From fe9878b23dc4e2030d08647008d6f91b9e6a32aa Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 26 2018 15:00:42 +0000
Subject: import pki-core-10.5.1-13.1.el7_5
---
diff --git a/.gitignore b/.gitignore
index b52c028..8cd0b17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.4.1.tar.gz
+SOURCES/pki-core-10.5.1.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 59de659..a7dde83 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-5187b494ec33ba6f11e5fc3204d891b2c46ac9b2 SOURCES/pki-core-10.4.1.tar.gz
+e99a26daf55c6d9318bd7ab15388dbe7cd9900d2 SOURCES/pki-core-10.5.1.tar.gz
diff --git a/SOURCES/pki-core-10.5.1-alpha.patch b/SOURCES/pki-core-10.5.1-alpha.patch
new file mode 100644
index 0000000..f2e95d7
--- /dev/null
+++ b/SOURCES/pki-core-10.5.1-alpha.patch
@@ -0,0 +1,4270 @@ +From 8d109e0b7ca6af60f862c641a6287d93a1dcb01b Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Tue, 7 Nov 2017 11:05:55 -0800 +Subject: Fix #2735 Secure removal of secret data storage (phase 2) + +This portion of the fix attempts to take care of the remaining secret data +storage issues that could be practically taken care of with respect to +servers and clients. + +A new method was placed in CryptoUtil to server the needs of clients. +Change-Id: I1a14daabcad72e531572d1be8bc255e2e501b70a + +(cherry picked from commit f5ec7c2af4a1fb44d5731c74672bf789e9240499) +--- + base/common/src/com/netscape/certsrv/key/Key.java | 6 + + .../src/com/netscape/cmstools/CMCRequest.java | 23 ++- + .../src/com/netscape/cmstools/CMCSharedToken.java | 2 + + .../src/com/netscape/cmstools/PasswordCache.java | 1 + + .../com/netscape/cmstools/key/KeyRetrieveCLI.java | 162 +++++++++++---------- + .../cms/servlet/tks/SecureChannelProtocol.java | 14 +- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 20 +++ + 7 files changed, 139 insertions(+), 89 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/key/Key.java b/base/common/src/com/netscape/certsrv/key/Key.java +index 1afd54c..69b59f3 100644 +--- a/base/common/src/com/netscape/certsrv/key/Key.java ++++ b/base/common/src/com/netscape/certsrv/key/Key.java +@@ -6,6 +6,7 @@ import javax.xml.bind.annotation.XmlElement; + import javax.xml.bind.annotation.XmlRootElement; + + import com.netscape.certsrv.request.RequestId; ++import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Utils; + + /** +@@ -159,4 +160,9 @@ public class Key { + public void setPublicKey(String publicKey) { + this.publicKey = publicKey; + } ++ ++ public void clearSensitiveData() { ++ CryptoUtil.obscureBytes(data, "random"); ++ data = null; ++ } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 37752cd..fc58f4e 100644 +--- 
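Review bot: `clearSensitiveData()` in the Key.java hunk is a new public method with no Javadoc, and because it scrubs the array in place, any caller still holding the reference returned by `getData()` sees the overwritten bytes afterwards — that needs to be stated. Suggest `/** Overwrites the key material in {@code data} with random bytes and drops the reference; invalidates any array previously obtained from {@link #getData()}. Safe to call more than once. */`. Only `data` is scrubbed; whether the other fields of Key hold anything secret cannot be seen from this hunk and should be confirmed against the rest of the class.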
a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -38,13 +38,6 @@ import java.util.Arrays; + import java.util.Date; + import java.util.StringTokenizer; + +-import netscape.security.pkcs.PKCS10; +-import netscape.security.x509.KeyIdentifier; +-import netscape.security.x509.PKIXExtensions; +-import netscape.security.x509.SubjectKeyIdentifierExtension; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +- + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ANY; + import org.mozilla.jss.asn1.ASN1Util; +@@ -114,6 +107,13 @@ import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.HMACDigest; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.pkcs.PKCS10; ++import netscape.security.x509.KeyIdentifier; ++import netscape.security.x509.PKIXExtensions; ++import netscape.security.x509.SubjectKeyIdentifierExtension; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertImpl; ++ + /** + * Tool for creating CMC full request + * +@@ -1803,6 +1803,7 @@ public class CMCRequest { + System.exit(1); + } + ++ byte challenge[] = null; + try { + TaggedRequest request = encryptedPop.getRequest(); + AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID(); +@@ -1838,7 +1839,7 @@ public class CMCRequest { + } + System.out.println(method + "symKey unwrapped."); + +- byte challenge[] = CryptoUtil.decryptUsingSymmetricKey( ++ challenge = CryptoUtil.decryptUsingSymmetricKey( + token, + ivps, + encCI.getEncryptedContent().toByteArray(), +@@ -1857,13 +1858,16 @@ public class CMCRequest { + MessageDigest hash = MessageDigest.getInstance(CryptoUtil.getNameFromHashAlgorithm(witnessAlgID)); + byte[] digest = hash.digest(challenge); + boolean witnessChecked = Arrays.equals(digest, witness.toByteArray()); ++ CryptoUtil.obscureBytes(digest,"random"); + if (witnessChecked) { + System.out.println(method 
+ "Yay! witness verified"); + } else { ++ CryptoUtil.obscureBytes(challenge, "random"); + System.out.println(method + "Oops! witness failed to verify. Must abort!"); + System.exit(1); + } + } catch (Exception ex) { ++ CryptoUtil.obscureBytes(challenge, "random"); + System.out.println(method + ex); + System.exit(1); + } +@@ -1877,6 +1881,7 @@ public class CMCRequest { + hmacDigest.update(ASN1Util.encode(request)); + popProofValue = hmacDigest.digest(); + } catch (Exception ex) { ++ CryptoUtil.obscureBytes(challenge, "random"); + System.out.println(method + "calculating POP Proof Value failed: " + ex); + System.exit(1); + } +@@ -1912,6 +1917,8 @@ public class CMCRequest { + } catch (Exception e) { + System.out.println(method + e); + System.exit(1); ++ } finally { ++ CryptoUtil.obscureBytes(challenge, "random"); + } + + System.out.println(method + " completes."); +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java +index a0a7651..d16dd0c 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java +@@ -299,6 +299,8 @@ public class CMCSharedToken { + + String ver_spassphrase = new String(ver_passphrase, "UTF-8"); + ++ CryptoUtil.obscureBytes(ver_passphrase, "random"); ++ + System.out.println("ver_passphrase String = " + ver_spassphrase); + System.out.println("ver_passphrase UTF-8 bytes = "); + System.out.println(Arrays.toString(ver_spassphrase.getBytes("UTF-8"))); +diff --git a/base/java-tools/src/com/netscape/cmstools/PasswordCache.java b/base/java-tools/src/com/netscape/cmstools/PasswordCache.java +index 7f17c8f..859eda3 100644 +--- a/base/java-tools/src/com/netscape/cmstools/PasswordCache.java ++++ b/base/java-tools/src/com/netscape/cmstools/PasswordCache.java +@@ -554,6 +554,7 @@ class PWsdrCache { + byte[] dcryptb = sdr.decrypt(bos.toByteArray()); + + dcrypts = new String(dcryptb, "UTF-8"); ++ 
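Review bot: The witness check at the top of the @@ -1857 hunk compares with `Arrays.equals(digest, witness.toByteArray())`, which stops at the first differing byte; `MessageDigest.isEqual(digest, witness.toByteArray())` is the drop-in time-independent form and MessageDigest is already in scope on the line above. The array produced by `witness.toByteArray()` is also left unscrubbed while `digest` gets `obscureBytes`; hold it in a local and clear it next to `digest`. The scrub calls placed before each `System.exit(1)` are required because `exit` does not run `finally` blocks, which deserves a one-line comment so a later refactor does not fold them into the `finally` added in the @@ -1912 hunk. The enclosing method starts and ends outside these hunks.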
CryptoUtil.obscureBytes(dcryptb, "random"); + } catch (TokenException e) { + System.out.println("password cache decrypto failed " + e.toString()); + e.printStackTrace(); +diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java +index 736c6e6..8339218 100644 +--- a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java +@@ -87,106 +87,116 @@ public class KeyRetrieveCLI extends CLI { + throw new Exception("Incorrect number of parameters provided."); + } + +- String keyId = cmd.getOptionValue("keyID"); +- String passphrase = cmd.getOptionValue("passphrase"); +- String requestId = cmd.getOptionValue("requestID"); +- String outputFilePath = cmd.getOptionValue("output"); +- String outputDataFile = cmd.getOptionValue("output-data"); +- String requestFile = cmd.getOptionValue("input"); +- String transportNickname = cmd.getOptionValue("transport"); +- +- KeyClient keyClient = keyCLI.getKeyClient(transportNickname); + Key keyData = null; + +- if (requestFile != null) { +- JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class); +- Unmarshaller unmarshaller = context.createUnmarshaller(); +- FileInputStream fis = new FileInputStream(requestFile); +- KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis); +- +- if (req.getKeyId() == null) { +- throw new Exception("Key ID must be specified in the request file."); +- } +- +- if (req.getCertificate() != null) { +- keyData = keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(), +- req.getPassphrase()); ++ try { ++ String keyId = cmd.getOptionValue("keyID"); ++ String passphrase = cmd.getOptionValue("passphrase"); ++ String requestId = cmd.getOptionValue("requestID"); ++ String outputFilePath = cmd.getOptionValue("output"); ++ String outputDataFile = cmd.getOptionValue("output-data"); ++ String requestFile = 
cmd.getOptionValue("input"); ++ String transportNickname = cmd.getOptionValue("transport"); ++ ++ KeyClient keyClient = keyCLI.getKeyClient(transportNickname); ++ ++ if (requestFile != null) { ++ JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class); ++ Unmarshaller unmarshaller = context.createUnmarshaller(); ++ FileInputStream fis = new FileInputStream(requestFile); ++ KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis); ++ ++ if (req.getKeyId() == null) { ++ throw new Exception("Key ID must be specified in the request file."); ++ } + +- } else if (req.getPassphrase() != null) { +- keyData = keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase()); ++ if (req.getCertificate() != null) { ++ keyData = keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(), ++ req.getPassphrase()); + +- } else if (req.getSessionWrappedPassphrase() != null) { +- keyData = keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(), +- Utils.base64decode(req.getTransWrappedSessionKey()), +- Utils.base64decode(req.getSessionWrappedPassphrase()), +- Utils.base64decode(req.getNonceData())); ++ } else if (req.getPassphrase() != null) { ++ keyData = keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase()); + +- } else if (req.getTransWrappedSessionKey() != null) { +- keyData = keyClient.retrieveKey(req.getKeyId(), +- Utils.base64decode(req.getTransWrappedSessionKey())); ++ } else if (req.getSessionWrappedPassphrase() != null) { ++ keyData = keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(), ++ Utils.base64decode(req.getTransWrappedSessionKey()), ++ Utils.base64decode(req.getSessionWrappedPassphrase()), ++ Utils.base64decode(req.getNonceData())); + +- } else { +- keyData = keyClient.retrieveKey(req.getKeyId()); +- } ++ } else if (req.getTransWrappedSessionKey() != null) { ++ keyData = keyClient.retrieveKey(req.getKeyId(), ++ Utils.base64decode(req.getTransWrappedSessionKey())); + +- } else { +- // Using 
command line options. +- if (requestId == null && keyId == null) { +- throw new Exception("Either requestID or keyID must be specified"); +- } +- +- if (passphrase != null) { +- if (requestId != null) { +- keyData = keyClient.retrieveKeyByRequestWithPassphrase( +- new RequestId(requestId), passphrase); + } else { +- keyData = keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase); ++ keyData = keyClient.retrieveKey(req.getKeyId()); + } + + } else { +- if (requestId != null) { +- keyData = keyClient.retrieveKeyByRequest(new RequestId(requestId)); +- } else { +- keyData = keyClient.retrieveKey(new KeyId(keyId)); ++ // Using command line options. ++ if (requestId == null && keyId == null) { ++ throw new Exception("Either requestID or keyID must be specified"); + } + +- clientEncryption = false; ++ if (passphrase != null) { ++ if (requestId != null) { ++ keyData = keyClient.retrieveKeyByRequestWithPassphrase( ++ new RequestId(requestId), passphrase); ++ } else { ++ keyData = keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase); ++ } ++ ++ } else { ++ if (requestId != null) { ++ keyData = keyClient.retrieveKeyByRequest(new RequestId(requestId)); ++ } else { ++ keyData = keyClient.retrieveKey(new KeyId(keyId)); ++ } ++ ++ clientEncryption = false; + +- // No need to return the encrypted data since encryption +- // is done locally. +- keyData.setEncryptedData(null); ++ // No need to return the encrypted data since encryption ++ // is done locally. 
++ keyData.setEncryptedData(null); ++ } + } +- } + +- MainCLI.printMessage("Retrieve Key Information"); ++ MainCLI.printMessage("Retrieve Key Information"); + +- if (outputDataFile != null) { ++ if (outputDataFile != null) { + +- byte[] data; +- if (clientEncryption) { // store encrypted data +- data = keyData.getEncryptedData(); ++ byte[] data; ++ if (clientEncryption) { // store encrypted data ++ data = keyData.getEncryptedData(); + +- } else { // store unencrypted data +- data = keyData.getData(); +- } ++ } else { // store unencrypted data ++ data = keyData.getData(); ++ } + +- Path path = Paths.get(outputDataFile); +- Files.write(path, data); ++ Path path = Paths.get(outputDataFile); ++ Files.write(path, data); + +- printKeyInfo(keyData); +- System.out.println(" Output: " + outputDataFile); ++ printKeyInfo(keyData); ++ System.out.println(" Output: " + outputDataFile); + +- } else if (outputFilePath != null) { +- JAXBContext context = JAXBContext.newInstance(Key.class); +- Marshaller marshaller = context.createMarshaller(); +- marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); +- marshaller.marshal(keyData, new File(outputFilePath)); ++ } else if (outputFilePath != null) { ++ JAXBContext context = JAXBContext.newInstance(Key.class); ++ Marshaller marshaller = context.createMarshaller(); ++ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); ++ marshaller.marshal(keyData, new File(outputFilePath)); + +- System.out.println(" Output: " + outputFilePath); ++ System.out.println(" Output: " + outputFilePath); + +- } else { +- printKeyInfo(keyData); +- printKeyData(keyData); ++ } else { ++ printKeyInfo(keyData); ++ printKeyData(keyData); ++ } ++ ++ } catch (Exception e) { ++ throw e; ++ } finally { ++ if (keyData != null) { ++ keyData.clearSensitiveData(); ++ } + } + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +index 
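Review bot: `catch (Exception e) { throw e; }` near the end of the rewritten block is a no-op rethrow; a plain `try { … } finally { … }` says the same thing without suggesting that something is handled. Inside that try, `FileInputStream fis = new FileInputStream(requestFile);` is never closed — now that it is an added line, `try (FileInputStream fis = new FileInputStream(requestFile)) { … }` around the unmarshal fixes the leak. The local `data` written to `outputDataFile` aliases `keyData.getData()`, so the `finally`'s `clearSensitiveData()` scrubs it too, but `passphrase` and `req.getPassphrase()` are `String`s it cannot reach; a comment on the `finally` such as `// scrubs the recovered key bytes only; String passphrases cannot be cleared` would keep that limitation visible.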
c3b3952..1110cc6 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +@@ -25,12 +25,13 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; + import org.mozilla.jss.crypto.SymmetricKeyDeriver; + import org.mozilla.jss.crypto.TokenException; + +-import sun.security.pkcs11.wrapper.PKCS11Constants; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.cmscore.security.JssSubsystem; + import com.netscape.cmsutil.crypto.CryptoUtil; + ++import sun.security.pkcs11.wrapper.PKCS11Constants; ++ + public class SecureChannelProtocol { + + static String sharedSecretKeyName = null; +@@ -341,7 +342,8 @@ public class SecureChannelProtocol { + byte[] finalKeyBytes = nistKdf.kdf_AES_CMAC_SCP03(divKey, context, constant, 16); + sessionKey = unwrapAESSymKeyOnToken(token, finalKeyBytes, false); + +- Arrays.fill(finalKeyBytes,(byte) 0); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureBytes(finalKeyBytes); + + //The final session key is AES. 
+ } +@@ -393,7 +395,8 @@ public class SecureChannelProtocol { + byte[] finalKeyBytes = nistKdf.kdf_AES_CMAC_SCP03(divKey, context, constant, 16); + sessionKey = unwrapAESSymKeyOnToken(token, finalKeyBytes, false); + +- Arrays.fill(finalKeyBytes,(byte) 0); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureBytes(finalKeyBytes); + } + } + } +@@ -908,7 +911,8 @@ public class SecureChannelProtocol { + finalAESKey = keyUnWrap.unwrapSymmetric(wrappedKey, SymmetricKey.AES, 16); + + +- Arrays.fill(wrappedKey,(byte) 0); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureBytes(wrappedKey); + + //byte[] finalKeyBytes = finalAESKey.getKeyData(); + //displayByteArray(finalKeyBytes, false); +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 1337803..8a0ea08 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2176,6 +2176,26 @@ public class CryptoUtil { + + } + ++ public static void obscureBytes(byte[] memory, String method) { ++ if (memory == null || memory.length == 0) { ++ //in case we want to log ++ return; ++ } ++ ++ SecureRandom rnd; ++ try { ++ rnd = getRandomNumberGenerator(); ++ } catch (GeneralSecurityException e) { ++ throw new RuntimeException(e); ++ } ++ ++ if ("zeroes".equals(method)) { ++ Arrays.fill(memory, (byte)0); ++ } else { ++ rnd.nextBytes(memory); ++ } ++ } ++ + public static byte[] unwrapUsingPassphrase(byte[] wrappedRecoveredKey, String recoveryPassphrase) + throws IOException, InvalidBERException, InvalidKeyException, IllegalStateException, + NoSuchAlgorithmException, InvalidAlgorithmParameterException, NotInitializedException, TokenException, +-- +1.8.3.1 + + +From 0cbe30064861a9908475aa95a686e69e3012a841 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 8 Nov 
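Review bot: In the @@ -341 hunk `jssSubsystem.obscureBytes(finalKeyBytes)` runs only on the success path — if `unwrapAESSymKeyOnToken(token, finalKeyBytes, false)` throws, the derived key bytes stay in memory; the same holds for the @@ -393 and @@ -908 hunks. `try { sessionKey = unwrapAESSymKeyOnToken(token, finalKeyBytes, false); } finally { ((JssSubsystem) CMS.getSubsystem(JssSubsystem.ID)).obscureBytes(finalKeyBytes); }` makes the cleanup unconditional. The cast of `CMS.getSubsystem(JssSubsystem.ID)` also throws a NullPointerException if the subsystem is not registered, again leaving the buffer intact, whereas the replaced `Arrays.fill` had no such dependency; a null check that falls back to `Arrays.fill(finalKeyBytes, (byte) 0)` preserves the old guarantee. The enclosing methods start and end outside these hunks.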
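Review bot: `obscureBytes` obtains a `SecureRandom` before looking at `method`, so the `"zeroes"` path performs an RNG lookup it never uses and, worse, a `GeneralSecurityException` from `getRandomNumberGenerator()` is rethrown as `RuntimeException` with `memory` still holding the secret. Move the lookup into the else branch and zero-fill before rethrowing: `} catch (GeneralSecurityException e) { Arrays.fill(memory, (byte) 0); throw new RuntimeException("cannot obscure buffer", e); }`. As the new project-wide scrubbing primitive it also needs Javadoc: that `method` is `"zeroes"` for zero-fill and anything else for random fill, that `null` or empty input is a no-op, and that the JVM offers no guarantee the overwrite survives dead-store elimination or copying collection, so the scrub is best-effort.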
2017 20:46:57 +0100 +Subject: Ignore empty key in read_environment_files + +Don't set empty key or key '_' (last command) in read_environment_files. +Fixes "ValueError: illegal environment variable name". + +Change-Id: I22d295ebbf0845bcf8aab3019e1b1f5a3a731e10 +Closes: https://pagure.io/dogtagpki/issue/2850 +Signed-off-by: Christian Heimes +(cherry picked from commit a105341f777354429dfc9f28c7baf5bddd2d5e1f) +--- + base/common/python/pki/util.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 5832f55..871c899 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -272,4 +272,6 @@ def read_environment_files(env_file_list=None): + + for env_val in env_vals: + (key, _, value) = env_val.partition("=") ++ if not key.strip() or key == u'_': ++ continue + os.environ[key] = value +-- +1.8.3.1 + + +From 45c07d48a8a5f4acda8ce4ca3be5803c2596901e Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 10 Nov 2017 15:55:36 -0800 +Subject: ReFix for #2824 TPS new configuration to allow the protocol of the + to determine applet loaded. + +The problem discovered was that in only the external registration case, there was a problem obtaining the protocol +information for the token being enrolled. This simple fix makes sure the protocol info is obtained correctly for external +reg and non external reg enrollment cases. 
+ +Change-Id: Iccd40adbdafd5e94e04cbb8c391bd2706e483a1f +(cherry picked from commit e48374cd8a744fad5a03f64e8685ec3b3c465553) +--- + .../src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 57e5d79..a78db64 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -33,8 +33,6 @@ import java.util.List; + import java.util.Map; + import java.util.Set; + +-import netscape.security.x509.RevocationReason; +- + import org.dogtagpki.server.tps.TPSSession; + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.authentication.AuthUIParameter; +@@ -104,6 +102,8 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.symkey.SessionKey; + ++import netscape.security.x509.RevocationReason; ++ + public class TPSProcessor { + + private static Logger signedAuditLogger = SignedAuditLogger.getLogger(); +@@ -558,8 +558,10 @@ public class TPSProcessor { + CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData"); + } + +- // We already do this when checking for applet upgrade earlier. +- //acquireChannelPlatformAndProtocolInfo(); ++ // Do this on behalf of external reg, which needs it ++ // If already called, the routine will return anyway. ++ ++ acquireChannelPlatformAndProtocolInfo(); + + TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData); + +-- +1.8.3.1 + + +From 23ce60193a31c070441f93238565a7250cff981b Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 10 Nov 2017 10:57:36 -0800 +Subject: Fix #2735 Secure removal of secret data storage (phase 3) + +Add more secure data removal with respect to passwords. 
+Concentrate on the CMC Shared Token area. Done by changing +String based passwords to char[] based password, which then can be cleaned. +Cleaned up a couple of minor review suggestions. + +Change-Id: I898814000353978f403f19f679083474548edc5e +(cherry picked from commit daff3951340246d97a9877d5dde4782c8c675974) +--- + .../certsrv/authentication/ISharedToken.java | 10 +- + .../servlet/test/GeneratePKIArchiveOptions.java | 9 +- + base/kra/src/com/netscape/kra/RecoveryService.java | 30 +- + .../com/netscape/kra/SecurityDataProcessor.java | 8 +- + .../netscape/cms/authentication/SharedSecret.java | 24 +- + .../netscape/cms/profile/common/EnrollProfile.java | 349 ++++++++++++--------- + .../cms/servlet/common/CMCOutputTemplate.java | 19 +- + .../cms/servlet/csadmin/ConfigurationUtils.java | 266 +++++++++------- + .../netscape/cmscore/security/JssSubsystem.java | 8 + + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 65 +++- + 10 files changed, 494 insertions(+), 294 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java +index b33ae7b..761c344 100644 +--- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java ++++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java +@@ -16,24 +16,24 @@ + // All rights reserved. + // --- END COPYRIGHT BLOCK --- + package com.netscape.certsrv.authentication; +-import com.netscape.certsrv.base.EBaseException; +- + import java.math.BigInteger; + + import org.mozilla.jss.pkix.cmc.PKIData; + ++import com.netscape.certsrv.base.EBaseException; ++ + /** + * Shared Token interface. 
+ */ + public interface ISharedToken { + + // support for id_cmc_identification +- public String getSharedToken(String identification) ++ public char[] getSharedToken(String identification) + throws EBaseException; + +- public String getSharedToken(PKIData cmcData) ++ public char[] getSharedToken(PKIData cmcData) + throws EBaseException; + +- public String getSharedToken(BigInteger serialnum) ++ public char[] getSharedToken(BigInteger serialnum) + throws EBaseException; + } +diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java +index e1a9816..5ccf7a8 100644 +--- a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java ++++ b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java +@@ -213,8 +213,15 @@ public class GeneratePKIArchiveOptions { + new OCTET_STRING(ivps.getIV())); + + if (passphraseMode) { ++ char[] pwdChars = passphrase.toCharArray(); ++ try { + encoded = CryptoUtil.createEncodedPKIArchiveOptions( +- token, transportCert.getPublicKey(), passphrase, params, aid); ++ token, transportCert.getPublicKey(), pwdChars, params, aid); ++ } catch (Exception e) { ++ throw e; ++ } finally { ++ CryptoUtil.obscureChars(pwdChars); ++ } + } else { + encoded = CryptoUtil.createEncodedPKIArchiveOptions( + token, transportCert.getPublicKey(), vek, params, aid); +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index d562c15..96ee73b 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -461,6 +461,7 @@ public class RecoveryService implements IService { + public void createPFX(IRequest request, Hashtable params, + PrivateKey priKey, CryptoToken ct) throws EBaseException { + CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false"); 
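Review bot: The three `getSharedToken` signatures now return `char[]`, but the interface says nothing about who owns the array; SharedSecret's implementation carries `Note: caller should clear the memory for the returned token after each use`, and that contract belongs on the interface where every implementation and caller sees it. Add Javadoc to each method along the lines of `@return the shared token in a fresh array owned by the caller, who must overwrite it after use; {@code null} when no token is available`. The `null` return is real: SharedSecret's `decryptShrTokData` returns `null` on failure in its @@ -357 hunk and `getSharedToken` passes that through, so callers should not assume an absent token always surfaces as `EBaseException`.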
++ org.mozilla.jss.util.Password pass = null; + try { + // create p12 + X509Certificate x509cert = +@@ -493,9 +494,14 @@ public class RecoveryService implements IService { + // add key + mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); + CMS.debug("RecoverService: createPFX() adds key to P12"); +- org.mozilla.jss.util.Password pass = new ++ char[] pwdChar = pwd.toCharArray(); ++ pass = new + org.mozilla.jss.util.Password( +- pwd.toCharArray()); ++ pwdChar); ++ { ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureChars(pwdChar); ++ } + + SEQUENCE safeContents = new SEQUENCE(); + PasswordConverter passConverter = new +@@ -580,7 +586,6 @@ public class RecoveryService implements IService { + ByteArrayOutputStream(); + + pfx.encode(fos); +- pass.clear(); + + // put final PKCS12 into volatile request + params.put(ATTR_PKCS12, fos.toByteArray()); +@@ -590,6 +595,10 @@ public class RecoveryService implements IService { + CMS.debug("RecoverService: createPFX() exception caught:"+ + e.toString()); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); ++ } finally { ++ if(pass != null) { ++ pass.clear(); ++ } + } + + // update request +@@ -637,6 +646,7 @@ public class RecoveryService implements IService { + public void createPFX(IRequest request, Hashtable params, + byte priData[]) throws EBaseException { + CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true"); ++ org.mozilla.jss.util.Password pass = null; + try { + // create p12 + X509Certificate x509cert = +@@ -667,9 +677,13 @@ public class RecoveryService implements IService { + + // add key + mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); +- org.mozilla.jss.util.Password pass = new +- org.mozilla.jss.util.Password( +- pwd.toCharArray()); ++ char[] pwdChars = pwd.toCharArray(); ++ pass = new org.mozilla.jss.util.Password( ++ pwdChars); ++ ++ JssSubsystem jssSubsystem = (JssSubsystem) 
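Review bot: In the @@ -493 hunk `pass = new org.mozilla.jss.util.Password(pwdChar)` is followed straight away by `jssSubsystem.obscureChars(pwdChar)`; if JSS's `Password(char[])` stores the array reference rather than copying it, this overwrites the password before the PFX is built and the `pass.clear()` in the new `finally` then clears garbage. Confirm the constructor copies; if it does not, drop the eager `obscureChars` and let the `finally` clear `pass` alone. The same pattern appears in the @@ -667 hunk here and in SecurityDataProcessor's @@ -487 hunk. `pwd` itself remains a `String` in both methods, so the char[] copy is the only part of the password this change can scrub, which is worth a comment next to `pwdChar`; the method bodies extend beyond what is shown.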
CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureChars(pwdChars); ++ + + SEQUENCE safeContents = new SEQUENCE(); + PrivateKeyInfo pki = (PrivateKeyInfo) +@@ -735,13 +749,15 @@ public class RecoveryService implements IService { + ByteArrayOutputStream(); + + pfx.encode(fos); +- pass.clear(); + + // put final PKCS12 into volatile request + params.put(ATTR_PKCS12, fos.toByteArray()); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); ++ } finally { ++ if(pass != null) ++ pass.clear(); + } + + // update request +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 71d1233..8de1311 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -487,9 +487,11 @@ public class SecurityDataProcessor { + unwrappedSess, + wrapParams.getPayloadEncryptionAlgorithm()); + +- String passStr = new String(unwrappedPass, "UTF-8"); +- pass = new Password(passStr.toCharArray()); +- passStr = null; ++ char[] passChars = CryptoUtil.bytesToChars(unwrappedPass); ++ pass = new Password(passChars); ++ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); ++ jssSubsystem.obscureChars(passChars); ++ + + if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +index cf69975..ee7a7d7 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +@@ -240,7 +240,7 @@ public class SharedSecret extends DirBasedAuthentication + * Note: caller should clear the memory for the returned token + * after 
each use + */ +- public String getSharedToken(String identification) ++ public char[] getSharedToken(String identification) + throws EBaseException { + String method = "SharedSecret.getSharedToken(String identification): "; + String msg = ""; +@@ -319,7 +319,7 @@ public class SharedSecret extends DirBasedAuthentication + } + CMS.debug(method + " got entryShrTok"); + +- String shrSecret = decryptShrTokData(new String(entryShrTok)); ++ char[] shrSecret = decryptShrTokData(new String(entryShrTok)); + CMS.debug(method + "returning"); + return shrSecret; + } catch (Exception e) { +@@ -338,11 +338,11 @@ public class SharedSecret extends DirBasedAuthentication + * encryptedPrivate OCTET STRING + * } + * @param data_s +- * @return ++ * @return phrase in char array. + */ +- private String decryptShrTokData(String data_s) { ++ private char[] decryptShrTokData(String data_s) { + String method = "SharedSecret.decryptShrTokData: "; +- String msg = ""; ++ byte[] ver_passphrase = null; + try { + byte[] wrapped_secret_data = Utils.base64decode(data_s); + DerValue wrapped_val = new DerValue(wrapped_secret_data); +@@ -357,22 +357,24 @@ public class SharedSecret extends DirBasedAuthentication + + SymmetricKey ver_session = CryptoUtil.unwrap(tmpToken, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, + issuanceProtPrivKey, wrapped_session, wrapAlgorithm); +- byte[] ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), ++ ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), + wrapped_passphrase, + ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); + +- String ver_spassphrase = new String(ver_passphrase, "UTF-8"); +- return ver_spassphrase; ++ char[] ver_spassphraseChars = CryptoUtil.bytesToChars(ver_passphrase); ++ return ver_spassphraseChars; + } catch (Exception e) { + CMS.debug(method + e.toString()); + return null; ++ } finally { ++ CryptoUtil.obscureBytes(ver_passphrase, "random"); + } + } + + /** + * unsupported 
+ */ +- public String getSharedToken(PKIData cmcdata) ++ public char[] getSharedToken(PKIData cmcdata) + throws EBaseException { + String method = "SharedSecret.getSharedToken(PKIData cmcdata): "; + String msg = ""; +@@ -389,7 +391,7 @@ public class SharedSecret extends DirBasedAuthentication + * Note: caller should clear the memory for the returned token + * after each use + */ +- public String getSharedToken(BigInteger serial) ++ public char[] getSharedToken(BigInteger serial) + throws EBaseException { + String method = "SharedSecret.getSharedToken(BigInteger serial): "; + String msg = ""; +@@ -417,7 +419,7 @@ public class SharedSecret extends DirBasedAuthentication + throw new EBaseException(method + msg); + } + +- String shrSecret = decryptShrTokData(shrTok_s); ++ char[] shrSecret = decryptShrTokData(shrTok_s); + CMS.debug(method + "returning"); + return shrSecret; + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 5f34ec9..9051baf 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -21,6 +21,7 @@ import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; + import java.math.BigInteger; ++import java.nio.ByteBuffer; + import java.security.InvalidKeyException; + import java.security.MessageDigest; + import java.security.NoSuchAlgorithmException; +@@ -1300,7 +1301,7 @@ public abstract class EnrollProfile extends BasicProfile + protected boolean verifyPopLinkWitnessV2( + PopLinkWitnessV2 popLinkWitnessV2, + byte[] randomSeed, +- String sharedSecret, ++ byte[] sharedSecret, + String ident_string) { + String method = "EnrollProfile: verifyPopLinkWitnessV2: "; + +@@ -1326,6 +1327,7 @@ public abstract class EnrollProfile extends BasicProfile + return false; + } + ++ byte[] verifyBytes = null; 
+ try { + DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID()); + MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString()); +@@ -1335,17 +1337,41 @@ public abstract class EnrollProfile extends BasicProfile + .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString())); + + byte[] witness_bytes = witness.toByteArray(); +- return verifyDigest( +- (ident_string != null) ? (sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(), ++ ++ ByteBuffer bb = null; ++ ++ if(ident_string != null) { ++ bb = ByteBuffer.allocate(ident_string.getBytes().length + sharedSecret.length); ++ bb.put(sharedSecret); ++ bb.put(ident_string.getBytes()); ++ verifyBytes = bb.array(); ++ } else { ++ verifyBytes = sharedSecret; ++ } ++ ++ boolean result = verifyDigest( ++ verifyBytes, + randomSeed, + witness_bytes, + keyGenMDAlg, macMDAlg); ++ ++ //Check ident_string because, verifyBytes will be = sharedSecret otherwise. ++ //Let caller clear sharedSecret when the time comes. 
++ if (ident_string != null) { ++ CryptoUtil.obscureBytes(verifyBytes, "random"); ++ } ++ ++ return result; + } catch (NoSuchAlgorithmException e) { + CMS.debug(method + e); + return false; + } catch (Exception e) { + CMS.debug(method + e); + return false; ++ } finally { ++ if (ident_string != null) { ++ CryptoUtil.obscureBytes(verifyBytes, "random"); ++ } + } + } + +@@ -1365,162 +1391,175 @@ public abstract class EnrollProfile extends BasicProfile + + boolean sharedSecretFound = true; + String configName = "SharedToken"; +- String sharedSecret = null; ++ char[] sharedSecret = null; ++ byte[] sharedSecretBytes = null; ++ + try { +- IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + +- IAuthManager sharedTokenAuth = authSS.getAuthManager(configName); +- if (sharedTokenAuth == null) { +- CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); +- sharedSecretFound = false; +- } +- ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; ++ try { ++ IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + +- if (ident_string != null) { +- sharedSecret = tokenClass.getSharedToken(ident_string); +- } else { +- sharedSecret = tokenClass.getSharedToken(mCMCData); +- } +- if (sharedSecret == null) +- sharedSecretFound = false; ++ IAuthManager sharedTokenAuth = authSS.getAuthManager(configName); ++ if (sharedTokenAuth == null) { ++ CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); ++ sharedSecretFound = false; ++ } ++ ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + +- } catch (Exception e) { +- CMS.debug(e); +- return false; +- } ++ if (ident_string != null) { ++ sharedSecret = tokenClass.getSharedToken(ident_string); ++ } else { ++ sharedSecret = tokenClass.getSharedToken(mCMCData); ++ } ++ if (sharedSecret == null) { ++ sharedSecretFound = false; ++ } else { ++ sharedSecretBytes = CryptoUtil.charsToBytes(sharedSecret); ++ } + +- INTEGER reqId = 
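Review bot: `CryptoUtil.obscureBytes(verifyBytes, "random")` now runs twice on the normal path of verifyPopLinkWitnessV2 — once directly after `verifyDigest` (with the two-line comment) and again in the new `finally`, which also covers both catch branches — so the first call and its comment can simply be removed. Separately, `ident_string.getBytes()` encodes with the platform default charset while `sharedSecret` arrives as UTF-8 bytes from `CryptoUtil.charsToBytes` (see the -1365 hunk below), so on a server whose default charset is not UTF-8 a non-ASCII identifier yields different witness input than a UTF-8 client computed. `ident_string.getBytes(StandardCharsets.UTF_8)` keeps both halves on one encoding; the same `getBytes()` call appears in the -1702,14 hunk of this file. The method's signature is in the earlier -1300,7 hunk.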
null; +- byte[] bv = null; ++ } catch (Exception e) { ++ CMS.debug(e); ++ return false; ++ } + +- if (req.getType().equals(TaggedRequest.PKCS10)) { +- String methodPos = method + "PKCS10: "; +- CMS.debug(methodPos + "begins"); ++ INTEGER reqId = null; ++ byte[] bv = null; + +- TaggedCertificationRequest tcr = req.getTcr(); +- if (!sharedSecretFound) { +- bpids.addElement(tcr.getBodyPartID()); +- context.put("POPLinkWitness", bpids); +- return false; +- } else { +- CertificationRequest creq = tcr.getCertificationRequest(); +- CertificationRequestInfo cinfo = creq.getInfo(); +- SET attrs = cinfo.getAttributes(); +- for (int j = 0; j < attrs.size(); j++) { +- Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); +- if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { +- CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); +- if (ident_string == null) { +- bpids.addElement(reqId); +- context.put("identification", bpids); +- context.put("POPLinkWitnessV2", bpids); +- String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; +- CMS.debug(methodPos + msg); +- return false; +- } ++ if (req.getType().equals(TaggedRequest.PKCS10)) { ++ String methodPos = method + "PKCS10: "; ++ CMS.debug(methodPos + "begins"); + +- SET witnessVal = pkcs10Attr.getValues(); +- if (witnessVal.size() > 0) { +- try { +- PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0)); +- boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, +- randomSeed, +- sharedSecret, +- ident_string); +- if (!valid) { +- bpids.addElement(reqId); +- context.put("POPLinkWitnessV2", bpids); +- return valid; +- } +- return true; +- } catch (Exception ex) { +- CMS.debug(methodPos + ex); ++ TaggedCertificationRequest tcr = req.getTcr(); ++ if (!sharedSecretFound) { ++ bpids.addElement(tcr.getBodyPartID()); ++ context.put("POPLinkWitness", bpids); ++ return false; ++ } else { ++ CertificationRequest creq = 
tcr.getCertificationRequest(); ++ CertificationRequestInfo cinfo = creq.getInfo(); ++ SET attrs = cinfo.getAttributes(); ++ for (int j = 0; j < attrs.size(); j++) { ++ Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); ++ if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { ++ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); ++ if (ident_string == null) { ++ bpids.addElement(reqId); ++ context.put("identification", bpids); ++ context.put("POPLinkWitnessV2", bpids); ++ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; ++ CMS.debug(methodPos + msg); + return false; + } +- } +- } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { +- SET witnessVal = pkcs10Attr.getValues(); +- if (witnessVal.size() > 0) { +- try { +- OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), +- ASN1Util.encode(witnessVal.elementAt(0)))); +- bv = str.toByteArray(); +- return verifyDigest(sharedSecret.getBytes(), +- randomSeed, bv); +- } catch (InvalidBERException ex) { +- return false; ++ ++ SET witnessVal = pkcs10Attr.getValues(); ++ if (witnessVal.size() > 0) { ++ try { ++ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control( ++ witnessVal.elementAt(0)); ++ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, ++ randomSeed, ++ sharedSecretBytes, ++ ident_string); ++ if (!valid) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitnessV2", bpids); ++ return valid; ++ } ++ return true; ++ } catch (Exception ex) { ++ CMS.debug(methodPos + ex); ++ return false; ++ } ++ } ++ } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { ++ SET witnessVal = pkcs10Attr.getValues(); ++ if (witnessVal.size() > 0) { ++ try { ++ OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), ++ ASN1Util.encode(witnessVal.elementAt(0)))); ++ bv = str.toByteArray(); ++ return verifyDigest(sharedSecretBytes, 
++ randomSeed, bv); ++ } catch (InvalidBERException ex) { ++ return false; ++ } + } + } + } +- } +- +- return false; +- } +- } else if (req.getType().equals(TaggedRequest.CRMF)) { +- String methodPos = method + "CRMF: "; +- CMS.debug(methodPos + "begins"); +- +- CertReqMsg crm = req.getCrm(); +- CertRequest certReq = crm.getCertReq(); +- reqId = certReq.getCertReqId(); +- if (!sharedSecretFound) { +- bpids.addElement(reqId); +- context.put("POPLinkWitness", bpids); +- return false; +- } else { +- for (int i = 0; i < certReq.numControls(); i++) { +- AVA ava = certReq.controlAt(i); + +- if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { +- CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); +- if (ident_string == null) { +- bpids.addElement(reqId); +- context.put("identification", bpids); +- context.put("POPLinkWitnessV2", bpids); +- String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; +- CMS.debug(methodPos + msg); +- return false; +- } ++ return false; ++ } ++ } else if (req.getType().equals(TaggedRequest.CRMF)) { ++ String methodPos = method + "CRMF: "; ++ CMS.debug(methodPos + "begins"); + +- ASN1Value value = ava.getValue(); +- PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); ++ CertReqMsg crm = req.getCrm(); ++ CertRequest certReq = crm.getCertReq(); ++ reqId = certReq.getCertReqId(); ++ if (!sharedSecretFound) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitness", bpids); ++ return false; ++ } else { ++ for (int i = 0; i < certReq.numControls(); i++) { ++ AVA ava = certReq.controlAt(i); ++ ++ if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { ++ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); ++ if (ident_string == null) { ++ bpids.addElement(reqId); ++ context.put("identification", bpids); ++ context.put("POPLinkWitnessV2", bpids); ++ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; 
++ CMS.debug(methodPos + msg); ++ return false; ++ } + +- boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, +- randomSeed, +- sharedSecret, +- ident_string); +- if (!valid) { +- bpids.addElement(reqId); +- context.put("POPLinkWitnessV2", bpids); +- return valid; +- } +- } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { +- CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); +- ASN1Value value = ava.getValue(); +- ByteArrayInputStream bis = new ByteArrayInputStream( +- ASN1Util.encode(value)); +- OCTET_STRING ostr = null; +- try { +- ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); +- bv = ostr.toByteArray(); +- } catch (Exception e) { +- bpids.addElement(reqId); +- context.put("POPLinkWitness", bpids); +- return false; +- } ++ ASN1Value value = ava.getValue(); ++ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); ++ ++ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, ++ randomSeed, ++ sharedSecretBytes, ++ ident_string); ++ if (!valid) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitnessV2", bpids); ++ return valid; ++ } ++ } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { ++ CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); ++ ASN1Value value = ava.getValue(); ++ ByteArrayInputStream bis = new ByteArrayInputStream( ++ ASN1Util.encode(value)); ++ OCTET_STRING ostr = null; ++ try { ++ ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); ++ bv = ostr.toByteArray(); ++ } catch (Exception e) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitness", bpids); ++ return false; ++ } + +- boolean valid = verifyDigest(sharedSecret.getBytes(), +- randomSeed, bv); +- if (!valid) { +- bpids.addElement(reqId); +- context.put("POPLinkWitness", bpids); +- return valid; ++ boolean valid = verifyDigest(sharedSecretBytes, ++ randomSeed, bv); ++ if (!valid) { ++ bpids.addElement(reqId); ++ context.put("POPLinkWitness", bpids); ++ return valid; ++ } 
+ } + } + } + } +- } + +- return true; ++ return true; ++ ++ } finally { ++ CryptoUtil.obscureBytes(sharedSecretBytes, "random"); ++ CryptoUtil.obscureChars(sharedSecret); ++ } + } + + private boolean verifyDigest(byte[] sharedSecret, byte[] text, byte[] bv) { +@@ -1664,7 +1703,7 @@ public abstract class EnrollProfile extends BasicProfile + } + ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + +- String token = null; ++ char[] token = null; + if (ident_string != null) { + auditAttemptedCred = ident_string; + token = tokenClass.getSharedToken(ident_string); +@@ -1702,14 +1741,36 @@ public abstract class EnrollProfile extends BasicProfile + + byte[] witness_bytes = witness.toByteArray(); + byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field ++ ++ byte[] verifyBytes = null; ++ ByteBuffer bb = null; ++ ++ byte[] tokenBytes = CryptoUtil.charsToBytes(token); ++ ++ if(ident_string != null) { ++ bb = ByteBuffer.allocate(ident_string.getBytes().length + token.length); ++ bb.put(tokenBytes); ++ bb.put(ident_string.getBytes()); ++ verifyBytes = bb.array(); ++ } else { ++ verifyBytes = tokenBytes; ++ } ++ ++ + verified = verifyDigest( +- (ident_string != null) ? 
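Review bot: When `authSS.getAuthManager(configName)` returns null, the rewritten block logs it and sets `sharedSecretFound = false` but then still casts the null to `ISharedToken` and calls `tokenClass.getSharedToken(...)`; the resulting NullPointerException lands in `catch (Exception e)` and returns false before the `!sharedSecretFound` branches that record the body part id under `"POPLinkWitness"` in `context` are ever reached, so the client gets no indication of which request failed. Guarding the token lookup on a non-null manager keeps that error reporting intact, as below. The wipe in the new `finally` does cover this early return. The method's signature and opening statements lie above this hunk.
```java
IAuthManager sharedTokenAuth = authSS.getAuthManager(configName);
if (sharedTokenAuth == null) {
    CMS.debug(method + " Failed to retrieve shared secret authentication plugin class");
    sharedSecretFound = false;
} else {
    ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
    if (ident_string != null) {
        sharedSecret = tokenClass.getSharedToken(ident_string);
    } else {
        sharedSecret = tokenClass.getSharedToken(mCMCData);
    }
    if (sharedSecret == null) {
        sharedSecretFound = false;
    } else {
        sharedSecretBytes = CryptoUtil.charsToBytes(sharedSecret);
    }
}
// … unchanged: catch (Exception e), PKCS10 / CRMF witness handling, finally that wipes the secret …
```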
(token + ident_string).getBytes() : token.getBytes(), ++ verifyBytes, + request_bytes, + witness_bytes, + hashAlg, macAlg); + + String auditSubjectID = null; + ++ if(ident_string != null) { ++ CryptoUtil.obscureBytes(verifyBytes, "random"); ++ } ++ ++ CryptoUtil.obscureChars(token); ++ + if (verified) { + auditSubjectID = (String) sessionContext.get(SessionContext.USER_ID); + CMS.debug(method + "current auditSubjectID was:" + auditSubjectID); +@@ -1760,13 +1821,14 @@ public abstract class EnrollProfile extends BasicProfile + } + + OCTET_STRING ostr = null; +- String token = null; ++ char[] token = null; + try { + token = tokenClass.getSharedToken(mCMCData); + ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { + CMS.debug(method + "Failed to decode the byte value."); ++ CryptoUtil.obscureChars(token); + return false; + } catch (Exception e) { + CMS.debug(method + "exception: " + e.toString()); +@@ -1775,10 +1837,15 @@ public abstract class EnrollProfile extends BasicProfile + byte[] b = ostr.toByteArray(); + byte[] text = ASN1Util.encode(reqSeq); + +- verified = verifyDigest(token.getBytes(), text, b); ++ byte[] verifyBytes = CryptoUtil.charsToBytes(token); ++ verified = verifyDigest(verifyBytes, text, b); + if (verified) {// update auditSubjectID + //placeholder. 
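Review bot: `ByteBuffer.allocate(ident_string.getBytes().length + token.length)` sizes the buffer by the number of chars in `token`, but what is put into it is `tokenBytes`, the UTF-8 encoding produced by `CryptoUtil.charsToBytes`; for any token containing non-ASCII characters the byte count exceeds the char count and `bb.put(tokenBytes)` throws BufferOverflowException. The sibling code in verifyPopLinkWitnessV2 (hunk -1335,17) already sizes by the byte array, so this should read `bb = ByteBuffer.allocate(ident_string.getBytes().length + tokenBytes.length);`. In addition `tokenBytes` is never obscured: with a non-null `ident_string` only the concatenated `verifyBytes` is wiped, and with a null one `verifyBytes` aliases `tokenBytes` but the wipe is skipped entirely, so an unconditional `CryptoUtil.obscureBytes(tokenBytes, "random");` belongs next to `CryptoUtil.obscureChars(token);`. Neither wipe runs if `verifyDigest` throws, which a `finally` would cover; the enclosing method starts and ends outside this hunk.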
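Review bot: `CryptoUtil.obscureChars(token)` was added only to the `InvalidBERException` branch; the following `catch (Exception e)` branch, which from the visible debug line presumably also returns without verifying, leaves `token` unwiped. Since the next hunk (-1775,10) wipes `token` and `verifyBytes` only on the normal path, declaring `verifyBytes` before the `try` and moving both wipes into a single `finally { CryptoUtil.obscureBytes(verifyBytes, "random"); CryptoUtil.obscureChars(token); }` would cover every exit, including an exception from `verifyDigest`. The method's signature and tail are outside this hunk.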
Should probably just disable this v1 method + } ++ ++ CryptoUtil.obscureBytes(verifyBytes, "random"); ++ CryptoUtil.obscureChars(token); ++ + return verified; + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 1d70b36..6c40d2d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -68,6 +68,7 @@ import org.mozilla.jss.pkix.cms.SignerIdentifier; + import org.mozilla.jss.pkix.cms.SignerInfo; + import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; + import org.mozilla.jss.pkix.primitive.Name; ++import org.mozilla.jss.util.Password; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.IAuthManager; +@@ -1093,7 +1094,7 @@ public class CMCOutputTemplate { + } + ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + +- String sharedSecret = tokenClass.getSharedToken(revokeSerial); ++ char[] sharedSecret = tokenClass.getSharedToken(revokeSerial); + + if (sharedSecret == null) { + CMS.debug("CMCOutputTemplate: shared secret not found."); +@@ -1110,11 +1111,21 @@ public class CMCOutputTemplate { + } + + byte[] reqSecretb = reqSecret.toByteArray(); +- String clientSC = new String(reqSecretb); +- if (clientSC.equals(sharedSecret)) { ++ char[] reqSecretbChars = CryptoUtil.bytesToChars(reqSecretb); ++ ++ Password secret1 = new Password(sharedSecret); ++ Password secret2 = new Password(reqSecretbChars); ++ ++ CryptoUtil.obscureChars(sharedSecret); ++ CryptoUtil.obscureChars(reqSecretbChars); ++ CryptoUtil.obscureBytes(reqSecretb, "random"); ++ ++ if(secret1.equals(secret2)) { + CMS.debug(method + + " Client and server shared secret are the same, can go ahead and revoke certificate."); + revoke = true; ++ secret1.clear(); ++ secret2.clear(); + } else { + CMS.debug(method + + " Client and server 
shared secret are not the same, cannot revoke certificate."); +@@ -1137,6 +1148,8 @@ public class CMCOutputTemplate { + auditReasonNum, + auditApprovalStatus)); + ++ secret1.clear(); ++ secret2.clear(); + return bpid; + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 0018841..1d37d73 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -217,18 +217,28 @@ public class ConfigurationUtils { + Password password = null; + password = new Password(tokPwd.toCharArray()); + +- if (token.passwordIsInitialized()) { +- CMS.debug("loginToken():token password is initialized"); +- if (!token.isLoggedIn()) { +- CMS.debug("loginToken():Token is not logged in, try it"); +- token.login(password); ++ try { ++ if (token.passwordIsInitialized()) { ++ CMS.debug("loginToken():token password is initialized"); ++ if (!token.isLoggedIn()) { ++ CMS.debug("loginToken():Token is not logged in, try it"); ++ token.login(password); ++ } else { ++ CMS.debug("loginToken():Token has already logged on"); ++ } + } else { +- CMS.debug("loginToken():Token has already logged on"); ++ CMS.debug("loginToken():Token password not initialized"); ++ rv = false; ++ } ++ ++ } catch (TokenException | IncorrectPasswordException e) { ++ throw e; ++ } finally { ++ if (password != null) { ++ password.clear(); + } +- } else { +- CMS.debug("loginToken():Token password not initialized"); +- rv = false; + } ++ + return rv; + } + +@@ -877,117 +887,126 @@ public class ConfigurationUtils { + StringBuffer reason = new StringBuffer(); + Password password = new Password(p12Pass.toCharArray()); + +- PFX pfx = (PFX) (new PFX.Template()).decode(bis); +- boolean verifypfx = pfx.verifyAuthSafes(password, reason); ++ try { + +- if (!verifypfx) { +- throw new IOException("PKCS 
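Review bot: `CryptoUtil.obscureChars(sharedSecret)` and `CryptoUtil.obscureChars(reqSecretbChars)` execute before `secret1.equals(secret2)` is evaluated; if `org.mozilla.jss.util.Password` keeps a reference to the char array it is constructed with rather than copying it — which is my recollection of the JSS constructor and is also what the later `secret1.clear()` relies on to wipe anything — the comparison is made between two arrays that are already all zeros, and any client secret of the same length as the server's would compare equal and permit the revocation. Move the comparison ahead of the wipes, or drop the two `obscureChars` calls and let `secret1.clear()` / `secret2.clear()` zero the arrays once the result is known. Independently, `Password.equals` is a per-character loop that exits on the first mismatch; a length-fixed comparison such as `MessageDigest.isEqual(CryptoUtil.charsToBytes(sharedSecret), reqSecretb)`, with both byte arrays wiped afterwards, avoids leaking the position of the first differing character through timing. `createPasswordFromBytes` in CryptoUtil (hunk -1950,6) has the same dependency on copy semantics, since it wipes `pwdChars` immediately after constructing the Password from it.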
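Review bot: The `catch (TokenException | IncorrectPasswordException e) { throw e; }` block added around the token login is a no-op rethrow — the exception propagates identically without it and the `finally` still runs — so a plain try/finally is enough; the same pattern (`catch (Exception e) { throw e; }`) recurs in the next two hunks of this file (-877,117 and -3248,54). Likewise `if (password != null)` in the `finally` can never be false, because `password = new Password(tokPwd.toCharArray())` precedes the `try`. Clearing the `Password` only wipes the char-array copy; `tokPwd` is an immutable String that stays in the heap until collected, which deserves a comment on the parameter, e.g. `// NOTE: tokPwd itself cannot be wiped; only the Password copy is cleared below`, or a later change of the signature to `char[]`.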
#12 password is incorrect"); +- } ++ PFX pfx = (PFX) (new PFX.Template()).decode(bis); ++ boolean verifypfx = pfx.verifyAuthSafes(password, reason); + +- AuthenticatedSafes safes = pfx.getAuthSafes(); +- Vector> pkeyinfo_collection = new Vector>(); +- Vector> cert_collection = new Vector>(); ++ if (!verifypfx) { ++ throw new IOException("PKCS #12 password is incorrect"); ++ } + +- CMS.debug("Importing PKCS #12 data"); ++ AuthenticatedSafes safes = pfx.getAuthSafes(); ++ Vector> pkeyinfo_collection = new Vector>(); ++ Vector> cert_collection = new Vector>(); + +- for (int i = 0; i < safes.getSize(); i++) { ++ CMS.debug("Importing PKCS #12 data"); + +- CMS.debug("- Safe #" + i + ":"); +- SEQUENCE scontent = safes.getSafeContentsAt(null, i); ++ for (int i = 0; i < safes.getSize(); i++) { + +- for (int j = 0; j < scontent.size(); j++) { ++ CMS.debug("- Safe #" + i + ":"); ++ SEQUENCE scontent = safes.getSafeContentsAt(null, i); + +- SafeBag bag = (SafeBag) scontent.elementAt(j); +- OBJECT_IDENTIFIER oid = bag.getBagType(); ++ for (int j = 0; j < scontent.size(); j++) { + +- if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { ++ SafeBag bag = (SafeBag) scontent.elementAt(j); ++ OBJECT_IDENTIFIER oid = bag.getBagType(); + +- CMS.debug(" - Bag #" + j + ": key"); +- byte[] epki = bag.getBagContent().getEncoded(); ++ if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { + +- SET bagAttrs = bag.getBagAttributes(); +- String subjectDN = null; ++ CMS.debug(" - Bag #" + j + ": key"); ++ byte[] epki = bag.getBagContent().getEncoded(); + +- for (int k = 0; k < bagAttrs.size(); k++) { ++ SET bagAttrs = bag.getBagAttributes(); ++ String subjectDN = null; + +- Attribute attrs = (Attribute) bagAttrs.elementAt(k); +- OBJECT_IDENTIFIER aoid = attrs.getType(); ++ for (int k = 0; k < bagAttrs.size(); k++) { + +- if (aoid.equals(SafeBag.FRIENDLY_NAME)) { +- SET val = attrs.getValues(); +- ANY ss = (ANY) val.elementAt(0); ++ Attribute attrs = (Attribute) bagAttrs.elementAt(k); ++ 
OBJECT_IDENTIFIER aoid = attrs.getType(); + +- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); +- BMPString sss = (BMPString) new BMPString.Template().decode(bbis); +- subjectDN = sss.toString(); +- CMS.debug(" Subject DN: " + subjectDN); +- break; ++ if (aoid.equals(SafeBag.FRIENDLY_NAME)) { ++ SET val = attrs.getValues(); ++ ANY ss = (ANY) val.elementAt(0); ++ ++ ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); ++ BMPString sss = (BMPString) new BMPString.Template().decode(bbis); ++ subjectDN = sss.toString(); ++ CMS.debug(" Subject DN: " + subjectDN); ++ break; ++ } + } +- } + +- // pkeyinfo_v stores EncryptedPrivateKeyInfo +- // (byte[]) and subject DN (String) +- Vector pkeyinfo_v = new Vector(); +- pkeyinfo_v.addElement(epki); +- if (subjectDN != null) +- pkeyinfo_v.addElement(subjectDN); ++ // pkeyinfo_v stores EncryptedPrivateKeyInfo ++ // (byte[]) and subject DN (String) ++ Vector pkeyinfo_v = new Vector(); ++ pkeyinfo_v.addElement(epki); ++ if (subjectDN != null) ++ pkeyinfo_v.addElement(subjectDN); + +- pkeyinfo_collection.addElement(pkeyinfo_v); ++ pkeyinfo_collection.addElement(pkeyinfo_v); + +- } else if (oid.equals(SafeBag.CERT_BAG)) { ++ } else if (oid.equals(SafeBag.CERT_BAG)) { + +- CMS.debug(" - Bag #" + j + ": certificate"); +- CertBag cbag = (CertBag) bag.getInterpretedBagContent(); +- OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert(); +- byte[] x509cert = str.toByteArray(); ++ CMS.debug(" - Bag #" + j + ": certificate"); ++ CertBag cbag = (CertBag) bag.getInterpretedBagContent(); ++ OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert(); ++ byte[] x509cert = str.toByteArray(); + +- SET bagAttrs = bag.getBagAttributes(); +- String nickname = null; ++ SET bagAttrs = bag.getBagAttributes(); ++ String nickname = null; + +- if (bagAttrs != null) { ++ if (bagAttrs != null) { + +- for (int k = 0; k < bagAttrs.size(); k++) { ++ for (int k = 0; k < bagAttrs.size(); k++) { + +- Attribute attrs 
= (Attribute) bagAttrs.elementAt(k); +- OBJECT_IDENTIFIER aoid = attrs.getType(); ++ Attribute attrs = (Attribute) bagAttrs.elementAt(k); ++ OBJECT_IDENTIFIER aoid = attrs.getType(); + +- if (aoid.equals(SafeBag.FRIENDLY_NAME)) { +- SET val = attrs.getValues(); +- ANY ss = (ANY) val.elementAt(0); ++ if (aoid.equals(SafeBag.FRIENDLY_NAME)) { ++ SET val = attrs.getValues(); ++ ANY ss = (ANY) val.elementAt(0); + +- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); +- BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis); +- nickname = sss.toString(); +- CMS.debug(" Nickname: " + nickname); +- break; ++ ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); ++ BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis); ++ nickname = sss.toString(); ++ CMS.debug(" Nickname: " + nickname); ++ break; ++ } + } + } +- } + +- X509CertImpl certImpl = new X509CertImpl(x509cert); +- CMS.debug(" Serial number: " + certImpl.getSerialNumber()); ++ X509CertImpl certImpl = new X509CertImpl(x509cert); ++ CMS.debug(" Serial number: " + certImpl.getSerialNumber()); + +- try { +- certImpl.checkValidity(); +- CMS.debug(" Status: valid"); ++ try { ++ certImpl.checkValidity(); ++ CMS.debug(" Status: valid"); + +- } catch (CertificateExpiredException | CertificateNotYetValidException e) { +- CMS.debug(" Status: " + e); +- continue; +- } ++ } catch (CertificateExpiredException | CertificateNotYetValidException e) { ++ CMS.debug(" Status: " + e); ++ continue; ++ } + +- // cert_v stores certificate (byte[]) and nickname (String) +- Vector cert_v = new Vector(); +- cert_v.addElement(x509cert); +- if (nickname != null) +- cert_v.addElement(nickname); ++ // cert_v stores certificate (byte[]) and nickname (String) ++ Vector cert_v = new Vector(); ++ cert_v.addElement(x509cert); ++ if (nickname != null) ++ cert_v.addElement(nickname); + +- cert_collection.addElement(cert_v); ++ cert_collection.addElement(cert_v); ++ } + } + } +- } + +- 
importKeyCert(password, pkeyinfo_collection, cert_collection); ++ importKeyCert(password, pkeyinfo_collection, cert_collection); ++ } catch (Exception e) { ++ throw e; ++ } finally { ++ if (password != null) { ++ password.clear(); ++ } ++ } + } + + public static void verifySystemCertificates() throws Exception { +@@ -3248,54 +3267,63 @@ public class ConfigurationUtils { + + Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray()); + +- PKCS12Util util = new PKCS12Util(); +- PKCS12 pkcs12 = new PKCS12(); ++ try { + +- // load system certificate (with key but without chain) +- while (st.hasMoreTokens()) { ++ PKCS12Util util = new PKCS12Util(); ++ PKCS12 pkcs12 = new PKCS12(); + +- String t = st.nextToken(); +- if (t.equals("sslserver")) +- continue; ++ // load system certificate (with key but without chain) ++ while (st.hasMoreTokens()) { + +- String nickname = cs.getString("preop.cert." + t + ".nickname"); +- String modname = cs.getString("preop.module.token"); ++ String t = st.nextToken(); ++ if (t.equals("sslserver")) ++ continue; + +- if (!CryptoUtil.isInternalToken(modname)) +- nickname = modname + ":" + nickname; ++ String nickname = cs.getString("preop.cert." 
+ t + ".nickname"); ++ String modname = cs.getString("preop.module.token"); + +- util.loadCertFromNSS(pkcs12, nickname, true, false); +- } ++ if (!CryptoUtil.isInternalToken(modname)) ++ nickname = modname + ":" + nickname; + +- // load CA certificates (without keys or chains) +- for (X509Certificate caCert : cm.getCACerts()) { +- util.loadCertFromNSS(pkcs12, caCert, false, false); +- } ++ util.loadCertFromNSS(pkcs12, nickname, true, false); ++ } + +- PFX pfx = util.generatePFX(pkcs12, pass); ++ // load CA certificates (without keys or chains) ++ for (X509Certificate caCert : cm.getCACerts()) { ++ util.loadCertFromNSS(pkcs12, caCert, false, false); ++ } + +- ByteArrayOutputStream bos = new ByteArrayOutputStream(); +- pfx.encode(bos); +- byte[] output = bos.toByteArray(); ++ PFX pfx = util.generatePFX(pkcs12, pass); + +- cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); +- pass.clear(); +- cs.commit(false); ++ ByteArrayOutputStream bos = new ByteArrayOutputStream(); ++ pfx.encode(bos); ++ byte[] output = bos.toByteArray(); + +- if (fname != null) { +- FileOutputStream fout = null; +- try { +- fout = new FileOutputStream(fname); +- fout.write(output); ++ cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); ++ cs.commit(false); + +- } catch (Exception e) { +- throw new IOException("Failed to store keys in backup file " + e, e); ++ if (fname != null) { ++ FileOutputStream fout = null; ++ try { ++ fout = new FileOutputStream(fname); ++ fout.write(output); + +- } finally { +- if (fout != null) { +- fout.close(); ++ } catch (Exception e) { ++ throw new IOException("Failed to store keys in backup file " + e, e); ++ ++ } finally { ++ if (fout != null) { ++ fout.close(); ++ } + } + } ++ ++ } catch (Exception e) { ++ throw e; ++ } finally { ++ if (pass != null) { ++ pass.clear(); ++ } + } + } + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java 
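Review bot: `FileOutputStream fout` in the backup branch still uses the manual null-check-and-close idiom although this file already relies on Java 7 multi-catch, so `try (FileOutputStream fout = new FileOutputStream(fname)) { fout.write(output); } catch (Exception e) { throw new IOException("Failed to store keys in backup file " + e, e); }` is shorter and closes on every path. The file written to `fname` holds the PKCS#12-wrapped system keys and is created with whatever the process umask allows; the caller is not visible here, so if it restricts permissions this is moot, otherwise a comment stating who is responsible for the file mode would help the next reader. The enclosing method's signature is outside the hunk.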
+index be7edd5..a9bb003 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java +@@ -409,6 +409,14 @@ public final class JssSubsystem implements ICryptoSubsystem { + } + } + ++ public void obscureChars(char[] memory) { ++ String methodName = "JssSubsystem.obscureBytes: "; ++ if (memory == null || memory.length == 0) ++ return; ++ CMS.debug(methodName + " filling with zeroes, numChars: " + memory.length); ++ Arrays.fill(memory, (char) 0); ++ } ++ + public String getCipherVersion() throws EBaseException { + return "cipherdomestic"; + } +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 8a0ea08..7a68c9b 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -24,6 +24,9 @@ import java.io.IOException; + import java.io.PrintStream; + import java.math.BigInteger; + import java.net.SocketException; ++import java.nio.ByteBuffer; ++import java.nio.CharBuffer; ++import java.nio.charset.Charset; + import java.security.GeneralSecurityException; + import java.security.InvalidAlgorithmParameterException; + import java.security.InvalidKeyException; +@@ -1950,6 +1953,52 @@ public class CryptoUtil { + return bytes; + } + ++ public static char[] bytesToChars(byte[] bytes) { ++ if(bytes == null) ++ return null; ++ ++ Charset charset = Charset.forName("UTF-8"); ++ CharBuffer charBuffer = charset.decode(ByteBuffer.wrap(bytes)); ++ char[] result = Arrays.copyOf(charBuffer.array(), charBuffer.limit()); ++ ++ //Clear up the CharBuffer we just created ++ if (charBuffer.hasArray()) { ++ char[] contentsToBeErased = charBuffer.array(); ++ CryptoUtil.obscureChars(contentsToBeErased); ++ } ++ return result; ++ } ++ ++ public static byte[] charsToBytes(char[] chars) { ++ if(chars == null) ++ return null; ++ ++ Charset 
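Review bot: The label in the new `obscureChars` is copy-pasted from its sibling — `String methodName = "JssSubsystem.obscureBytes: ";` — so the debug line attributes the wipe to the wrong method; it should be `String methodName = "JssSubsystem.obscureChars: ";`. That debug line also writes the secret's length (`numChars`) into the log, a small disclosure about the shared token that the CryptoUtil counterpart (hunk -2176,6) avoids by logging nothing, so consider dropping the length or the whole message. The body is otherwise identical to `CryptoUtil.obscureChars`, so delegating to it (`CryptoUtil.obscureChars(memory);`) would leave one implementation to maintain.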
charset = Charset.forName("UTF-8"); ++ ByteBuffer byteBuffer = charset.encode(CharBuffer.wrap(chars)); ++ byte[] result = Arrays.copyOf(byteBuffer.array(), byteBuffer.limit()); ++ ++ if(byteBuffer.hasArray()) { ++ byte[] contentsToBeErased = byteBuffer.array(); ++ CryptoUtil.obscureBytes(contentsToBeErased, "random"); ++ } ++ return result; ++ } ++ ++ /** ++ * Create a jss Password object from a provided byte array. ++ */ ++ public static Password createPasswordFromBytes(byte[] bytes ) { ++ ++ if(bytes == null) ++ return null; ++ ++ char[] pwdChars = bytesToChars(bytes); ++ Password password = new Password(pwdChars); ++ obscureChars(pwdChars); ++ ++ return password; ++ } ++ + /** + * Retrieves a private key from a unique key ID. + */ +@@ -2176,6 +2225,14 @@ public class CryptoUtil { + + } + ++ public static void obscureChars(char[] memory) { ++ if (memory == null || memory.length == 0) { ++ //in case we want to log ++ return; ++ } ++ Arrays.fill(memory, (char) 0); ++ } ++ + public static void obscureBytes(byte[] memory, String method) { + if (memory == null || memory.length == 0) { + //in case we want to log +@@ -2279,7 +2336,7 @@ public class CryptoUtil { + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, +- String data, ++ char[] data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( +@@ -2289,7 +2346,7 @@ public class CryptoUtil { + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, +- String data, ++ char []data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( +@@ -2300,7 +2357,7 @@ public class CryptoUtil { + private static PKIArchiveOptions createPKIArchiveOptionsInternal( + CryptoToken token, + PublicKey wrappingKey, +- String passphraseData, ++ char[] passphraseData, + PrivateKey privKeyData, + SymmetricKey 
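Review bot: `charset.decode(...)` in `bytesToChars` uses the charset's default error action, which replaces malformed or unmappable sequences with U+FFFD instead of failing, so a byte[] that is not valid UTF-8 silently becomes a different value and `charsToBytes(bytesToChars(b))` is no longer `b`; for secret material that is a correctness hazard, and the client-supplied secret in CMCOutputTemplate (hunk -1110,11) goes through exactly this path. A `CharsetDecoder` obtained from `charset.newDecoder()` with `onMalformedInput(CodingErrorAction.REPORT)` and `onUnmappableCharacter(CodingErrorAction.REPORT)` makes the conversion lossless-or-fail, and the same applies to `charset.encode` in `charsToBytes`. `Charset.forName("UTF-8")` in both helpers can be `StandardCharsets.UTF_8`, available at the Java 7 level this patch already uses (multi-catch). In `createPasswordFromBytes`, `obscureChars(pwdChars)` directly after `new Password(pwdChars)` zeros the array the Password may still reference; if, as I believe, the JSS constructor stores the array rather than copying it, the returned Password is all zeros, so either rely on `Password.clear()` by the caller or construct the Password from a copy.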
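Review bot: `char []data` in the new createEncodedPKIArchiveOptions signature puts the brackets on the identifier side, unlike `char[] data` in createPKIArchiveOptions one hunk earlier and `char[] passphraseData` in the next; `char[] data,` keeps the three signatures consistent with the file's own convention. The three type changes are source-incompatible for any external caller still passing a String, which the commit message should mention.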
symKeyData, + WrappingParams params, +@@ -2315,7 +2372,7 @@ public class CryptoUtil { + + if (passphraseData != null) { + +- byte[] secret = passphraseData.getBytes("UTF-8"); ++ byte[] secret = CryptoUtil.charsToBytes(passphraseData); + key_data = encryptSecret( + token, + secret, +-- +1.8.3.1 + + +From 45a098dfbe3bbb951a7cb22d50e13e8e093d03cc Mon Sep 17 00:00:00 2001 +From: Geetika Kapoor +Date: Mon, 20 Nov 2017 12:13:41 +0530 +Subject: Added ansible playbooks code and documentation for setup + +Change-Id: I0e597ec86661d2ccf72e8a04279981471b0590b1 +Signed-off-by: Geetika Kapoor +(cherry picked from commit 48fbe1e75de5d91699aaa418fd8e34ab3745e25c) +--- + tests/dogtag/pytest-ansible/README.md | 27 ++ + tests/dogtag/pytest-ansible/common-modules/pki.py | 127 +++++++++ + tests/dogtag/pytest-ansible/installation/README.md | 99 +++++++ + tests/dogtag/pytest-ansible/installation/host | 2 + + tests/dogtag/pytest-ansible/installation/main.yml | 11 + + .../files/config_templates/ansible_constants.py | 52 ++++ + .../roles/Test_Execution/files/test/script | 79 ++++++ + .../roles/Test_Execution/handlers/main.yml | 3 + + .../roles/Test_Execution/handlers/pki-core.yml | 54 ++++ + .../roles/Test_Execution/tasks/configure_ca.yml | 18 ++ + .../Test_Execution/tasks/configure_common.yml | 77 +++++ + .../roles/Test_Execution/tasks/configure_kra.yml | 24 ++ + .../roles/Test_Execution/tasks/configure_ldap.yml | 20 ++ + .../roles/Test_Execution/tasks/configure_ocsp.yml | 17 ++ + .../Test_Execution/tasks/configure_shared.yml | 14 + + .../tasks/configure_sharedsecret.yml | 4 + + .../roles/Test_Execution/tasks/configure_tks.yml | 30 ++ + .../roles/Test_Execution/tasks/configure_tps.yml | 24 ++ + .../roles/Test_Execution/tasks/main.yml | 19 ++ + .../files/config_templates/ansible_constants.py | 52 ++++ + .../roles/Test_Trigger/files/test/ca.cfg | 38 +++ + .../roles/Test_Trigger/files/test/constants.py | 67 +++++ + .../roles/Test_Trigger/files/test/kra.cfg | 42 +++ + 
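Review bot: `byte[] secret = CryptoUtil.charsToBytes(passphraseData)` creates a fresh UTF-8 copy of the passphrase that is handed to `encryptSecret`, and the hunk ends before that call returns, so I cannot see whether `secret` is wiped afterwards. If the remainder of createPKIArchiveOptionsInternal does not already do so, a `CryptoUtil.obscureBytes(secret, "random");` once `key_data` has been produced (ideally in a `finally`) would complete the change this patch is making. The method's remainder is outside the hunk.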
.../roles/Test_Trigger/files/test/ldap.cfg | 12 + + .../roles/Test_Trigger/files/test/ocsp.cfg | 36 +++ + .../roles/Test_Trigger/files/test/script | 79 ++++++ + .../roles/Test_Trigger/files/test/tks.cfg | 26 ++ + .../roles/Test_Trigger/files/test/tps.cfg | 34 +++ + .../roles/Test_Trigger/tasks/configure_ca.yml | 25 ++ + .../roles/Test_Trigger/tasks/configure_common.yml | 146 ++++++++++ + .../roles/Test_Trigger/tasks/configure_kra.yml | 27 ++ + .../roles/Test_Trigger/tasks/configure_ldap.yml | 47 ++++ + .../roles/Test_Trigger/tasks/configure_ocsp.yml | 27 ++ + .../roles/Test_Trigger/tasks/configure_tks.yml | 27 ++ + .../roles/Test_Trigger/tasks/configure_tps.yml | 39 +++ + .../installation/roles/Test_Trigger/tasks/main.yml | 15 + + .../dogtag/pytest-ansible/installation/vars/ca.yml | 4 + + .../pytest-ansible/installation/vars/ca_shared.yml | 24 ++ + .../pytest-ansible/installation/vars/kra.yml | 4 + + .../pytest-ansible/installation/vars/ldap.yml | 8 + + .../installation/vars/ldap_shared.yml | 3 + + .../pytest-ansible/installation/vars/ocsp.yml | 4 + + .../pytest-ansible/installation/vars/tks.yml | 4 + + .../pytest-ansible/installation/vars/tps.yml | 4 + + tests/dogtag/pytest-ansible/provision/readme.txt | 0 + tests/dogtag/pytest-ansible/pytest/README.md | 313 +++++++++++++++++++++ + .../pytest/tps-token/ldapUserAdd.yml | 35 +++ + .../pytest/tps-token/test_tps_token_show.py | 106 +++++++ + .../pytest/tps-token/tokenEnroll.yml | 35 +++ + tests/dogtag/pytest-ansible/requirements.txt | 5 + + 50 files changed, 1989 insertions(+) + create mode 100644 tests/dogtag/pytest-ansible/README.md + create mode 100644 tests/dogtag/pytest-ansible/common-modules/pki.py + create mode 100644 tests/dogtag/pytest-ansible/installation/README.md + create mode 100644 tests/dogtag/pytest-ansible/installation/host + create mode 100644 tests/dogtag/pytest-ansible/installation/main.yml + create mode 100644 
tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py + create mode 100755 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg + create mode 100644 
tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg + create mode 100755 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ca.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/kra.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ldap.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ocsp.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/tks.yml + create mode 100644 tests/dogtag/pytest-ansible/installation/vars/tps.yml + create mode 100644 tests/dogtag/pytest-ansible/provision/readme.txt 
+ create mode 100644 tests/dogtag/pytest-ansible/pytest/README.md + create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml + create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py + create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml + create mode 100644 tests/dogtag/pytest-ansible/requirements.txt + +diff --git a/tests/dogtag/pytest-ansible/README.md b/tests/dogtag/pytest-ansible/README.md +new file mode 100644 +index 0000000..8142f39 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/README.md +@@ -0,0 +1,27 @@ ++# Environment-Setup Instructions ++ ++## Installing pip ++ ++[pip] (https://pip.pypa.io/en/stable/installing/) is needed for ansible & pytest installation. ++ ++## Installing Supporting Packages ++ ++Install the pip and run requirements.txt file ++ ++``` ++pip install -r requirements.txt ++``` ++ ++## Installing CA, KRA, OCSP, TKS & TPS Subsystems ++ ++Refer [README.md] (installation/README.md) ++ ++ ++ ++## Running Pytest-Ansible test cases. ++ ++### Pre-requisite ++ ++1. Run Role user setup for setting up different users for different subsystem for setting up Admin, Agent, Revoked and Expired certificates. ++ -- To-do ++2. Refer [README.md] (pytest/README.md) +\ No newline at end of file +diff --git a/tests/dogtag/pytest-ansible/common-modules/pki.py b/tests/dogtag/pytest-ansible/common-modules/pki.py +new file mode 100644 +index 0000000..4d489e9 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/common-modules/pki.py +@@ -0,0 +1,127 @@ ++#!/usr/bin/python ++# -*- coding: utf-8 -*- ++# (c) 2016, Geetika Kapoor ++# ++# This file is part of Ansible ++# ++# Ansible is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. 
++# ++# Ansible is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with Ansible. If not, see . ++ ++ANSIBLE_METADATA = {'metadata_version': '1.0', ++ 'status': ['stableinterface'], ++ 'supported_by': 'core'} ++ ++DOCUMENTATION = ''' ++--- ++module: pki ++short_description: Execute dogtag "pki" commands remotely on any machine. ++Point it to the host where you want them to run. ++This utility supports all the authentication modes as mentioned in ++man pages of pki. Refer 'man pki' for supported options. ++ ++Usage: This can be added as mentioned in the example. ++Authentication types supported: ++1. Connection - Plain URI connection ++2. Basic Authentication: username/password support ++3. Client Authentication: certificate authentication support ++conn_args: Name assigned to variable that has common arguments ++needed for all types of connection. ++auth_args: Name assigned to authentication commands that are run using pki. ++cli_args: Name assigned to sub-cli-commands that are run underneath ++pki command. ++ ++Example: ++- name: Call pki command ++ pki: cli='ca-cert-find' authType='connection' ++ ++''' ++ ++import datetime ++import glob ++import shlex ++import os ++ ++if os.path.isfile('/tmp/test_dir/constants.py'): ++ import sys ++ sys.path.append('/tmp/test_dir') ++ import constants ++else: ++ from pki.testlib.common import constants ++from ansible.module_utils.basic import AnsibleModule ++from ansible.module_utils.six import b ++ ++ ++def main(): ++ ++ # the command module is the one ansible module that does not take key=value args ++ # hence don't copy this one if you are looking to build others! 
++ module = AnsibleModule(
++ argument_spec=dict(
++ raw_params = dict(default='pki'),
++ port = dict(default=''),
++ cli = dict(default='--help'),
++ extra_args = dict(default=''),
++ certnick = dict(default="'PKI CA Administrator for Example.Org'"),
++ username = dict(default='caadmin'),
++ userpassword = dict(default='Secret123'),
++ userpwdfile = dict(default='Secret123'),
++ dbpassword = dict(default='Secret123'),
++ nssdb = dict(default='/opt/pkitest/certdb'),
++ protocol = dict(default='http'),
++ hostname = dict(default='localhost'),
++ authType = dict(default='clientAuth', choices=['connection', 'basicAuth', 'clientAuth'])
++ )
++ )
++ if module.params['port']:
++ port = module.params['port']
++ else:
++ Subsystem=map(lambda x: {"True" if x in module.params['cli'] else False: x } ,["ca", "kra", "ocsp", "tks", "tps"])
++ for idx, val in enumerate(Subsystem):
++ for key, value in val.iteritems():
++ if key == 'True':
++ sub = value
++ port = '_'.join([sub.upper(), module.params['protocol'].upper(), "PORT"])
++ port = getattr(constants, port)
++ conn_args = [module.params['raw_params'], '-d', module.params['nssdb'], '-P', module.params['protocol'], '-p', '%s' %(port), '-h', module.params['hostname'], '-c', module.params['dbpassword']]
++ cli_args = [module.params['cli'], module.params['extra_args']]
++
++ if module.params['authType'] == 'clientAuth':
++ auth_args = ['-n', module.params['certnick']]
++ args = ' '.join(conn_args + auth_args + cli_args)
++
++ if module.params['authType'] == 'basicAuth':
++ auth_args = ['-u', module.params['username'], '-w', module.params['userpassword']]
++ args = ' '.join(conn_args + auth_args + cli_args)
++
++ if module.params['authType'] == 'connection':
++ args = ' '.join(conn_args)
++
++ rc, out, err = module.run_command(args)
++
++ result = dict(
++ cmd = args,
++ stdout = out.rstrip(b("\r\n")),
++ stderr = err.rstrip(b("\r\n")),
++ rc = rc,
++ changed = True,
++ )
++
++ if rc != 0:
++ module.fail_json(msg='non-zero return
code', **result) ++ ++ module.exit_json(**result) ++ ++ ++if __name__ == '__main__': ++ main() ++ +diff --git a/tests/dogtag/pytest-ansible/installation/README.md b/tests/dogtag/pytest-ansible/installation/README.md +new file mode 100644 +index 0000000..6b18ee0 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/README.md +@@ -0,0 +1,99 @@ ++# Project Name - Dogtagpki ++ ++## Subsystem Installation using Ansible ++ ++### About ++ ++This ansible playbook is written to setup all the subsystems(CA, KRA, OCSP, TKS and TPS). ++These playbooks can setup the environment based on the topology specified in the runtime. ++ ++### Requirements: ++ ++1. Pip should be installed. ++2. Pip [requiremets.txt](../Installation/requirements.txt) should be installed ++3. Make sure to check ansible version after installation.This can be quickly done using ++ansible --version. ++If this commands works, Your ansible is installed properly. ++ ++4. Before running the playbooks make sure machines that are going to communicate with each other they have passwordless communication working. ++This can be easily done using: ++ `ssh-copy-id root@` ++ ++This will ask you for one time password after which it will copy keys between machines. ++ ++### Verification Step ++``` ++ ssh root@ ++``` ++This should not prompt for password any more. ++ ++### Packages to Install `Only for RHEL users` ++ ++Configure repo that have below listed packages.It is mandatory to setup repo's ++correctly before triggering ansible playbooks for system installation. 
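Review bot: `userpassword` and `dbpassword` in `argument_spec` are concatenated into `args`, which is executed and then echoed back as `cmd = args` in `result`, so the NSS database and user passwords land in task output and verbose logs; mark them `userpassword = dict(default='Secret123', no_log=True)` and `dbpassword = dict(default='Secret123', no_log=True)` so Ansible redacts them. Passing `conn_args + auth_args + cli_args` to `module.run_command` as a list instead of a `' '.join`ed string would also remove the need for the pre-quoted `certnick` default and stop values containing spaces from being re-split. When `cli` names no subsystem (the default `--help`) the `for` loop never assigns `sub`, so the `'_'.join([sub.upper(), ...])` line raises `NameError` instead of a module failure, and `userpwdfile` is declared but never read.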
++ ++``` ++Required Packages: ++ ++ - redhat-pki ++ - redhat-pki-console-theme ++ - redhat-pki-server-theme ++ - pki-console ++ - 389-ds-base ++ - pki-ca ++ - pki-kra ++ - pki-ocsp ++ - pki-tks ++ - pki-tps ++ - policycoreutils-python ++ - expect ++ - libselinux-python ++``` ++ ++### Usage: ++ ++For Setting up Subsystems on different port, use `topology-02 ` ++``` ++ansible-playbook -i /tmp/test/pki-tests/ci/ansible/host main.yml --extra-vars "topology=topology-02" -v ++``` ++ ++For Setting up Subsystems on default and same port, use `topology-01` ++``` ++ansible-playbook -i /tmp/test/pki-tests/ci/ansible/host main.yml --extra-vars "topology=topology-01" -v ++``` ++ ++where, ++ ++ -i INVENTORY, --inventory-file=INVENTORY ++ specify inventory host path ++ (default=/etc/ansible/hosts) or comma separated host ++ list. ++ ++## Examples of ansible-inventory ++ ++Inventory file consist of the roles and the ip-address.Tests will run for the roles and ip's that are mentioned. ++ ++``` ++[master] ++10.1.2.3 ++10.2.3.4 ++``` ++ ++### Sanity tests ++ ++Once playbook installation is complete, use below command and make certificates are returned. ++``` ++ pki -p 20080 ca-cert-find ++``` ++Incase, you are required to run any other topology let us say "topology-01" for shared instance, replace topology-02 with topology-01. ++ ++ ++### Gathering Subsystems Facts ++ ++Gather configuration files, ports and other environment data from `/tmp/test_dir` on the system under test. ++ ++ ++## References: ++ ++1. http://docs.ansible.com/ansible/intro.html ++2. 
http://docs.ansible.com/ansible/intro_installation.html +\ No newline at end of file +diff --git a/tests/dogtag/pytest-ansible/installation/host b/tests/dogtag/pytest-ansible/installation/host +new file mode 100644 +index 0000000..056033d +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/host +@@ -0,0 +1,2 @@ ++[master] ++10.8.52.99 +diff --git a/tests/dogtag/pytest-ansible/installation/main.yml b/tests/dogtag/pytest-ansible/installation/main.yml +new file mode 100644 +index 0000000..41d4b66 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/main.yml +@@ -0,0 +1,11 @@ ++# Configure cosmos repo and install all pre-requisites on Jenkins slave. ++# Git clone and install ipa-pytests on Jenkins slave. ++- hosts: localhost ++ gather_facts: true ++ roles: ++ - Test_Trigger ++ ++# Git clone and install ipa-pytests on all SUT ++- hosts: master ++ roles: ++ - Test_Execution +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py +new file mode 100644 +index 0000000..ccb19b6 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py +@@ -0,0 +1,52 @@ ++#common to all subsystems ++CLIENT_PKCS12_PASSWORD = 'Secret123' ++CLIENT_DIR_PASSWORD = 'Secret123' ++BACKUP_PASSWORD = 'Secret123' ++CLIENT_DATABASE_PASSWORD = 'Secret123' ++#CA Instance ++CA_HTTPS_PORT = '20443' ++CA_HTTP_PORT = '20080' ++CA_AJP_PORT = '20009' ++CA_TOMCAT_PORT = '20005' ++CA_CLIENT_DIR = '/opt/topology-CA' ++CA_INSTANCE_NAME = 'topology-CA' ++SECURITY_DOMAIN_PASSWORD = 'Secret123' ++CA_PASSWORD = 'Secret123' ++CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org' ++CA_ADMIN_USERNAME = 'caadmin' ++CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org' ++#KRA Instance ++KRA_INSTANCE_NAME = 'topology-KRA' ++KRA_HTTPS_PORT = 21443 ++KRA_HTTP_PORT = 
21080 ++KRA_AJP_PORT = 21009 ++KRA_TOMCAT_PORT = 21005 ++KRA_PASSWORD = 'Secret123' ++KRA_CLIENT_DIR = '/opt/topology-KRA' ++KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org' ++#OCSP Instance ++OCSP_INSTANCE_NAME = 'topology-OCSP' ++OCSP_HTTPS_PORT = 22443 ++OCSP_HTTP_PORT = 22080 ++OCSP_AJP_PORT = 22009 ++OCSP_TOMCAT_PORT = 22005 ++OCSP_PASSWORD = 'Secret123' ++OCSP_CLIENT_DIR = '/opt/topology-OCSP' ++OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org' ++#TKS Instance ++TKS_INSTANCE_NAME = 'topology-TKS' ++TKS_HTTPS_PORT = 23443 ++TKS_HTTP_PORT = 23080 ++TKS_AJP_PORT = 23009 ++TKS_TOMCAT_PORT = 23005 ++TKS_PASSWORD = 'Secret123' ++TKS_CLIENT_DIR = '/opt/topology-TKS' ++#TPS instance ++TPS_INSTANCE_NAME = 'topology-TPS' ++TPS_HTTPS_PORT = '25443' ++TPS_HTTP_PORT = '25080' ++TPS_AJP_PORT = '25009' ++TPS_TOMCAT_PORT = '25005' ++TPS_PASSWORD = 'Secret123' ++TPS_CLIENT_DIR = '/opt/topology-TPS' ++TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org' +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script +new file mode 100755 +index 0000000..c98e4ae +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script +@@ -0,0 +1,79 @@ ++#!/bin/sh ++#Generate Noise using Openssl ++echo "Defining variables " ++tks_password="/tmp/tkspassword.txt" ++tps_password="/tmp/tpspassword.txt" ++tks_alias="/var/lib/pki/$1-TKS/alias" ++tps_alias="/var/lib/pki/$1-TPS/alias" ++tks_noise="/tmp/tks_noise" ++tks_shared_secret="sharedSecret" ++tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg" ++tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg" ++tps_input_file="/tmp/tps-input.txt" ++tks_secret_output="/tmp/secret" ++tks_input_file="/tmp/tks-input.txt" ++tks_input="proceed\r\n" ++tks_secret_output="/tmp/sharedSecret.out" ++tps_key_import_status="/tmp/sharedSecretImport.out" ++echo "proceed\r\n" > $tks_input_file ++echo "Generate 
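Review bot: The port constants mix types: `CA_HTTPS_PORT = '20443'` and the TPS ports are strings while `KRA_HTTPS_PORT = 21443` and the OCSP and TKS ports are integers. `pki.py` formats whichever it receives with `'%s'`, so it works today, but any consumer that compares or does arithmetic on a port would break on the string ones; pick one representation (integers read most naturally for ports) for all five subsystems. The same template is duplicated under `Test_Trigger/files/config_templates/` in this patch, so the change belongs in both copies.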
Noise using OpenSSL" ++openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise ++cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password ++cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password ++ ++echo "Stopping TKS & TPS instance" ++systemctl stop pki-tomcatd@$1-TKS.service ++systemctl stop pki-tomcatd@$1-TPS.service ++echo "Generating shared secret" ++/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password ++/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file ++/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out ++grep "$tks_shared_secret" /tmp/sharedSecretList1.out ++first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:") ++first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://') ++first_session_key=$(echo ${first_session_tmp2%% }) ++first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:") ++first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://') ++first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% }) ++ ++second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:") ++second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://') ++second_session_key=$(echo ${second_session_tmp2%% }) ++second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:") ++second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://') ++second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% }) ++ ++third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:") ++third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://') ++third_session_key=$(echo ${third_session_tmp2%% }) 
++third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:") ++third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://') ++third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% }) ++ ++sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf ++sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf ++echo "Restart $1-TKS instance" ++systemctl restart pki-tomcatd@$1-TKS.service ++echo "proceed\r\n" > $tps_input_file ++echo "$first_session_key\r\n" >> $tps_input_file ++echo "\r\n" >> $tps_input_file ++echo "$first_session_KCV_key\r\n" >> $tps_input_file ++echo "proceed\r\n" >> $tps_input_file ++echo "proceed\r\n" >> $tps_input_file ++echo "$second_session_key\r\n" >> $tps_input_file ++echo "\r\n" >> $tps_input_file ++echo "$second_session_KCV_key\r\n" >> $tps_input_file ++echo "proceed\r\n" >> $tps_input_file ++echo "proceed\r\n" >> $tps_input_file ++echo "$third_session_key\r\n" >> $tps_input_file ++echo "\r\n" >> $tps_input_file ++echo "$third_session_KCV_key\r\n" >> $tps_input_file ++echo "proceed\r\n" >> $tps_input_file ++ ++/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status ++/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out ++grep "$tks_shared_secret" /tmp/sharedSecretList2.out ++sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf ++sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf ++echo "Restart $1-TPS instance" ++systemctl restart pki-tomcatd@$1-TPS.service +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml +new file mode 100644 +index 0000000..3342a9a +--- /dev/null ++++ 
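Review bot: The script copies the NSS internal token password out of `password.conf` into `/tmp/tkspassword.txt` and `/tmp/tpspassword.txt`, and writes the generated key shares and KCVs to `/tmp/sharedSecret.out` and `/tmp/tps-input.txt`, all at fixed paths created with whatever umask the caller has (typically world-readable) and none removed when the script ends. Adding `umask 077` before the first redirect and `trap 'rm -f "$tks_password" "$tps_password" "$tks_secret_output" "$tps_input_file" "$tks_input_file"' EXIT` after the variable block, plus `set -eu` so an empty `$1` cannot expand the alias paths to `/var/lib/pki/-TKS/alias`, would close this. The `echo "proceed\r\n"` lines rely on the shell's `echo` interpreting backslash escapes, which `/bin/sh` does not do on every platform; `printf 'proceed\r\n'` is the portable form. `tks_secret_output` is assigned twice and the first value `/tmp/secret` is dead.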
b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml +@@ -0,0 +1,3 @@ ++- name: Inclue pki-core handlers ++ include: pki-core.yml ++ tags: pki-core +\ No newline at end of file +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml +new file mode 100644 +index 0000000..ed22477 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml +@@ -0,0 +1,54 @@ ++- name: STOPCA ++ service: ++ name: pki-tomcatd@{{ topology }}-CA ++ state: stopped ++ ++- name: STARTCA ++ service: ++ name: pki-tomcatd@{{ topology }}-CA ++ state: started ++ ++- name: STOPKRA ++ service: ++ name: pki-tomcatd@{{ topology }}-KRA ++ state: stopped ++ ++- name: STARTKRA ++ service: ++ name: pki-tomcatd@{{ topology }}-KRA ++ state: started ++ ++- name: STOPOCSP ++ service: ++ name: pki-tomcatd@{{ topology }}-OCSP ++ state: stopped ++ ++- name: STARTOCSP ++ service: ++ name: pki-tomcatd@{{ topology }}-OCSP ++ state: started ++ ++- name: STOPTKS ++ service: ++ name: pki-tomcatd@{{ topology }}-TKS ++ state: stopped ++ ++- name: STARTTKS ++ service: ++ name: pki-tomcatd@{{ topology }}-TKS ++ state: started ++ ++- name: STOPTPS ++ service: ++ name: pki-tomcatd@{{ topology }}-TPS ++ state: stopped ++ ++- name: STARTTPS ++ service: ++ name: pki-tomcatd@{{ topology }}-TPS ++ state: started ++ ++- name: INC_CONSTANTS ++ include_vars: ++ file: /tmp/test_dir/constants.yml ++ name: variable +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml +new file mode 100644 +index 0000000..a1de87d +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml +@@ -0,0 +1,18 @@ ++- name: Install CA master ++ shell: pkispawn -s CA -f 
/tmp/test_dir/ca.cfg ++ ++- name : Stopping CA Subsystem ++ shell: systemctl stop pki-tomcatd@{{ topology }}-CA.service ++ ++- name: Enable SignedAudit for Subsystem ++ replace: dest=/etc/pki/{{ topology }}-CA/ca/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" ++ ++- name: Getting certificate nickname for CA CS.cfg ++ shell: grep "ca.ocsp_signing.nickname" /etc/pki/{{ topology }}-CA/ca/CS.cfg |awk -F"=" ' { print $2 } ' ++ register: nickname_ocsp ++ ++- name: Importing client certificate for OCSP ++ shell: certutil -L -d /var/lib/pki/{{ topology }}-CA/alias -n "{{ nickname_ocsp.stdout }}" -a > /tmp/test_dir/ocsp_signing.crt ++ ++- name : Starting CA Subsystem ++ shell: systemctl start pki-tomcatd@{{ topology }}-CA.service +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml +new file mode 100644 +index 0000000..ac44bc5 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml +@@ -0,0 +1,77 @@ ++- name: Disable firewalld before LDAP and Subsystem installation ++ systemd: state=stopped name=firewalld ++ ++- name : Set hostname for machines Bydefault we choose pki1 for master and pki2 for clones. 
++ hostname: name=pki1.example.com ++ tags: platform-ci ++ ++- name: Install a required package for modify hostname task below ++ dnf: pkg={{item}} state=latest ++ with_items: ++ - libselinux-python ++ when: ansible_distribution == "Fedora" ++ ++- name : Modify hostname for master in /etc/hosts ++ lineinfile: dest=/etc/hosts regexp='.*{{ inventory_hostname }}$' create=yes insertafter=EOF line="{{ inventory_hostname }} {{ansible_fqdn}}" state=present ++ tags: platform-ci ++ ++ ++- name : fetch file in master in /etc/hosts ++ fetch: src=/etc/hosts dest=/etc/ flat=yes validate_checksum=no ++ tags: platform-ci ++ ++- name: Install list of packages for CS Master for Redhat ++ yum : pkg={{item}} state=latest ++ with_items: ++ - redhat-pki ++ - redhat-pki-console-theme ++ - redhat-pki-server-theme ++ - pki-console ++ - 389-ds-base ++ - pki-ca ++ - pki-kra ++ - pki-ocsp ++ - pki-tks ++ - pki-tps ++ - policycoreutils-python ++ - expect ++ - libselinux-python ++ when: ansible_distribution == "RedHat" ++ tags: platform-ci ++ ++- name: Install list of packages for CS Master for Fedora ++ dnf : pkg={{item}} state=latest ++ with_items: ++ - 389-ds-base ++ - dogtag-pki ++ - dogtag-pki-console-theme ++ - dogtag-pki-server-theme ++ - policycoreutils-python ++ - expect ++ when: ansible_distribution == "Fedora" ++ tags: platform-ci ++ ++- name: Check for Removed dependency from mod_revocator and mod_nss.If failes refer BZ 1295276 ++ command: rpm -q {{item}} ++ with_items: ++ - mod_revocator ++ - mod_nss ++ register: rpm_check ++ failed_when: "rpm_check.rc == 0" ++ ++- name: Check for Removed dependency of perl from pki-server.If fails, refer BZ 1305769 ++ command: rpm -qR pki-server | grep perl ++ register: rpm_check ++ failed_when: "rpm_check.rc == 0" ++ ++- name: Copying templates to /tmp folder ++ copy : src=/tmp/test_dir dest=/tmp/ ++ tags: platform-ci ++ ++- name: Making constants.py file compatable for including as vars. 
++ shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml ++ ++- name: Fetch the file ++ fetch: src=/tmp/test_dir/constants.yml dest=/tmp/test_dir/ flat=yes validate_checksum=no ++ ++ +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml +new file mode 100644 +index 0000000..670fa5e +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml +@@ -0,0 +1,24 @@ ++- name: Install KRA master ++ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg ++ ++- name : Stopping KRA Subsystem ++ shell: echo "Stopping Subsystem for enabling Audit logging" ++ notify: ++ - STOPKRA ++ - INC_CONSTANTS ++ ++- meta: flush_handlers ++ ++- name: Enable SignedAudit ++ replace: dest=/etc/pki/{{ topology }}-KRA/kra/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" ++ ++- name: Enable OCSP for KRA ++ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"' ++ ++- name: Pointing KRA to correct OCSP port ++ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp ++ ++- name: Importing OCSP certificate in kra nssdb ++ shell: certutil -A -d /etc/pki/{{ topology }}-KRA/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt ++ notify: ++ - STARTKRA +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml +new file mode 100644 +index 0000000..01d867b +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml +@@ -0,0 +1,20 @@ ++ ++- name: Setup DS Service ++ shell: setup-ds.pl --silent 
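Review bot: `command: rpm -qR pki-server | grep perl` runs under the `command` module, which does not go through a shell, so `|`, `grep` and `perl` are handed to `rpm` as extra arguments; the task is likely to fail on its own and the `failed_when: "rpm_check.rc == 0"` guard never tests what it was written for. Use `shell: rpm -qR pki-server | grep perl` here (the preceding `rpm -q` task is fine with `command`). The first task stops `firewalld` for the whole run; opening just the subsystem ports from `constants.yml` with the `firewalld` module would keep the host's default posture while still letting the tests reach the instances. `hostname: name=pki1.example.com` is applied to every master, which would collide if the inventory group ever holds more than one host.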
--file=/tmp/test_dir/ldap.cfg
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++
++- name: Setup DS Service
++ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_kra.cfg
++ when: topology == "topology-05"
++
++- name: Setup DS Service
++ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_ocsp.cfg
++ when: topology == "topology-05"
++
++- name: Setup DS Service
++ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tks.cfg
++ when: topology == "topology-05"
++
++- name: Setup DS Service
++ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tps.cfg
++ when: topology == "topology-05"
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml
+new file mode 100644
+index 0000000..373a16c
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml
+@@ -0,0 +1,17 @@
++- name: sleep
++ shell: sleep 5s
++
++- name: Install OCSP master
++ shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg
++
++- name : Stopping OCSP Subsystem
++ shell: echo "Stopping Subsystem for enabling Audit logging"
++ notify:
++ - STOPOCSP
++
++- name: Enable SignedAudit
++ replace: dest=/etc/pki/{{ topology }}-OCSP/ocsp/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
++ notify:
++ - STARTOCSP
++
++- meta: flush_handlers
+\ No newline at end of file
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml
+new file mode 100644
+index 0000000..dee083c
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml
+@@ -0,0 +1,14 @@
++- name: Install CA master
++ shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg
++
++- name: Install KRA master
++ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg
++
++- name: Install OCSP master
++ shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg
++
++- name: Install TKS master
++ shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg
++
++- name: Install TPS master
++ shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg
+\ No newline at end of file
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml
+new file mode 100644
+index 0000000..f2e4de4
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml
+@@ -0,0 +1,4 @@
++- name: Shared Secret sharing between TPS and TKS
++ script: test/script {{ topology }}
++ when: topology == "topology-02" or topology == "topology-05"
++ tags: platform-ci
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml
+new file mode 100644
+index 0000000..78295d1
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml
+@@ -0,0 +1,30 @@
++- name: Install TKS master
++ shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg
++
++- name : Stopping TKS Subsystem
++ shell: echo "Stopping Subsystem for enabling Audit logging"
++ notify:
++ - STOPTKS
++ - INC_CONSTANTS
++
++- meta: flush_handlers
++
++- name: Enable SignedAudit
++ replace: dest=/etc/pki/{{ topology }}-TKS/tks/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
++
++- name: Enable OCSP for TKS
++ replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
++
++- name: Pointing TKS to correct OCSP port
++ replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
++
++- name: Importing OCSP certificate in TKS nssdb
++ shell: certutil -A -d /etc/pki/{{ topology }}-TKS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt
++ notify:
++ - STARTTKS
++
++- meta: flush_handlers
++
++- name: Sleep for a while to start TKS
++ shell: sleep 3s
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml
+new file mode 100644
+index 0000000..5aa1021
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml
+@@ -0,0 +1,24 @@
++- name: Install TPS master
++ shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg
++
++- name : Stopping TPS Subsystem
++ shell: echo "Stopping Subsystem for enabling Audit logging"
++ notify:
++ - STOPTPS
++ - INC_CONSTANTS
++
++- meta: flush_handlers
++
++- name: Enable SignedAudit
++ replace: dest=/etc/pki/{{ topology }}-TPS/tps/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
++
++- name: Enable OCSP for TPS
++ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
++
++- name: Pointing TPS to correct OCSP port
++ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
++
++- name: Importing OCSP certificate in tps nssdb
++ shell: certutil -A -d /etc/pki/{{ topology }}-TPS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt
++ notify:
++ - STARTTPS
+\ No newline at end of file
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml
+new file mode 100644
+index 0000000..2aa432b
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml
+@@ -0,0 +1,19 @@
++---
++- include: configure_common.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_ldap.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_shared.yml
++ when: topology == "topology-01"
++- include: configure_ca.yml
++ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_ocsp.yml
++ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_kra.yml
++ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_tks.yml
++ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
++- include: configure_tps.yml
++ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
++- include: configure_sharedsecret.yml
++ when: topology == "topology-02" or topology == "topology-04" or topology == "topology-05"
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py
+new file mode 100644
+index 0000000..ccb19b6
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py
+@@ -0,0 +1,52 @@
++#common to all subsystems
++CLIENT_PKCS12_PASSWORD = 'Secret123'
++CLIENT_DIR_PASSWORD = 'Secret123'
++BACKUP_PASSWORD = 'Secret123'
++CLIENT_DATABASE_PASSWORD = 'Secret123'
++#CA Instance
++CA_HTTPS_PORT = '20443'
++CA_HTTP_PORT = '20080'
++CA_AJP_PORT = '20009'
++CA_TOMCAT_PORT = '20005'
++CA_CLIENT_DIR = '/opt/topology-CA'
++CA_INSTANCE_NAME = 'topology-CA'
++SECURITY_DOMAIN_PASSWORD = 'Secret123'
++CA_PASSWORD = 'Secret123'
++CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
++CA_ADMIN_USERNAME = 'caadmin'
++CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
++#KRA Instance
++KRA_INSTANCE_NAME = 'topology-KRA'
++KRA_HTTPS_PORT = 21443
++KRA_HTTP_PORT = 21080
++KRA_AJP_PORT = 21009
++KRA_TOMCAT_PORT = 21005
++KRA_PASSWORD = 'Secret123'
++KRA_CLIENT_DIR = '/opt/topology-KRA'
++KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
++#OCSP Instance
++OCSP_INSTANCE_NAME = 'topology-OCSP'
++OCSP_HTTPS_PORT = 22443
++OCSP_HTTP_PORT = 22080
++OCSP_AJP_PORT = 22009
++OCSP_TOMCAT_PORT = 22005
++OCSP_PASSWORD = 'Secret123'
++OCSP_CLIENT_DIR = '/opt/topology-OCSP'
++OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
++#TKS Instance
++TKS_INSTANCE_NAME = 'topology-TKS'
++TKS_HTTPS_PORT = 23443
++TKS_HTTP_PORT = 23080
++TKS_AJP_PORT = 23009
++TKS_TOMCAT_PORT = 23005
++TKS_PASSWORD = 'Secret123'
++TKS_CLIENT_DIR = '/opt/topology-TKS'
++#TPS instance
++TPS_INSTANCE_NAME = 'topology-TPS'
++TPS_HTTPS_PORT = '25443'
++TPS_HTTP_PORT = '25080'
++TPS_AJP_PORT = '25009'
++TPS_TOMCAT_PORT = '25005'
++TPS_PASSWORD = 'Secret123'
++TPS_CLIENT_DIR = '/opt/topology-TPS'
++TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg
+new file mode 100644
+index 0000000..e286927
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg
+@@ -0,0 +1,38 @@
++[DEFAULT]
++pki_instance_name = topology-CA
++pki_https_port = capki_https_port
++pki_http_port = capki_http_port
++pki_token_password = Secret123
++pki_admin_password = Secret123
++pki_hostname = SERVERNAME
++pki_security_domain_name = topology_Foobarmaster.org
++pki_security_domain_password = Secret123
++pki_client_dir = /opt/topology-CA
++pki_client_pkcs12_password = Secret123
++pki_backup_keys = True
++pki_backup_password = Secret123
++pki_ds_password = Secret123
++pki_ds_ldap_port = ldapServerPort
++pki_ssl_server_key_algorithm=SHA512withRSA
++pki_ssl_server_key_size=2048
++pki_ssl_server_key_type=rsa
++pki_subsystem_key_algorithm=SHA512withRSA
++pki_subsystem_key_size=2048
++pki_subsystem_key_type=rsa
++
++[Tomcat]
++pki_ajp_port = capki_ajp_port
++pki_tomcat_server_port = capki_tomcat_port
++
++[CA]
++pki_import_admin_cert = False
++pki_ds_hostname = SERVERNAME
++pki_admin_nickname = PKI CA Administrator for Example.Org
++pki_ca_signing_key_algorithm=SHA512withRSA
++pki_ca_signing_key_size=2048
++pki_ca_signing_key_type=rsa
++pki_ca_signing_signing_algorithm=SHA512withRSA
++pki_ocsp_signing_key_algorithm=SHA512withRSA
++pki_ocsp_signing_key_size=2048
++pki_ocsp_signing_key_type=rsa
++pki_ocsp_signing_signing_algorithm=SHA512withRSA
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py
+new file mode 100644
+index 0000000..8df625c
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py
+@@ -0,0 +1,67 @@
++#common to all subsystems
++CLIENT_PKCS12_PASSWORD = 'Secret123'
++CLIENT_DIR_PASSWORD = 'Secret123'
++BACKUP_PASSWORD = 'Secret123'
++CLIENT_DATABASE_PASSWORD = 'Secret123'
++#CA Instance
++CA_HTTPS_PORT = 'capki_https_port'
++CA_HTTP_PORT = 'capki_http_port'
++CA_AJP_PORT = 'capki_ajp_port'
++CA_TOMCAT_PORT = 'capki_tomcat_port'
++CA_CLIENT_DIR = '/opt/topology-CA'
++CA_INSTANCE_NAME = 'topology-CA'
++SECURITY_DOMAIN_PASSWORD = 'Secret123'
++CA_PASSWORD = 'Secret123'
++CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
++CA_ADMIN_USERNAME = 'caadmin'
++CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
++#KRA Instance
++KRA_INSTANCE_NAME = 'topology-KRA'
++KRA_HTTPS_PORT = 'krapki_https_port'
++KRA_HTTP_PORT = 'krapki_http_port'
++KRA_AJP_PORT = 'krapki_ajp_port'
++KRA_TOMCAT_PORT = 'krapki_tomcat_server_port'
++KRA_PASSWORD = 'Secret123'
++KRA_CLIENT_DIR = '/opt/topology-KRA'
++KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
++#OCSP Instance
++OCSP_INSTANCE_NAME = 'topology-OCSP'
++OCSP_HTTPS_PORT = 'ocsppki_https_port'
++OCSP_HTTP_PORT = 'ocsppki_http_port'
++OCSP_AJP_PORT = 'ocsppki_ajp_port'
++OCSP_TOMCAT_PORT = 'ocsppki_tomcat_server_port'
++OCSP_PASSWORD = 'Secret123'
++OCSP_CLIENT_DIR = '/opt/topology-OCSP'
++OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
++#TKS Instance
++TKS_INSTANCE_NAME = 'topology-TKS'
++TKS_HTTPS_PORT = 'tkspki_https_port'
++TKS_HTTP_PORT = 'tkspki_http_port'
++TKS_AJP_PORT = 'tkspki_ajp_port'
++TKS_TOMCAT_PORT = 'tkspki_tomcat_server_port'
++TKS_PASSWORD = 'Secret123'
++TKS_CLIENT_DIR = '/opt/topology-TKS'
++TKS_ADMIN_NICK = 'PKI TKS Administrator for Example.Org'
++#TPS instance
++TPS_INSTANCE_NAME = 'topology-TPS'
++TPS_HTTPS_PORT = 'tpspki_https_port'
++TPS_HTTP_PORT = 'tpspki_http_port'
++TPS_AJP_PORT = 'tpspki_ajp_port'
++TPS_TOMCAT_PORT = 'tpspki_tomcat_server_port'
++TPS_PASSWORD = 'Secret123'
++TPS_CLIENT_DIR = '/opt/topology-TPS'
++TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
++#LDAP Details
++LDAP_PORT = 'ldapServerPort'
++LDAP_BIND_DN = 'cn=Directory Manager'
++LDAP_PASSWD = 'Secret123'
++LDAP_BASE_DN = 'dc=example,dc=org'
++LDAP_KRA_PORT = 'ldapkraServerPort'
++LDAP_OCSP_PORT = 'ldapocspServerPort'
++LDAP_TKS_PORT = 'ldaptksServerPort'
++LDAP_TPS_PORT = 'ldaptpsServerPort'
++LDAP_USER = 'foobar'
++LDAP_USER_ENROLL = 'testuser'
++CUID = '40906145C76224192D2B'
++CUID_01 = '40906145C76224192D11'
++TPS_OPERATION = 'ra_enroll'
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg
+new file mode 100644
+index 0000000..fd46b09
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg
+@@ -0,0 +1,42 @@
++[DEFAULT]
++pki_instance_name = topology-KRA
++pki_https_port = krapki_https_port
++pki_http_port = krapki_http_port
++pki_token_password = Secret123
++pki_admin_password = Secret123
++pki_hostname = SERVERNAME
++pki_security_domain_hostname = SERVERNAME
++pki_security_domain_https_port = secure_domain_port
++pki_security_domain_name = topology_Foobarmaster.org
++pki_security_domain_password = Secret123
++pki_client_dir = /opt/topology-KRA
++pki_client_pkcs12_password = Secret123
++pki_backup_keys = True
++pki_backup_password = Secret123
++pki_ds_password = Secret123
++pki_ds_ldap_port = ldapServerPort
++pki_client_database_password = Secret123
++pki_ssl_server_key_algorithm=SHA512withRSA
++pki_ssl_server_key_size=2048
++pki_ssl_server_key_type=rsa
++pki_subsystem_key_algorithm=SHA512withRSA
++pki_subsystem_key_size=2048
++pki_subsystem_key_type=rsa
++
++[Tomcat]
++pki_ajp_port = krapki_ajp_port
++pki_tomcat_server_port = krapki_tomcat_server_port
++
++[KRA]
++pki_import_admin_cert = False
++pki_ds_hostname = SERVERNAME
++pki_admin_nickname = PKI KRA Administrator for Example.Org
++pki_storage_key_algorithm=SHA512withRSA
++pki_storage_key_size=2048
++pki_storage_key_type=rsa
++pki_storage_signing_algorithm=SHA512withRSA
++pki_transport_key_algorithm=SHA512withRSA
++pki_transport_key_size=2048
++pki_transport_key_type=rsa
++pki_transport_signing_algorithm=SHA512withRSA
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg
+new file mode 100644
+index 0000000..820efec
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg
+@@ -0,0 +1,12 @@
++[General]
++FullMachineName = SERVERNAME
++SuiteSpotUserID = nobody
++SuiteSpotGroup = nobody
++ConfigDirectoryAdminID = admin
++
++[slapd]
++ServerIdentifier = topology-testingmaster
++ServerPort = ldapServerPort
++Suffix = dc=example,dc=org
++RootDN = CN=Directory Manager
++RootDNPwd = Secret123
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg
+new file mode 100644
+index 0000000..e553c32
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg
+@@ -0,0 +1,36 @@
++[DEFAULT]
++pki_instance_name = topology-OCSP
++pki_https_port = ocsppki_https_port
++pki_http_port = ocsppki_http_port
++pki_token_password = Secret123
++pki_admin_password = Secret123
++pki_hostname = SERVERNAME
++pki_security_domain_name = topology_Foobarmaster.org
++pki_security_domain_password = Secret123
++pki_security_domain_https_port = secure_domain_port
++pki_client_dir = /opt/topology-OCSP
++pki_client_pkcs12_password = Secret123
++pki_backup_keys = True
++pki_backup_password = Secret123
++pki_ds_password = Secret123
++pki_ds_ldap_port = ldapServerPort
++pki_client_database_password = Secret123
++pki_ssl_server_key_algorithm=SHA512withRSA
++pki_ssl_server_key_size=2048
++pki_ssl_server_key_type=rsa
++pki_subsystem_key_algorithm=SHA512withRSA
++pki_subsystem_key_size=2048
++pki_subsystem_key_type=rsa
++
++[Tomcat]
++pki_ajp_port = ocsppki_ajp_port
++pki_tomcat_server_port = ocsppki_tomcat_server_port
++
++[OCSP]
++pki_import_admin_cert = False
++pki_ds_hostname = SERVERNAME
++pki_admin_nickname= PKI OCSP Administrator for Example.Org
++pki_ocsp_signing_key_algorithm=SHA512withRSA
++pki_ocsp_signing_key_size=2048
++pki_ocsp_signing_key_type=rsa
++pki_ocsp_signing_signing_algorithm=SHA512withRSA
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script
+new file mode 100755
+index 0000000..c98e4ae
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script
+@@ -0,0 +1,79 @@
++#!/bin/sh
++#Generate Noise using Openssl
++echo "Defining variables "
++tks_password="/tmp/tkspassword.txt"
++tps_password="/tmp/tpspassword.txt"
++tks_alias="/var/lib/pki/$1-TKS/alias"
++tps_alias="/var/lib/pki/$1-TPS/alias"
++tks_noise="/tmp/tks_noise"
++tks_shared_secret="sharedSecret"
++tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg"
++tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg"
++tps_input_file="/tmp/tps-input.txt"
++tks_secret_output="/tmp/secret"
++tks_input_file="/tmp/tks-input.txt"
++tks_input="proceed\r\n"
++tks_secret_output="/tmp/sharedSecret.out"
++tps_key_import_status="/tmp/sharedSecretImport.out"
++echo "proceed\r\n" > $tks_input_file
++echo "Generate Noise using OpenSSL"
++openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise
++cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password
++cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password
++
++echo "Stopping TKS & TPS instance"
++systemctl stop pki-tomcatd@$1-TKS.service
++systemctl stop pki-tomcatd@$1-TPS.service
++echo "Generating shared secret"
++/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password
++/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file
++/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out
++grep "$tks_shared_secret" /tmp/sharedSecretList1.out
++first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:")
++first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://')
++first_session_key=$(echo ${first_session_tmp2%% })
++first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:")
++first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://')
++first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% })
++
++second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:")
++second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://')
++second_session_key=$(echo ${second_session_tmp2%% })
++second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:")
++second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://')
++second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% })
++
++third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:")
++third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://')
++third_session_key=$(echo ${third_session_tmp2%% })
++third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:")
++third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://')
++third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% })
++
++sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf
++sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf
++echo "Restart $1-TKS instance"
++systemctl restart pki-tomcatd@$1-TKS.service
++echo "proceed\r\n" > $tps_input_file
++echo "$first_session_key\r\n" >> $tps_input_file
++echo "\r\n" >> $tps_input_file
++echo "$first_session_KCV_key\r\n" >> $tps_input_file
++echo "proceed\r\n" >> $tps_input_file
++echo "proceed\r\n" >> $tps_input_file
++echo "$second_session_key\r\n" >> $tps_input_file
++echo "\r\n" >> $tps_input_file
++echo "$second_session_KCV_key\r\n" >> $tps_input_file
++echo "proceed\r\n" >> $tps_input_file
++echo "proceed\r\n" >> $tps_input_file
++echo "$third_session_key\r\n" >> $tps_input_file
++echo "\r\n" >> $tps_input_file
++echo "$third_session_KCV_key\r\n" >> $tps_input_file
++echo "proceed\r\n" >> $tps_input_file
++
++/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status
++/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out
++grep "$tks_shared_secret" /tmp/sharedSecretList2.out
++sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
++sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
++echo "Restart $1-TPS instance"
++systemctl restart pki-tomcatd@$1-TPS.service
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg
+new file mode 100644
+index 0000000..479bbbf
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg
+@@ -0,0 +1,26 @@
++[DEFAULT]
++pki_instance_name = topology-TKS
++pki_https_port = tkspki_https_port
++pki_http_port = tkspki_http_port
++pki_token_password = Secret123
++pki_admin_password = Secret123
++pki_hostname = SERVERNAME
++pki_security_domain_name = topology_Foobarmaster.org
++pki_security_domain_password = Secret123
++pki_security_domain_https_port = secure_domain_port
++pki_client_dir = /opt/topology-TKS
++pki_client_pkcs12_password = Secret123
++pki_backup_keys = True
++pki_backup_password = Secret123
++pki_ds_password = Secret123
++pki_ds_ldap_port = ldapServerPort
++pki_client_database_password = Secret123
++
++[Tomcat]
++pki_ajp_port = tkspki_ajp_port
++pki_tomcat_server_port = tkspki_tomcat_server_port
++
++[TKS]
++pki_import_admin_cert = False
++pki_ds_hostname = SERVERNAME
++pki_admin_nickname= PKI TKS Administrator for Example.Org
+diff --git
a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg
+new file mode 100644
+index 0000000..b878abc
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg
+@@ -0,0 +1,34 @@
++[DEFAULT]
++pki_instance_name = topology-TPS
++pki_https_port = tpspki_https_port
++pki_http_port = tpspki_http_port
++pki_token_password = Secret123
++pki_admin_password = Secret123
++pki_hostname = SERVERNAME
++pki_security_domain_hostname = SERVERNAME
++pki_security_domain_https_port = secure_domain_port
++pki_security_domain_name = topology_Foobarmaster.org
++pki_security_domain_password = Secret123
++pki_client_dir = /opt/topology-TPS
++pki_client_pkcs12_password = Secret123
++pki_backup_keys = True
++pki_backup_password = Secret123
++pki_ds_password = Secret123
++pki_ds_ldap_port = ldapServerPort
++pki_client_database_password = Secret123
++
++[Tomcat]
++pki_ajp_port = tpspki_ajp_port
++pki_tomcat_server_port = tpspki_tomcat_server_port
++
++[TPS]
++pki_import_admin_cert = False
++pki_ds_hostname = SERVERNAME
++pki_authdb_basedn = ou=People,dc=example,dc=org
++pki_authdb_hostname=SERVERNAME
++pki_authdb_port=3389
++pki_ca_uri=https://SERVERNAME:capki_https_port
++pki_tks_uri=https://SERVERNAME:tkspki_https_port
++pki_kra_uri=https://SERVERNAME:krapki_https_port
++pki_admin_nickname=PKI TPS Administrator for Example.Org
++pki_enable_server_side_keygen=True
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml
+new file mode 100644
+index 0000000..67c112b
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml
+@@ -0,0 +1,25 @@
++
++- name: Replace CA specific changes
++ replace: dest={{item}} regexp="capki_https_port" replace={{capki_https_port}}
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace http port for CA.
++ replace: dest={{item}} regexp="capki_http_port" replace={{capki_http_port}}
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace ajp port for CA
++ replace: dest={{item}} regexp="capki_ajp_port" replace={{capki_ajp_port}}
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for CA
++ replace: dest={{item}} regexp="capki_tomcat_port" replace={{capki_tomcat_port}}
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/constants.py
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml
+new file mode 100644
+index 0000000..4bb8bc4
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml
+@@ -0,0 +1,146 @@
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap_shared.yml"
++ - "{{ playbook_dir }}/vars/ca_shared.yml"
++ when: topology == "topology-01"
++
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap.yml"
++ - "{{ playbook_dir }}/vars/ca.yml"
++ - "{{ playbook_dir }}/vars/kra.yml"
++ - "{{ playbook_dir }}/vars/ocsp.yml"
++ - "{{ playbook_dir }}/vars/tks.yml"
++ - "{{ playbook_dir }}/vars/tps.yml"
++ when: topology == "topology-02"
++
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap.yml"
++ - "{{ playbook_dir }}/vars/ca.yml"
++ - "{{ playbook_dir }}/vars/kra.yml"
++ - "{{ playbook_dir }}/vars/ocsp.yml"
++ when: topology == "topology-03"
++
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap.yml"
++ - "{{ playbook_dir }}/vars/ca.yml"
++ - "{{ playbook_dir }}/vars/kra.yml"
++ - "{{ playbook_dir }}/vars/tks.yml"
++ - "{{ playbook_dir }}/vars/tps.yml"
++ when: topology == "topology-04"
++
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap.yml"
++ - "{{ playbook_dir }}/vars/ca.yml"
++ - "{{ playbook_dir }}/vars/kra.yml"
++ - "{{ playbook_dir }}/vars/ocsp.yml"
++ - "{{ playbook_dir }}/vars/tks.yml"
++ - "{{ playbook_dir }}/vars/tps.yml"
++ when: topology == "topology-05"
++
++- name: Pick constants based on {{topology}}
++ include_vars: "{{ item }}"
++ with_items:
++ - "{{ playbook_dir }}/vars/ldap.yml"
++ - "{{ playbook_dir }}/vars/ca.yml"
++ - "{{ playbook_dir }}/vars/kra.yml"
++ - "{{ playbook_dir }}/vars/ocsp.yml"
++ - "{{ playbook_dir }}/vars/tks.yml"
++ - "{{ playbook_dir }}/vars/tps.yml"
++ when: topology == "topology-ecc"
++
++- name: Creates directory
++ file: path=/tmp/test_files state=directory
++
++- name: Copying templates to /tmp folder
++ copy : src=test/ dest=/tmp/test_dir
++ tags: platform-ci
++
++- name: Replace Ldap server port in all configuration files
++ replace: dest={{item}} regexp="ldapServerPort" replace={{ldapServerPort}}
++ with_items:
++ - /tmp/test_dir/ldap.cfg
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/tks.cfg
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace topology in use in all configuration files
++ replace: dest={{item}} regexp="topology" replace={{topology}}
++ with_items:
++ - /tmp/test_dir/ldap.cfg
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/tks.cfg
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Substitute ecc with rsa when topology=topology-ecc
++ replace: dest={{item}} regexp="SHA512withRSA" replace="SHA384withEC"
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ when:
++ - topology == "topology-ecc"
++
++- name : Substitute ecc with rsa when topology=topology-ecc
++ replace: dest={{item}} regexp="rsa" replace="ecc"
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ when:
++ - topology == "topology-ecc"
++
++- name : Substitute ecc with rsa when topology=topology-ecc
++ replace: dest={{item}} regexp="2048" replace="nistp384"
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ when:
++ - topology == "topology-ecc"
++
++- name : For topology-01
++ replace: dest={{item}} regexp="pki_instance_name" replace="#pki_instance_name"
++ with_items:
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/tks.cfg
++ - /tmp/test_dir/tps.cfg
++ when:
++ - topology == "topology-01"
++
++
++- name: Replace ServerName in all configuration files.
++ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
++ with_items:
++ - /tmp/test_dir/ldap.cfg
++ - /tmp/test_dir/ca.cfg
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/tks.cfg
++ - /tmp/test_dir/tps.cfg
++
++- name: Replace ServerName in all configuration files.
++ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
++ with_items:
++ - /tmp/test_dir/ldap_kra.cfg
++ - /tmp/test_dir/ldap_ocsp.cfg
++ - /tmp/test_dir/ldap_tks.cfg
++ - /tmp/test_dir/ldap_tps.cfg
++ when: topology == "topology-05"
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml
+new file mode 100644
+index 0000000..e0edeea
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml
+@@ -0,0 +1,27 @@
++- name: Replace KRA specific changes
++ replace: dest={{item}} regexp="krapki_https_port" replace={{krapki_https_port}}
++ with_items:
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace http port for KRA.
++ replace: dest={{item}} regexp="krapki_http_port" replace={{krapki_http_port}}
++ with_items:
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace ajp port for KRA
++ replace: dest={{item}} regexp="krapki_ajp_port" replace={{krapki_ajp_port}}
++ with_items:
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for KRA
++ replace: dest={{item}} regexp="krapki_tomcat_server_port" replace={{krapki_tomcat_server_port}}
++ with_items:
++ - /tmp/test_dir/kra.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for KRA
++ replace: dest=/tmp/test_dir/kra.cfg regexp="secure_domain_port" replace={{capki_https_port}}
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml
+new file mode 100644
+index 0000000..f9af68c
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml
+@@ -0,0 +1,47 @@
++- name : Create different ldap files for ca,kra,ocsp,tks and tps.
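Review bot: In configure_common.yml the three tasks named `Substitute ecc with rsa when topology=topology-ecc` do the opposite (RSA to EC), and their patterns `regexp="rsa"` and `regexp="2048"` are unanchored substrings applied to the whole of ca.cfg, kra.cfg and ocsp.cfg, so any other occurrence of those strings is rewritten too; anchor them to the settings they target, e.g. `regexp="_key_type=rsa" replace="_key_type=ecc"` and `regexp="_key_size=2048" replace="_key_size=nistp384"`, and correct the task names. The same applies to `regexp="topology"` in the `Replace topology in use` task, which also rewrites `topology_Foobarmaster.org` and the `topology-testingmaster` ServerIdentifier; if that is intended, say so in the task name. The two `Replace ServerName` tasks hard-code `pki1.example.com` while every template uses the `SERVERNAME` placeholder, so the role only works on that one host; `{{ ansible_fqdn }}` or an inventory variable would keep it reusable.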
++ shell : for i in kra ocsp tks tps ;do cp /tmp/test_dir/ldap.cfg /tmp/test_dir/ldap_$i.cfg ; sed -i "s/testingmaster/$i-testingmaster/" /tmp/test_dir/ldap_$i.cfg; done
++ when: topology == "topology-05"
++
++- name : Conditional check before replacing values in ldap.cfg file.
++ replace: dest={{item}} regexp="3389" replace={{ldapkraServerPort}}
++ with_items:
++ - /tmp/test_dir/ldap_kra.cfg
++ - /tmp/test_dir/kra.cfg
++ when: topology == "topology-05"
++
++- name : Conditional check before replacing values in ldap.cfg file.
++ replace: dest={{item}} regexp="3389" replace={{ldapocspServerPort}}
++ with_items:
++ - /tmp/test_dir/ldap_ocsp.cfg
++ - /tmp/test_dir/ocsp.cfg
++ when: topology == "topology-05"
++
++- name : Conditional check before replacing values in ldap.cfg file.
++ replace: dest={{item}} regexp="3389" replace={{ldaptksServerPort}}
++ with_items:
++ - /tmp/test_dir/ldap_tks.cfg
++ - /tmp/test_dir/tks.cfg
++ when: topology == "topology-05"
++
++- name : Conditional check before replacing values in ldap.cfg file.
++ replace: dest={{item}} regexp="3389" replace={{ldaptpsServerPort}}
++ with_items:
++ - /tmp/test_dir/ldap_tps.cfg
++ - /tmp/test_dir/tps.cfg
++ when: topology == "topology-05"
++
++- name: Replace Ldap server port in all configuration files
++ replace: dest=/tmp/test_dir/constants.py regexp="ldapkraServerPort" replace={{ldapkraServerPort}}
++ when: topology == "topology-05"
++
++- name: Replace Ldap server port in all configuration files
++ replace: dest=/tmp/test_dir/constants.py regexp="ldapocspServerPort" replace={{ldapocspServerPort}}
++ when: topology == "topology-05"
++
++- name: Replace Ldap server port in all configuration files
++ replace: dest=/tmp/test_dir/constants.py regexp="ldaptksServerPort" replace={{ldaptksServerPort}}
++ when: topology == "topology-05"
++
++- name: Replace Ldap server port in all configuration files
++ replace: dest=/tmp/test_dir/constants.py regexp="ldaptpsServerPort" replace={{ldaptpsServerPort}}
++ when: topology == "topology-05"
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml
+new file mode 100644
+index 0000000..dea8645
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml
+@@ -0,0 +1,27 @@
++- name: Replace OCSP specific changes
++ replace: dest={{item}} regexp="ocsppki_https_port" replace={{ocsppki_https_port}}
++ with_items:
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace http port for OCSP.
++ replace: dest={{item}} regexp="ocsppki_http_port" replace={{ocsppki_http_port}}
++ with_items:
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace ajp port for OCSP
++ replace: dest={{item}} regexp="ocsppki_ajp_port" replace={{ocsppki_ajp_port}}
++ with_items:
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for OCSP
++ replace: dest={{item}} regexp="ocsppki_tomcat_server_port" replace={{ocsppki_tomcat_server_port}}
++ with_items:
++ - /tmp/test_dir/ocsp.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for OCSP
++ replace: dest=/tmp/test_dir/ocsp.cfg regexp="secure_domain_port" replace={{capki_https_port}}
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml
+new file mode 100644
+index 0000000..9cd2bc7
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml
+@@ -0,0 +1,27 @@
++- name: Replace TKS specific changes
++ replace: dest={{item}} regexp="tkspki_https_port" replace={{tkspki_https_port}}
++ with_items:
++ - /tmp/test_dir/tks.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace http port for TKS.
++ replace: dest={{item}} regexp="tkspki_http_port" replace={{tkspki_http_port}} ++ with_items: ++ - /tmp/test_dir/tks.cfg ++ - /tmp/test_dir/constants.py ++ ++- name: Replace ajp port for TKS ++ replace: dest={{item}} regexp="tkspki_ajp_port" replace={{tkspki_ajp_port}} ++ with_items: ++ - /tmp/test_dir/tks.cfg ++ - /tmp/test_dir/constants.py ++ ++- name : Replace tomcat port for TKS ++ replace: dest={{item}} regexp="tkspki_tomcat_server_port" replace={{tkspki_tomcat_server_port}} ++ with_items: ++ - /tmp/test_dir/tks.cfg ++ - /tmp/test_dir/constants.py ++ ++- name : Replace tomcat port for TKS ++ replace: dest=/tmp/test_dir/tks.cfg regexp="secure_domain_port" replace={{capki_https_port}} ++ +diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml +new file mode 100644 +index 0000000..69fe4c5 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml +@@ -0,0 +1,39 @@ ++- name: Replace TPS specific changes ++ replace: dest={{item}} regexp="tpspki_https_port" replace={{tpspki_https_port}} ++ with_items: ++ - /tmp/test_dir/tps.cfg ++ - /tmp/test_dir/constants.py ++ ++- name: Replace http port for TPS. 
++ replace: dest={{item}} regexp="tpspki_http_port" replace={{tpspki_http_port}}
++ with_items:
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name: Replace ajp port for TPS
++ replace: dest={{item}} regexp="tpspki_ajp_port" replace={{tpspki_ajp_port}}
++ with_items:
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for TPS
++ replace: dest={{item}} regexp="tpspki_tomcat_server_port" replace={{tpspki_tomcat_server_port}}
++ with_items:
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace tomcat port for TPS
++ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
++ with_items:
++ - /tmp/test_dir/tps.cfg
++ - /tmp/test_dir/constants.py
++
++- name : Replace ca uri for TPS
++ replace: dest=/tmp/test_dir/tps.cfg regexp="capki_https_port" replace={{capki_https_port}}
++
++- name : Replace kra uri for TPS
++ replace: dest=/tmp/test_dir/tps.cfg regexp="krapki_https_port" replace={{krapki_https_port}}
++
++- name : Replace tks uri for TPS
++ replace: dest=/tmp/test_dir/tps.cfg regexp="tkspki_https_port" replace={{tkspki_https_port}}
++
+diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml
+new file mode 100644
+index 0000000..17e0ecc
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml
+@@ -0,0 +1,15 @@
++---
++- include: configure_common.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_ca.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_ldap.yml
++ when: topology == "topology-05"
++- include: configure_kra.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_ocsp.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc"
++- include: configure_tks.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
++- include: configure_tps.yml
++ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/ca.yml b/tests/dogtag/pytest-ansible/installation/vars/ca.yml
+new file mode 100644
+index 0000000..6768f66
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/ca.yml
+@@ -0,0 +1,4 @@
++capki_https_port: '20443'
++capki_http_port: '20080'
++capki_ajp_port: '20009'
++capki_tomcat_port: '20005'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml b/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml
+new file mode 100644
+index 0000000..83aa43e
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml
+@@ -0,0 +1,24 @@
++capki_https_port: '8443'
++capki_http_port: '8080'
++capki_ajp_port: '8009'
++capki_tomcat_port: '8005'
++capki_https_port: '8443'
++capki_http_port: '8080'
++capki_ajp_port: '8009'
++capki_tomcat_port: '8005'
++krapki_https_port: '8443'
++krapki_http_port: '8080'
++krapki_ajp_port: '8009'
++krapki_tomcat_server_port: '8005'
++ocsppki_https_port: '8443'
++ocsppki_http_port: '8080'
++ocsppki_ajp_port: '8009'
++ocsppki_tomcat_server_port: '8005'
++tkspki_https_port: '8443'
++tkspki_http_port: '8080'
++tkspki_ajp_port: '8009'
++tkspki_tomcat_server_port: '8005'
++tpspki_https_port: '8443'
++tpspki_http_port: '8080'
++tpspki_ajp_port: '8009'
++tpspki_tomcat_server_port: '8005'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/kra.yml b/tests/dogtag/pytest-ansible/installation/vars/kra.yml
+new file mode 100644
+index 0000000..2d45fab
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/kra.yml
+@@ -0,0 +1,4 @@
++krapki_https_port: '21443'
++krapki_http_port: '21080'
++krapki_ajp_port: '21009'
++krapki_tomcat_server_port: '21005'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/ldap.yml b/tests/dogtag/pytest-ansible/installation/vars/ldap.yml
+new file mode 100644
+index 0000000..401c4a7
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/ldap.yml
+@@ -0,0 +1,8 @@
++ldapServerPort: '3389'
++ldapRootDN: CN=Directory Manager
++ldapRootDNPwd: Secret123
++ldapcaServerPort: '4389'
++ldapkraServerPort: '5389'
++ldapocspServerPort: '6389'
++ldaptksServerPort: '7389'
++ldaptpsServerPort: '8389'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml b/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml
+new file mode 100644
+index 0000000..0e1d7e6
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml
+@@ -0,0 +1,3 @@
++ldapServerPort: '2389'
++ldapRootDN: CN=Directory Manager
++ldapRootDNPwd: Secret123
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml b/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml
+new file mode 100644
+index 0000000..497ebb8
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml
+@@ -0,0 +1,4 @@
++ocsppki_https_port: '22443'
++ocsppki_http_port: '22080'
++ocsppki_ajp_port: '22009'
++ocsppki_tomcat_server_port: '22005'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/tks.yml b/tests/dogtag/pytest-ansible/installation/vars/tks.yml
+new file mode 100644
+index 0000000..3f402a4
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/tks.yml
+@@ -0,0 +1,4 @@
++tkspki_https_port: '23443'
++tkspki_http_port: '23080'
++tkspki_ajp_port: '23009'
++tkspki_tomcat_server_port: '23005'
+diff --git a/tests/dogtag/pytest-ansible/installation/vars/tps.yml b/tests/dogtag/pytest-ansible/installation/vars/tps.yml
+new file mode 100644
+index 0000000..92534c2
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/installation/vars/tps.yml
+@@ -0,0 +1,4 @@
++tpspki_https_port: '25443'
++tpspki_http_port: '25080'
++tpspki_ajp_port: '25009'
++tpspki_tomcat_server_port: '25005'
+diff --git a/tests/dogtag/pytest-ansible/provision/readme.txt b/tests/dogtag/pytest-ansible/provision/readme.txt
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/dogtag/pytest-ansible/pytest/README.md b/tests/dogtag/pytest-ansible/pytest/README.md
+new file mode 100644
+index 0000000..24c3f66
+--- /dev/null
++++ b/tests/dogtag/pytest-ansible/pytest/README.md
+@@ -0,0 +1,313 @@
++# Pytest-ansible for Dogtag Tests
++
++## Note
++Recommended version to install ansible version 2.3.x.
++Integration testing with other versions like pytest-ansible 2.4.0 are still in-progress.
++
++## Installing pip
++
++[pip] (https://pip.pypa.io/en/stable/installing/) is needed for ansible & pytest installation.
++
++## Description about pytest-ansible & pytest-ansible-playbook
++
++This repository contains a plugin for py.test which adds several fixtures for running ansible modules, or inspecting ansible_facts. While one can simply call out to ansible using the subprocess module, having to parse stdout to determine the outcome of the operation is unpleasant and prone to error. With pytest-ansible, modules return JSON data which you can inspect and act on, much like with an ansible playbook.
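Review bot: The `when:` guards in main.yml repeat the same six-way `or` chain on almost every include, which makes it easy to drop a topology from one line and not the others; the ocsp include omits topology-04 and the tks/tps includes omit topology-ecc, presumably on purpose, but nothing marks that as intentional. A membership test states the intent directly and keeps the lines short, e.g. `when: topology in ['topology-01', 'topology-02', 'topology-03', 'topology-04', 'topology-05', 'topology-ecc']`, and the deliberately narrower lists would then stand out on review. If the same set is used by several includes, a single role var holding the list would remove the duplication entirely.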
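Review bot: ca_shared.yml defines `capki_https_port`, `capki_http_port`, `capki_ajp_port` and `capki_tomcat_port` twice (its first four lines and the next four are identical); YAML parsers keep the last value and some lint tools reject duplicate keys outright, so the second copy should be removed. The CA entry is also the only one keyed `capki_tomcat_port` while every other subsystem uses `*_tomcat_server_port` (ca.yml has the same split); if anything consumes these names generically, the CA value is the one that will be silently missed, so aligning the CA key with the others is worth a follow-up.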
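Review bot: ldap.yml and ldap_shared.yml commit the Directory Manager bind password in clear text (`ldapRootDNPwd: Secret123`), and the playbooks in this patch pass LDAP credentials as plain module arguments (ldapUserAdd.yml's `bind_pw`, for example), so such values also land in the run log whenever the suite is run with the `-vvv` the README recommends. Even for a throwaway test fixture it is cheaper to keep the secret out of the tree now: store it as an ansible-vault `!vault` value or read it at run time with `ldapRootDNPwd: "{{ lookup('env', 'LDAP_ROOT_PWD') }}"`, and mark the tasks that use it `no_log: true`. The duplication between the two files is a drift risk as well; one shared file with the credential and per-topology port overrides would avoid it.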
++See [pytest-ansible] (https://pypi.python.org/pypi/pytest-ansible) ++ ++### Installation ++ ++#### Installing ansible ++#### Installing pytest-ansible ++#### Installing pytest-ansible-playbook ++ ++Covered under [README] (../README.md#installing-supporting-packages) ++### Usage ++ ++Once installed, the following py.test command-line parameters are available: ++ ++``` ++ py.test \ ++ [--ansible-inventory ] \ ++ [--ansible-host-pattern ] \ ++ [--ansible-playbook-directory ] \ ++ [--ansible-playbook-inventory ] ++ [--ansible-connection ] \ ++ [--ansible-user ] \ ++ [--ansible-sudo] \ ++ [--ansible-sudo-user ] ++ ++``` ++ ++#### Mandatory command-line parameters: ++ ++``` ++ py.test \ ++ [--ansible-inventory ] \ ++ [--ansible-playbook-directory ] \ ++ [--ansible-playbook-inventory ] \ ++ [--ansible-host-pattern ] ++``` ++ ++### Available Fixtures with pytest-ansible ++ ++1. Fixture ansible_module ++ ++ The ansible_module fixture allows tests and fixtures to call ansible modules. See [ansible_module] (http://docs.ansible.com/ansible/2.3/modules.html) ++ ++2. Fixture ansible_facts ++ ++ The ansible_facts fixture returns a JSON structure representing the system facts for the associated inventory. Sample fact data is available in the [ansible documentation](http://docs.ansible.com/ansible/latest/playbooks_variables.html#information-discovered-from-systems-facts) ++ ++### Available Fixtures with pytest-ansible-playbook ++ ++1. Fixture ansible playbook ++ ++ The plugin provides a single pytest fixture called ansible_playbook. 
To specify playbooks to be executed by the fixture, use the following pytest markers: ++ ++``` ++ ++ @pytest.mark.ansible_playbook_setup('playbook.yml') ++ @pytest.mark.ansible_playbook_teardown('playbook.yml') ++ ++ @pytest.mark.ansible_playbook_setup('playbook.01.yml', 'playbook.02.yml') ++ ++``` ++ ++### Install pytest-autochecklog ++ ++In case you have plans to use logging that we get from `pytest-autochecklog`, get it using ++ ++``` ++pip install pytest-autochecklog ++``` ++ ++### Parameterizing with pytest.mark.ansible ++ ++Perhaps the --ansible-inventory= includes many systems, but you only wish to interact with a subset. The pytest.mark.ansible marker can be used to modify the pytest-ansible command-line parameters for a single test. ++ ++For example, to interact with the local system, you would adjust the host_pattern and connection parameters. ++ ++ ++``` ++@pytest.mark.ansible(host_pattern='local,', connection='local') ++class Test_Local(object): ++ def test_install(self, ansible_module): ++ '''do some testing''' ++ def test_template(self, ansible_module): ++ '''do some testing''' ++ def test_service(self, ansible_module): ++ '''do some testing''' ++``` ++It works with both class and function. ++ ++More on [Paramaterizing](https://docs.pytest.org/en/latest/example/parametrize.html) ++ ++### Exception Handling ++ ++Below is the example of exception handling.During runtime, if we wanted to change inventory file it can be done using `@pytest.mark.ansible(inventory='abc')`. 
++Here , if host mentioned in file "abc" is not reachable using ping it should raise exception `AnsibleHostUnreachable` ++ ++``` ++@pytest.mark.ansible(inventory='abc') ++def test_shutdown(ansible_module): ++ pytest.raises(pytest_ansible.plugin.AnsibleHostUnreachable, ansible_module.ping) ++``` ++ ++## About PKI Module ++ ++PKI module is an ansible module that can be called either from python code or from ansible-playbooks to run any pki client commands ++See [PKI Module](https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/) for latest modules and common packages. ++ ++PKI Module has few default values and those can be over-written by defining them during tests creation.This is same as any standard ansible modules. ++ ++### Getting PKI Module ++ ++PKI module can be installed with below procedure. Install latest rpm from [copr site] (https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/) ++ ++``` ++Example: ++ ++1. wget https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/ ++2. rpm -qlp idm-modules ++ - Make sure above command lists pki.py module ++3. rpm -ivh idm-modules ++ ++Make sure pki.py exist under PYTHONPATH/ansible/modules/identity/pki/pki.py ++``` ++ ++In case, it is difficult with above procedure, this can be done manually using ++ ++``` ++cp pki-pytest-ansible/raw/pytest-task/common-modules/pki.py PYTHONPATH/ansible/modules/identity/pki/pki.py ++``` ++ ++All the common modules are part of common-modules code. 
++ ++### Usage ++ ++`with python` ++ ++``` ++def test_pki(ansible_facts,ansible_module): ++ for (host, facts) in ansible_facts.items(): ++ contacted = ansible_module.pki( ++ cli='ca-cert-find', ++ hostname = host, ++ nssdb = '/root/nssdb', ++ certnick = "'PKI Administrator for example.com'" ++ ) ++ item=contacted.items() ++ print dict(item) ++ ++For Positive test case: ++---------------------- ++ ++@pytest.mark.positive ++def test_tpsToken_show_01(ansible_module, certnick, expected): ++ contacted = ansible_module.pki( ++ cli='ca-cert-find', ++ protocol='http', ++ certnick = certnick ++ ) ++ for result in contacted.values(): ++ for iter in expected: ++ assert iter in result['stdout'] ++ ++For Negative test case: ++----------------------- ++ ++@pytest.mark.negative ++def test_tpsToken_show_01(ansible_module, certnick, expected): ++ contacted = ansible_module.pki( ++ cli='ca-cert-find', ++ protocol='http', ++ certnick = certnick ++ ) ++ for result in contacted.values(): ++ for iter in expected: ++ assert iter in result['stderr'] ++ ++ ++``` ++ ++`with ansible-playbook` ++ ++``` ++ tasks: ++ ++ - name: Run pki module from ansible-playbook ++ pki: cli='ca-cert-show' port='9443' ++ ++Output ++ ++"cmd": "pki -d -P http -p 9443 -h localhost -c Secret123 -n 'PKI CA Administrator for Example.Org' ca-cert-show " ++ ++``` ++### Examples ++ ++See [Examples](tps-token/test_tps_token_show.py) ++ ++### Parametrizing your tests ++ ++This involves clubbing of tests which are similar in nature. ++ ++Example: All Positive tests whose output comes under stdout can be clubbed together. ++ ++Negative tests where output goes in stderr can be put together. ++ ++See [Parametrizing your tests](tps-token/test_tps_token_show.py) ++ ++### Advantages of parametrizing tests ++ ++1. Test cases are much shorter. ++2. Easy to run smoke, positive, negative cases using markers. ++3. Similar kind of test are clubbed together and avoid code duplication. ++4. Multiple asserts are implemented. ++5. 
Code is never touched.Just input and output is changed. ++ ++## Pre-requisite before running a pytest-ansible using pki module ++ ++Py.test assumes that your Subsystem installation is done using [ansible-playbooks](../installation/README.md) ++Tests look for ansible environment constants file for fetching port if not provided in pytest code. ++ ++ ++## Importing the CA cert to nssdb. Please run this command on the machine on which RHCS is setup ++ ++``` ++1. Create nssdb in . ++2. Import CA Admin Certificate into nssdb. ++pki -d -c Secret123 -h -p client-cert-import "RootCA" --ca-server ++pk12util -i -d -K Secret123 -W Secret123 ++``` ++ ++## Running a pytest-ansible test ++ ++``` ++py.test --ansible-inventory host --ansible-host-pattern master -q -s -vvv ++``` ++ ++where, ++ ++ --ansible-inventory, the inventory file from where hosts ip are picked. ++ --ansible-host-pattern, the host pattern on which tests needs to be run like master or clone ++ ++ ++## Running a combination of pytest-ansible and pytest-ansible-playbook ++ ++``` ++py.test --ansible-inventory host --ansible-host-pattern master --ansible-playbook-inventory host -q -s -vvv ++``` ++ ++ ++where, ++ ++ --ansible-inventory, the inventory file from where hosts ip are picked. ++ --ansible-host-pattern, the host pattern on which tests needs to be run. ++ --ansible-playbook-inventory, the inventory file used for running playbooks which are defined in form of fixtures to run. ++ ++Refer [Available Fixtures with pytest-ansible-playbook](README.md#available-fixtures-with-pytest-ansible-playbook) ++ ++## Examples of ansible-inventory and ansible-playbook-inventory ++ ++Inventory file consist of the roles and the ip-address.Tests will run for the roles and ip's that are mentioned. ++ ++``` ++[master] ++10.1.2.3 ++10.2.3.4 ++``` ++ ++## Troubleshooting Errors ++ ++To Debug any error, `Run py.test command with reporting option.` ++ ++``` ++reporting: ++ -v, --verbose increase verbosity. 
++ -q, --quiet decrease verbosity. ++ -r chars show extra test summary info as specified by chars ++ (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed, ++ (p)passed, (P)passed with output, (a)all except pP. ++ The pytest warnings are displayed at all times except ++ when --disable-pytest-warnings is set ++ --disable-pytest-warnings ++ disable warnings summary, overrides -r w flag ++ -l, --showlocals show locals in tracebacks (disabled by default). ++ --tb=style traceback print mode (auto/long/short/line/native/no). ++ --full-trace don't cut any tracebacks (default is to cut). ++ --color=color color terminal output (yes/no/auto). ++ --durations=N show N slowest setup/test durations (N=0 for all). ++ --pastebin=mode send failed|all info to bpaste.net pastebin service. ++ --junit-xml=path create junit-xml style report file at given path. ++ --junit-prefix=str prepend prefix to classnames in junit-xml output ++ --result-log=path DEPRECATED path for machine-readable result log. ++ --excel-report=path create excel report file at given path. ++``` ++ ++## Additional Packages ++ ++These are additional logging packages that could be used in future if logging improvement is needed. ++ ++- [Logging-1](https://pypi.python.org/pypi/pytest-logger). ++- [Logging-2](ttps://pypi.python.org/pypi/pytest-autochecklog). ++ ++ +diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml b/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml +new file mode 100644 +index 0000000..1648266 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml +@@ -0,0 +1,35 @@ ++- hosts: master ++ gather_facts: true ++ ++ tasks: ++ - name: Making constants.py file compatable for including as vars. 
++ shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml ++ ++ - name: Fetch the file ++ fetch: src=/tmp/test_dir/constants.yml dest=/tmp/test_dir flat=yes validate_checksum=no ++ ++ - name: Including variables from Environment ++ include_vars: ++ file: /tmp/test_dir/constants.yml ++ name: variable ++ ++ - name: Gather facts ++ set_fact: ++ var: "{{ inventory_hostname }}" ++ userPasswd: "{{ variable.LDAP_PASSWD }}" ++ ++ - name: Get rid of an old entry ++ ldap_entry: ++ dn: uid={{ variable.LDAP_USER }},ou=People,dc=example,dc=org ++ objectClass: ++ - top ++ - person ++ - inetOrgPerson ++ - organizationalRole ++ params: ++ cn: "{{ variable.LDAP_USER }}" ++ sn: "{{ variable.LDAP_USER }}" ++ userPassword: "{{ variable.LDAP_PASSWD }}" ++ server_uri: ldap://{{ inventory_hostname }}:{{ variable.LDAP_PORT }} ++ bind_dn: cn=Directory Manager ++ bind_pw: "{{ variable.LDAP_PASSWD }}" +diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py b/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py +new file mode 100644 +index 0000000..9c30b19 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py +@@ -0,0 +1,106 @@ ++""" ++# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++# ++# Description: PKI TPS-TOKEN-SHOW tests ++# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++# The following pki tps commands needs to be tested: ++# pki tps-token-show ++# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++# ++# Author: Geetika Kapoor ++# ++# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++# ++# Copyright (c) 2016 Red Hat, Inc. All rights reserved. ++# ++# This copyrighted material is made available to anyone wishing ++# to use, modify, copy, or redistribute it subject to the terms ++# and conditions of the GNU General Public License version 2. 
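Review bot: The last task in ldapUserAdd.yml is named `Get rid of an old entry` but it declares an `ldap_entry` with a full objectClass list and params and no `state`, which creates or ensures the entry rather than removing it; either rename it `Ensure test LDAP user exists` or add the missing `state: absent` task before it. That task and the `set_fact` above it carry `userPassword`, `bind_pw` and `userPasswd` as plain arguments, so they are printed in full at `-vvv`; add `no_log: true` to both. `userPasswd` is set but not read anywhere in this playbook, and `bind_pw` reuses `LDAP_PASSWD` for the Directory Manager bind — presumably the test image sets both to the same value, but a one-line comment saying so would save the next reader a trip to constants.py.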
++# ++# This program is distributed in the hope that it will be ++# useful, but WITHOUT ANY WARRANTY; without even the implied ++# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR ++# PURPOSE. See the GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public ++# License along with this program; if not, write to the Free ++# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++# Boston, MA 02110-1301, USA. ++""" ++ ++ ++import pytest ++import ansible ++import logging ++from ansible.inventory import Inventory ++from pytest_ansible import plugin ++import ansible.constants ++import os ++ ++from test_steps import * ++import random ++ ++@pytest.mark.ansible_playbook_setup('ldapUserAdd.yml', 'tokenEnroll.yml') ++@pytest.mark.setup ++def test_setup(ansible_playbook): ++ pass ++ ++@pytest.mark.parametrize("certnick,expected", [ ++ ('"PKI TPS Administrator for Example.Org"', ['Token ID: 40906145C76224192D2B', 'User ID: foobar', 'Type: userKey', 'Status: ACTIVE']), ++]) ++ ++@pytest.mark.positive ++def test_tpstoken_show_validgroup(ansible_module, certnick, expected): ++ """ ++ :Description: Command should successfully show tokens. ++ """ ++ contacted = ansible_module.pki( ++ cli='tps-token-show', ++ extra_args='40906145C76224192D2B', ++ protocol='http', ++ certnick=certnick ++ ) ++ for (host, result) in contacted.items(): ++ for iter in expected: ++ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stdout'])) ++ assert iter in result['stdout'] ++@pytest.mark.parametrize("certnick,expected", [ ++ ('"PKI TPS Administrator for Example.Org"', ["PKIException: Record not found"]), ++]) ++ ++@pytest.mark.negative ++def test_tpstoken_show_exception(ansible_module, certnick, expected): ++ """ ++ :Description: Command should give "Records" not found. 
++ """ ++ contacted = ansible_module.pki( ++ cli='tps-token-show', ++ extra_args='40906145C76224192D2BRR', ++ certnick=certnick ++ ) ++ for (host, result) in contacted.items(): ++ for iter in expected: ++ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stderr'])) ++ assert iter in result['stderr'] ++ ++@pytest.mark.positive ++@pytest.mark.parametrize("extra_args, certnick, expected", [ ++ ('40906145C76224192D2B', '"PKI TPS Administrator for Example.Org"', ['Token ID: 40906145C76224192D2B', 'User ID: foobar', 'Type: userKey', 'Status: ACTIVE']), ++ ('--help', '"PKI TPS Administrator for Example.Org"', ['usage: tps-token-show', '', '--help Show help options']), ++]) ++ ++@pytest.mark.positive ++def test_tpstoken_show_help(ansible_module, extra_args, certnick, expected): ++ """ ++ :Description: Command should successfully show tokens. ++ """ ++ contacted = ansible_module.pki( ++ cli='tps-token-show', ++ extra_args=extra_args, ++ protocol='https', ++ certnick=certnick ++ ) ++ for (host, result) in contacted.items(): ++ for iter in expected: ++ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stdout'])) ++ assert iter in result['stdout'] +diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml b/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml +new file mode 100644 +index 0000000..872ee51 +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml +@@ -0,0 +1,35 @@ ++- hosts: master ++ gather_facts: true ++ tasks: ++ - name: Going to TPSClient ++ shell: echo -e "op=var_set name=ra_host value=hostname\nop=var_set name=ra_port value=TPS_HTTP_PORT\nop=var_set name=ra_uri value=/tps/tps\nop=token_set cuid=TOKEN_CUID msn=0120304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0\nop=token_set auth_key=404142434445464748494a4b4c4d4e4f\nop=token_set mac_key=404142434445464748494a4b4c4d4e4f\nop=token_set 
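Review bot: `from test_steps import *` in test_tps_token_show.py hides where `ok` comes from and pulls every name of that module into the test namespace; import it explicitly with `from test_steps import ok` and drop the unused `ansible`, `logging`, `Inventory`, `plugin`, `ansible.constants`, `os` and `random` imports. The loop variable `iter` shadows the builtin in all three tests; `for expected_line in expected:` reads better and avoids surprises if `iter()` is ever called in the same scope. `test_tpstoken_show_help` carries `@pytest.mark.positive` twice, and the `ok(...)` call repeats the whole command output for every expected line, which gets noisy for large responses — logging the output once per host before the inner loop is enough.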
kek_key=404142434445464748494a4b4c4d4e4f\nop=TPS_OPERATION uid=LDAP_USER pwd=LDAP_PASSWD new_pin=LDAP_NEW_PIN num_threads=1 extensions=tokenType=userKey\nop=exit" > /tmp/tpsclient.txt ++ ++ - name: Including variables from Environment ++ include_vars: ++ file: /tmp/test_dir/constants.yml ++ name: variable ++ ++ - name: Replacing correct hostname ++ replace: dest=/tmp/tpsclient.txt regexp=hostname replace={{ inventory_hostname }} ++ ++ - name: Replacing correct Port ++ replace: dest=/tmp/tpsclient.txt regexp=TPS_HTTP_PORT replace={{ variable.TPS_HTTP_PORT }} ++ ++ - name: Replacing correct Password ++ replace: dest=/tmp/tpsclient.txt regexp=LDAP_PASSWD replace={{ variable.LDAP_PASSWD }} ++ ++ - name: Replacing correct pin ++ replace: dest=/tmp/tpsclient.txt regexp=LDAP_NEW_PIN replace={{ variable.LDAP_PASSWD }} ++ ++ - name: Replacing correct Cuid ++ replace: dest=/tmp/tpsclient.txt regexp=TOKEN_CUID replace={{ variable.CUID }} ++ ++ - name: Replacing correct TPS Operation ++ replace: dest=/tmp/tpsclient.txt regexp=TPS_OPERATION replace={{ variable.TPS_OPERATION }} ++ ++ - name: Adding LDAP user in tpsclient configuration ++ replace: dest=/tmp/tpsclient.txt regexp=LDAP_USER replace={{ variable.LDAP_USER }} ++ ++ - name: Performing token enrollment ++ shell: tpsclient < /tmp/tpsclient.txt ++ ignore_errors: yes +diff --git a/tests/dogtag/pytest-ansible/requirements.txt b/tests/dogtag/pytest-ansible/requirements.txt +new file mode 100644 +index 0000000..160b10e +--- /dev/null ++++ b/tests/dogtag/pytest-ansible/requirements.txt +@@ -0,0 +1,5 @@ ++ansible==2.3.2 ++pytest-ansible==1.3.1 ++pytest-ansible-playbook==0.3.0 ++pytest-logger ++pytest-autochecklog==0.2.0 +-- +1.8.3.1 + + +From 53ad8042f1145aa33990298a4d7dc4d6e4fe646b Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Mon, 27 Nov 2017 13:43:33 -0500 +Subject: Add pkispawn option for ephemeral requests + +Ticket 2820 + +Change-Id: I8865d74dd221b69b7fd53f1dbc941c7686bbd858 +(cherry picked from commit 
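Review bot: The first task in tokenEnroll.yml writes the LDAP user's password and the token's auth/mac/kek key values into /tmp/tpsclient.txt through a `shell: echo … >` redirect, so the file is created with the shell's default umask (normally world-readable) and the full command line, secrets included, is echoed into the run log; a `copy` task with `content:` and `mode: '0600'`, plus `no_log: true` on it and on the `Replacing correct Password`/`pin` tasks, keeps the credentials out of both. `ignore_errors: yes` on the enrollment step means a failed `tpsclient` run is only noticed later, when test_tps_token_show's assertions fail with a less direct message; prefer `register: enroll` and a `failed_when:` keyed on whatever success marker tpsclient prints, so the failure is reported at the step that caused it. `LDAP_NEW_PIN` is replaced with `variable.LDAP_PASSWD` rather than a separate pin value — presumably intentional, but worth a comment.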
44c732c5ebb1fc6ef7ca851f4118bf58311588bc) +--- + base/server/etc/default.cfg | 1 + + base/server/man/man5/pki_default.cfg.5 | 7 +++++++ + .../python/pki/server/deployment/scriptlets/configuration.py | 9 +++++++++ + 3 files changed, 17 insertions(+) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index ce10d7f..ad19105 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -436,6 +436,7 @@ pki_replica_number_range_end=100 + [KRA] + pki_import_admin_cert=True + pki_standalone=False ++pki_kra_ephemeral_requests=False + + # DEPRECATED + # Use 'pki_*_csr_path' instead. +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index ab3e617..a505c4b 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -439,6 +439,13 @@ Required for the second step of a stand-alone PKI process. This is the location + .IP + [KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the transport certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.cert'. + ++.SS KRA PARAMETERS ++.BR ++.TP ++.B pki_kra_ephemeral_requests ++.IP ++Specifies to use ephemeral requests for archivals and retrievals. Defaults to False. 
++ + .SS TPS PARAMETERS + .BR + .TP +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index b21adb6..1870505 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -968,6 +968,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + subsystem.config['ca.defaultOcspUri'] = ocsp_uri + subsystem.save() + ++ # set ephemeral requests if needed ++ if subsystem.name == 'kra': ++ if config.str2bool(deployer.mdict['pki_kra_ephemeral_requests']): ++ config.pki_log.info( ++ "setting ephemeral requests to true", ++ extra=config.PKI_INDENTATION_LEVEL_1) ++ subsystem.config['kra.ephemeralRequests'] = 'true' ++ subsystem.save() ++ + token = deployer.mdict['pki_token_name'] + nssdb = instance.open_nssdb(token) + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-batch-1.0.patch b/SOURCES/pki-core-10.5.1-batch-1.0.patch new file mode 100644 index 0000000..242e90a --- /dev/null +++ b/SOURCES/pki-core-10.5.1-batch-1.0.patch 
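Review bot: The new block in configuration.py indexes `deployer.mdict['pki_kra_ephemeral_requests']` directly, which raises `KeyError` for any deployment whose merged config predates this key; default.cfg in the same patch adds it, so this only bites if mdict can be built without default.cfg, but `deployer.mdict.get('pki_kra_ephemeral_requests', 'False')` costs nothing and makes the default explicit at the point of use. The two nested `if`s can be collapsed into `if subsystem.name == 'kra' and config.str2bool(...):`, and the info message would be more useful with the subsystem name in it. The enclosing method starts and ends outside the hunk.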
@@ -0,0 +1,5342 @@ +From 0e6b54df7e0470a5fc18217acc1b800391144ad0 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 21 Feb 2018 18:57:41 +1100 +Subject: [PATCH 01/20] libtps.so: link zlib + +nss-3.35 no longer links zlib. libtps calls `compress` and +`uncompress` but we were not explicitly linking zlib so the build +fails as of nss-3.35. Include -lz when linking libtps. + +Fixes: https://pagure.io/dogtagpki/issue/2946 +Change-Id: If26d71d8c6ad2cc89f60c0de26ccf48673971d55 +(cherry picked from commit dfeb3c66d107123f173d58bf0a6571eb7fa3f260) +--- + base/tps-client/src/CMakeLists.txt | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt +index a86e392..229ea0f 100644 +--- a/base/tps-client/src/CMakeLists.txt ++++ b/base/tps-client/src/CMakeLists.txt +@@ -25,12 +25,24 @@ set(TPS_SHARED_LIBRARY + CACHE INTERNAL "tps shared library" + ) + ++find_library(ZLIB_LIBRARY ++ NAMES ++ z ++ PATHS ++ /usr/lib ++ /usr/lib64 ++ /usr/local/lib ++ /opt/local/lib ++ /sw/lib ++) ++ + set(TPS_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} + ${APR_LIBRARIES} + ${LDAP_LIBRARIES} + ${TOKENDB_SHARED_LIBRARY} ++ ${ZLIB_LIBRARY} + ) + + set(tps_library_SRCS +-- +1.8.3.1 + + +From fff31f97e0123b49961972c12ee3ee82f83920de Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 26 Feb 2018 14:01:18 -0800 +Subject: [PATCH 02/20] Ticket #2949 CMCAuth throws + org.mozilla.jss.crypto.TokenException: Unable to insert certificate into + temporary database + +This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication. During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts: +public boolean isCertValid(byte[] certPackage, boolean checkSig, + CertUsage certUsage) +That call is not appropriate for the purpose. 
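Review bot: The result of the new `find_library(ZLIB_LIBRARY ...)` is never checked, so if zlib is not found the variable holds `ZLIB_LIBRARY-NOTFOUND` and the problem only surfaces as an opaque link error when `${ZLIB_LIBRARY}` is expanded in `TPS_LINK_LIBRARIES`. CMake's bundled FindZLIB module gives an early, readable failure instead: replace the `find_library` block with `find_package(ZLIB REQUIRED)` and reference `${ZLIB_LIBRARIES}` in the link list. That also removes the hand-maintained `PATHS` list, which may not cover every distribution's library layout.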
+ +Looking closely, certificate validation has been done in various places: +* SSL client authentication (if used) +* the isRevoked() call either in agent authentication or in CMCUserSignedAuth +* the cert.checkValidity() call in CMCUserSignedAuth + +The extra isCertValid call is not only redundant but also problematic. + +This patch fixes https://pagure.io/dogtagpki/issue/2949 +(cherry picked from commit c6630a429f6f4a9b2c2090001f0a2c50e10ba5c4) + +Change-Id: I47367b02c8a53a9cfa99b5da370a3a6af1cb9676 +--- + .../cms/src/com/netscape/cms/authentication/CMCAuth.java | 3 --- + .../com/netscape/cms/authentication/CMCUserSignedAuth.java | 12 ------------ + 2 files changed, 15 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index db3ca2b..86ffa2f 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -945,9 +945,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + si.verify(digest, id, pubK); + } + CMS.debug("CMCAuth: finished checking signature"); +- // verify signer's certificate using the revocator +- if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + + // authenticate signer's certificate using the userdb + IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index 527b7e5..d92b33b 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -1132,19 +1132,7 @@ public class CMCUserSignedAuth implements 
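Review bot: Removing `cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)` drops more than a redundant validity-period check: as far as I know that JSS call also verifies that the signer's certificate chains to a CA trusted in the NSS database for the given usage, and neither `CMS.isRevoked(x509Certs)` nor `cert.checkValidity()` cited in the message performs chain verification. If the userdb lookup on the following context line (`IAuthSubsystem authSS = ...`) is what now anchors trust in the signer certificate, record that at the removal point, e.g. `// signer cert is trusted via the userdb match below; isCertValid was dropped because it imports into the token DB (#2949)`; otherwise a chain check that does not import the certificate should replace it. The same removal is made in the CMCUserSignedAuth hunk that follows, and both enclosing methods extend beyond their hunks.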
IAuthManager, IExtendedPluginInfo, + } + CMS.debug(method + "finished checking signature"); + +- // verify signer's certificate using the revocator +- // ...or not; I think it just checks usage and +- // validity, but not revocation status +- if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { +- msg = "CMC signing cert is invalid"; +- CMS.debug(method + msg); +- s.close(); +- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); +- } else { +- CMS.debug(method + "CMC signature verified; but signer not yet;"); +- } + // At this point, the signature has been verified; +- + // now check revocation status of the cert + if (CMS.isRevoked(x509Certs)) { + msg = "CMC signing cert is a revoked certificate"; +-- +1.8.3.1 + + +From cc55aa9cc84bf9a17641b0fd0e509633bf115e44 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 12 Feb 2018 22:37:50 +0100 +Subject: [PATCH 03/20] Added two-step installation mode in pkispawn man page. + +The pkispawn man page has been updated to include the two-step +installation mode. + +https://pagure.io/dogtagpki/issue/2938 + +Change-Id: Icf2edad5477072e33c8eab556b95d5ad4b986131 +(cherry picked from commit 7455cc2023c74d0bd72bbb8f224ba880b1364118) +--- + base/server/man/man8/pkispawn.8 | 39 ++++++++++++++++++++++++++++++++++++++- + 1 file changed, 38 insertions(+), 1 deletion(-) + +diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 +index 1411592..21f6308 100644 +--- a/base/server/man/man8/pkispawn.8 ++++ b/base/server/man/man8/pkispawn.8 +@@ -18,7 +18,7 @@ + pkispawn \- Sets up an instance of Certificate Server. + + .SH SYNOPSIS +-pkispawn \-s \-f [\-h] [\-v] [\-p ] ++pkispawn \-s \-f [options] [\-p ] + + .SH DESCRIPTION + Sets up a Certificate Server subsystem (CA, KRA, OCSP, TKS, or TPS) in a +@@ -84,6 +84,12 @@ Specifies the path to the user-defined configuration file. 
This file contains d + .B --precheck + Execute pre-checks and exit. + .TP ++.B --skip-configuration ++Run the first step of the installation (i.e. skipping the instance configuration step). ++.TP ++.B --skip-installation ++Run the second step of the installation (i.e. skipping the instance installation step). ++.TP + .B -h, --help + Prints additional help information. + .TP +@@ -244,6 +250,37 @@ directory server instance has not yet been created. + + See \fB pki_default.cfg(5) \fP for more details about available flags. + ++.SH TWO-STEP INSTALLATION MODE ++.PP ++pkispawn provides a number of parameters to customize an instance before it is ++created. Usually, most other customization can be done after the server is created. ++However, sometimes certain types of customization need to be done before the server is ++created, but there are no parameters for that. For example, configuring session timeout, ++adding CSR extensions, customizing certificate profiles, configuring TLS ciphers, etc. ++To support such customization, pkispawn provides a two-step installation mode. ++ ++Generally, instance creation happens in one step (except for the external CA case). ++Internally, the process happens in two stages. In the first stage, pkispawn will ++install the instance files (e.g. CS.cfg, NSS database, profiles, etc.) in the instance ++directory and customize them based on pkispawn parameters. In the second stage, ++pkispawn will start the instance and configure the instance based on the instance ++configuration files (e.g. initializing database, generating certificates, configuring ++connectors, etc.). The two-step process allows the process to be stopped after the first ++stage, allowing further customization to be done before running the second stage. ++ ++To use two-step installation mode, prepare a normal pkispawn configuration file, then ++run pkispawn with the --skip-configuration parameter. 
For example: ++ ++.IP ++\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-configuration\fR ++ ++.PP ++Then customize the files in the instance directory as needed. Finally, finish the ++installation by running pkispawn again with the --skip-installation parameter. For example: ++ ++.IP ++\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-installation\fR ++ + .SH EXAMPLES + + .SS Installing a root CA +-- +1.8.3.1 + + +From 652d8c3616fea5d2632e80889445c7f1497572af Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Thu, 22 Feb 2018 10:22:41 +0100 +Subject: [PATCH 04/20] Modernize sslget's TLS version and cipher suite + +Disable all cipher suites unless NSS says it's a FIPS approved suite. + +* SSL 2.0 and SSL 3.0 are disabled +* Broken or weak suites with 3DES, RC4 and effective key bits less than + 80 bits are disabled. + +Fixes: https://pagure.io/dogtagpki/issue/2918 +Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8 +Signed-off-by: Christian Heimes +(cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240) +--- + base/native-tools/src/sslget/sslget.c | 108 +++++++++++++++++++++++++--------- + 1 file changed, 81 insertions(+), 27 deletions(-) + +diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c +index bd631c6..b058209 100644 +--- a/base/native-tools/src/sslget/sslget.c ++++ b/base/native-tools/src/sslget/sslget.c +@@ -58,6 +58,7 @@ + #include "prio.h" + #include "prnetdb.h" + #include "nss.h" ++#include + + + /* set Tabs to 8 */ +@@ -122,7 +123,8 @@ int verbose; + SECItem bigBuf; + + +-char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) ++static char* ++ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) + { + char *passwd = NULL; + +@@ -300,7 +302,7 @@ printSecurityInfo(PRFileDesc *fd) + PRBool useModelSocket = PR_TRUE; + + +-PRInt32 ++static PRInt32 + do_writes( + void * a + ) +@@ -334,7 +336,8 @@ do_writes( + } + + +-int isLinkLocalAddress(char *address, int family) ++static int 
++isLinkLocalAddress(char *address, int family) + { + if ( !address || ( strlen(address) == 0 ) ) { + return 0; +@@ -363,7 +366,7 @@ int isLinkLocalAddress(char *address, int family) + } + + +-SECStatus ++static SECStatus + do_io( PRFileDesc *ssl_sock, int connection) + { + int countRead = 0; +@@ -472,7 +475,7 @@ do_io( PRFileDesc *ssl_sock, int connection) + return SECSuccess; /* success */ + } + +-int ++static int + do_connect( + PRNetAddr *addr, + PRFileDesc *model_sock, +@@ -543,7 +546,7 @@ do_connect( + ** Since the value returned is an integer (not a string of bytes), + ** it is inherently in Host Byte Order. + */ +-PRUint32 ++static PRUint32 + getIPAddress(const char * hostName) + { + const unsigned char *p; +@@ -565,7 +568,7 @@ getIPAddress(const char * hostName) + return rv; + } + +-void ++static void + client_main( + unsigned short port, + int connections, +@@ -576,31 +579,82 @@ client_main( + { + PRFileDesc *model_sock = NULL; + int rv; +- ++ int i; ++ const PRUint16* ssl_ciphers; ++ PRUint16 num_ciphers; ++ PRBool enabled; ++ SSLCipherSuiteInfo info; ++ SSLVersionRange versions = { ++ SSL_LIBRARY_VERSION_TLS_1_1, ++ SSL_LIBRARY_VERSION_TLS_1_2 ++ }; + + FPRINTF(stderr, "port: %d\n", port); + + /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ + NSS_SetDomesticPolicy(); + +- /* all the SSL2 and SSL3 cipher suites are enabled by default. 
*/ +- +- /* enable FIPS ciphers */ +- SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); +- SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); ++ /* disable SSL 2.0 and SSL 3.0 */ ++ SSL_VersionRangeSetDefault(ssl_variant_stream, &versions); ++ ++ /* disable all weak or non-FIPS compliant ciphers */ ++ ssl_ciphers = SSL_GetImplementedCiphers(); ++ num_ciphers = SSL_GetNumImplementedCiphers(); ++ ++ for (i = 0; i < num_ciphers; i++) { ++ if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, sizeof(info)) == SECSuccess) { ++ SSL_CipherPrefGetDefault(ssl_ciphers[i], &enabled); ++ if (!enabled) { ++ /* Although some NSS versions do not support SHA384, try to enable select SHA384 ciphers by default */ ++ if (PL_strcmp(info.cipherSuiteName, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384") == 0) { ++ SSL_CipherPrefSetDefault(0x009f 
/* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384") == 0) { ++ /* NOTE: CBC ciphers may be deprecated in TLS v1.3 */ ++ SSL_CipherPrefSetDefault(0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384") == 0) { ++ SSL_CipherPrefSetDefault(0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384") == 0) { ++ /* NOTE: CBC ciphers may be deprecated in TLS v1.3 */ ++ SSL_CipherPrefSetDefault(0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384") == 0) { ++ SSL_CipherPrefSetDefault(0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ else if (PL_strcmp(info.cipherSuiteName, "TLS_RSA_WITH_AES_256_GCM_SHA384") == 0) { ++ SSL_CipherPrefSetDefault(0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } else { ++ FPRINTF(stderr, "disabled %-42s\t(disabled by default)\n", info.cipherSuiteName); ++ } ++ } ++ else if (!info.isFIPS) { ++ /* Disable non-FIPS compliant ciphers */ ++ enabled = PR_FALSE; ++ FPRINTF(stderr, "disabled %-42s\t(not FIPS)\n", info.cipherSuiteName); ++ } ++ else if (info.symCipher == ssl_calg_rc4) { ++ /* No RC4, see RFC 7465 (recent NSS flag RC4 as not FIPS) */ ++ enabled = PR_FALSE; ++ FPRINTF(stderr, "disabled %-42s\t(RC4)\n", info.cipherSuiteName); ++ } ++ else if (info.symCipher == 
ssl_calg_3des) { ++ /* No 3DES to mitigate SWEET32 attack */ ++ enabled = PR_FALSE; ++ FPRINTF(stderr, "disabled %-42s\t(3DES)\n", info.cipherSuiteName); ++ } else { ++ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); ++ } ++ SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); ++ } ++ } + + /* + * Rifle through the values for the host +@@ -694,7 +748,7 @@ client_main( + } + + +-SECStatus ++static SECStatus + createRequest( + char * url, + char *post, +-- +1.8.3.1 + + +From 83c6d20414f4b344994a8112298512d642eae98f Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 2 Feb 2018 15:54:50 +1100 +Subject: [PATCH 05/20] IPAddressName: remove unused getLength method + +Part of: https://pagure.io/dogtagpki/issue/2922 +Change-Id: I732bd39446efcce18b6dc597d9c613a6b0a6422d +--- + base/util/src/netscape/security/x509/IPAddressName.java | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java +index bb27548..4d08b8c 100644 +--- a/base/util/src/netscape/security/x509/IPAddressName.java ++++ b/base/util/src/netscape/security/x509/IPAddressName.java +@@ -166,8 +166,6 @@ public class IPAddressName implements GeneralNameInterface { + + interface IPAddr { + public int getIPAddr(String s, byte[] address, int start); +- +- public int getLength(); + } + + class IPv4Addr implements IPAddr { +@@ -192,10 +190,6 @@ class IPv4Addr implements IPAddr { + } + return nt; + } +- +- public int getLength() { +- return IPv4_LEN; +- } + } + + class IPv6Addr implements IPAddr { +@@ -270,8 +264,4 @@ class IPv6Addr implements IPAddr { + } + return 16; + } +- +- public int getLength() { +- return 16; +- } + } +-- +1.8.3.1 + + +From 8a2bec1661ff8f86c3501f3d0975fe3fc45e254e Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 2 Feb 2018 18:31:46 +1100 +Subject: [PATCH 06/20] parseGeneralName: properly parse iPAddress GN with + netmask + +There are a couple of 
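Review bot: In the `if (!enabled)` branch of the new cipher loop each matched SHA384 suite is switched on with a hard-coded id (`SSL_CipherPrefSetDefault(0x009f /* ... */, PR_TRUE)` and the five like it) while `enabled` stays PR_FALSE, and the unconditional `SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);` at the bottom of the loop body then disables that same suite again, since the matched name is that of `ssl_ciphers[i]` itself; none of the six suites ends up enabled although the log prints `enabled ...`. Replace each hard-coded call with `enabled = PR_TRUE;` and let the final call apply it, which also removes the duplicated suite ids. The return values of `SSL_VersionRangeSetDefault(ssl_variant_stream, &versions)` and `SSL_CipherPrefGetDefault(...)` are not checked; at least the version-range call should abort on `SECFailure`, because a silent failure leaves the library's default range in effect rather than the intended TLS 1.1–1.2. client_main continues past the end of the hunk.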
problems with iPAddress general name parsing +(primarily used for the Name Constraints extension). + +First, an IP address with netmask expressed as e.g. +1.2.3.4,255.0.0.0 or ::1,ffff:: is outright rejected, causing +issuance failure with a message like: + + NameConstraintsExtDefault: createExtension + netscape.security.x509.InvalidIPAddressException: Invalid IP + Address '10.10.10.10,255.255.255.0' + +Second, an IPv4 address with CIDR-style netmask is misinterpreted as +an IPv6 address _without_ netmask, e.g. the input "192.168.1.1/24" +gets misinterpreted as "c0a8:1c8:ffff:ffff:000:000:000:000", which +is not a conforming value in the Name Constraints extension. + +To resolve these problems, separate the handling of these two cases +and fix the logic. A new class, CIDRNetmask, does the heavy lifting +in the CIDR netmask case. + +Consider the following configuration (irrelevant keys and key +prefixes omitted for brevity). It contains values which caused +failures or incorrect outputs: + + nameConstraintsExcludedSubtreeNameChoice_0=IPAddress + nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24 + nameConstraintsExcludedSubtreeNameChoice_1=IPAddress + nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0 + nameConstraintsExcludedSubtreeNameChoice_2=IPAddress + nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128 + nameConstraintsExcludedSubtreeNameChoice_3=IPAddress + nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff:: + +This configuration now succeeds and produces the correct output. 
+The extension value produced using the above configuration is (per +OpenSSL pretty print): + + X509v3 Name Constraints: critical + Excluded: + IP:10.10.10.10/255.255.255.0 + IP:10.10.10.10/255.255.255.0 + IP:DEAD:BEEF:0:0:0:0:0:1/FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF + IP:DEAD:BEEF:0:0:0:0:0:0/FFFF:FFFF:0:0:0:0:0:0 + +Part of: https://pagure.io/dogtagpki/issue/2922 +Change-Id: I61d5fcceadcca28cc951802ee4b95691653dd356 +--- + .../netscape/cms/profile/def/EnrollDefault.java | 11 +++- + .../src/netscape/security/x509/CIDRNetmask.java | 77 ++++++++++++++++++++++ + .../src/netscape/security/x509/IPAddressName.java | 51 +++++++------- + .../security/x509/InvalidNetmaskException.java | 27 ++++++++ + 4 files changed, 140 insertions(+), 26 deletions(-) + create mode 100644 base/util/src/netscape/security/x509/CIDRNetmask.java + create mode 100644 base/util/src/netscape/security/x509/InvalidNetmaskException.java + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +index 6192888..173ff83 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +@@ -46,6 +46,7 @@ import netscape.security.util.DerInputStream; + import netscape.security.util.DerOutputStream; + import netscape.security.util.DerValue; + import netscape.security.util.ObjectIdentifier; ++import netscape.security.x509.CIDRNetmask; + import netscape.security.x509.CertificateExtensions; + import netscape.security.x509.DNSName; + import netscape.security.x509.EDIPartyName; +@@ -497,9 +498,17 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + if (nameType.equalsIgnoreCase("IPAddress")) { + CMS.debug("IP Value:" + nameValue); + if (nameValue.indexOf('/') != -1) { +- // CIDR support for NameConstraintsExt + StringTokenizer st = new StringTokenizer(nameValue, "/"); + String addr = 
st.nextToken(); ++ CIDRNetmask netmask = new CIDRNetmask(st.nextToken()); ++ CMS.debug("addr:" + addr + " CIDR netmask: " + netmask); ++ return new IPAddressName(addr, netmask); ++ } else if (nameValue.indexOf(',') != -1) { ++ // interpret as IPADDR "," NETMASK e.g. ++ // "192.168.1.0,255.255.255.0" (/24) ++ // "2001:0db8:0123:4567::,ffff:ffff:ffff:ffff::" (/64) ++ StringTokenizer st = new StringTokenizer(nameValue, ","); ++ String addr = st.nextToken(); + String netmask = st.nextToken(); + CMS.debug("addr:" + addr + " netmask: " + netmask); + return new IPAddressName(addr, netmask); +diff --git a/base/util/src/netscape/security/x509/CIDRNetmask.java b/base/util/src/netscape/security/x509/CIDRNetmask.java +new file mode 100644 +index 0000000..80f1a79 +--- /dev/null ++++ b/base/util/src/netscape/security/x509/CIDRNetmask.java +@@ -0,0 +1,77 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package netscape.security.x509; ++ ++import java.nio.ByteBuffer; ++ ++/** ++ * Netmask that is the number of significant bits. 
++ */ ++public class CIDRNetmask { ++ private int n; ++ ++ public CIDRNetmask(String s) { ++ this(Integer.parseInt(s)); ++ } ++ ++ public CIDRNetmask(int n) { ++ if (n < 0) ++ throw new InvalidNetmaskException("cannot be negative"); ++ this.n = n; ++ } ++ ++ /** ++ * Write the netmask into a byte buffer. ++ * ++ * Throw InvalidNetmaskException if negative or if the ++ * size exceeds the size of the address type inferred ++ * from the remaining buffer space (which must be 4 ++ * bytes for IPv4 and 16 bytes for IPv6). ++ * ++ * exceeds the size of the buffer ++ */ ++ protected void write(ByteBuffer buf) { ++ // determine type of addr based on bytes left in buffer ++ int remaining = buf.remaining(); ++ int bits = 0; ++ if (remaining == 4) ++ bits = 32; ++ else if (remaining == 16) ++ bits = 128; ++ else ++ throw new InvalidNetmaskException( ++ "cannot determine type of address for netmask"); ++ ++ if (n > bits) ++ throw new InvalidNetmaskException("netmask exceed address size"); ++ ++ int maskSigBits = n; ++ for (; remaining > 0; remaining--) { ++ int maskByteSigBits = Math.min(8, maskSigBits); ++ byte maskByte = (byte) (0xff - (0xff >> maskByteSigBits)); ++ buf.put(maskByte); ++ maskSigBits = Math.max(maskSigBits - 8, 0); ++ } ++ } ++ ++ public String toString() { ++ return "/" + n; ++ } ++ ++} +diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java +index 4d08b8c..bc63615 100644 +--- a/base/util/src/netscape/security/x509/IPAddressName.java ++++ b/base/util/src/netscape/security/x509/IPAddressName.java +@@ -18,6 +18,7 @@ + package netscape.security.x509; + + import java.io.IOException; ++import java.nio.ByteBuffer; + import java.util.StringTokenizer; + + import netscape.security.util.DerOutputStream; +@@ -77,25 +78,22 @@ public class IPAddressName implements GeneralNameInterface { + * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884) + */ + public 
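Review bot: `CIDRNetmask(String s)` delegates straight to `Integer.parseInt(s)`, so a malformed prefix such as `10.0.0.0/abc` surfaces as a `NumberFormatException` instead of the `InvalidNetmaskException` that every other validation failure in this class raises, and callers catching the latter miss it. Because `this(...)` must be the first statement, route the parse through a small static helper that maps the failure onto the class's own exception type, as below. The `write` Javadoc ends with a stray fragment `exceeds the size of the buffer` that should be deleted, the message `netmask exceed address size` wants `exceeds`, and `toString()` should carry `@Override`.
```java
public CIDRNetmask(String s) {
    this(parsePrefixLength(s));
}

/** Parse the prefix length, reporting malformed input as InvalidNetmaskException. */
private static int parsePrefixLength(String s) {
    try {
        return Integer.parseInt(s);
    } catch (NumberFormatException e) {
        throw new InvalidNetmaskException("not a number: " + s);
    }
}
// … unchanged: CIDRNetmask(int), write(), toString() …
```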
IPAddressName(String s, String netmask) { +- // Based on PKIX RFC2459. IPAddress has +- // 8 bytes (instead of 4 bytes) in the +- // context of NameConstraints +- IPAddr ipAddr = null; +- if (s.indexOf(':') != -1) { +- ipAddr = IPv6; +- address = new byte[IPv6_LEN * 2]; +- } else { +- ipAddr = IPv4; +- address = new byte[IPv4_LEN * 2]; +- } +- StringTokenizer st = new StringTokenizer(s, ","); +- int numFilled = ipAddr.getIPAddr(st.nextToken(), address, 0); +- if (st.hasMoreTokens()) { +- ipAddr.getIPAddr(st.nextToken(), address, numFilled); +- } else { +- for (int i = numFilled; i < address.length; i++) +- address[i] = (byte) 0xff; +- } ++ IPAddr ipAddr = initAddress(true, s); ++ int numFilled = ipAddr.getIPAddr(s, address, 0); ++ ipAddr.getIPAddr(netmask, address, numFilled); ++ } ++ ++ /** ++ * IP address with CIDR netmask ++ * ++ * @param s a single IPv4 or IPv6 address ++ * @param mask a CIDR netmask ++ */ ++ public IPAddressName(String s, CIDRNetmask mask) { ++ IPAddr ipAddr = initAddress(true, s); ++ int numFilled = ipAddr.getIPAddr(s, address, 0); ++ mask.write(ByteBuffer.wrap( ++ address, address.length / 2, address.length / 2)); + } + + /** +@@ -105,15 +103,18 @@ public class IPAddressName implements GeneralNameInterface { + * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x + */ + public IPAddressName(String s) { +- IPAddr ipAddr = null; ++ IPAddr ipAddr = initAddress(false, s); ++ ipAddr.getIPAddr(s, address, 0); ++ } ++ ++ private IPAddr initAddress(boolean withNetmask, String s) { + if (s.indexOf(':') != -1) { +- ipAddr = IPv6; +- address = new byte[IPv6_LEN]; ++ address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)]; ++ return IPv6; + } else { +- ipAddr = IPv4; +- address = new byte[IPv4_LEN]; ++ address = new byte[IPv4_LEN * (withNetmask ? 
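Review bot: The rewritten `IPAddressName(String s, String netmask)` no longer tolerates a missing netmask (the removed code filled the mask half with 0xff when none was given) and parses `netmask` with the parser selected from `s` alone, so a mismatched family such as an IPv6 mask following an IPv4 address is handed to the IPv4 parser; how that fails depends on `getIPAddr`, which is outside the hunk. Make the contract explicit in the Javadoc, `@param netmask netmask of the same address family as s; must not be null`, and add a guard such as `if (netmask == null || (s.indexOf(':') != -1) != (netmask.indexOf(':') != -1)) throw new InvalidIPAddressException(...)`, using whatever constructor that exception offers (its signature is not visible here). The new CIDR constructor below it is fine, since `mask.write` derives the family from the buffer size and rejects an oversized prefix.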
2 : 1)]; ++ return IPv4; + } +- ipAddr.getIPAddr(s, address, 0); + } + + /** +diff --git a/base/util/src/netscape/security/x509/InvalidNetmaskException.java b/base/util/src/netscape/security/x509/InvalidNetmaskException.java +new file mode 100644 +index 0000000..3041377 +--- /dev/null ++++ b/base/util/src/netscape/security/x509/InvalidNetmaskException.java +@@ -0,0 +1,27 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package netscape.security.x509; ++ ++public class InvalidNetmaskException extends RuntimeException { ++ ++ public InvalidNetmaskException(String desc) { ++ super("Invalid netmask (" + desc + ")"); ++ } ++ ++} +-- +1.8.3.1 + + +From c9b323331eef1f1934f8430053a72f7b2a21b084 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 5 Feb 2018 14:53:35 +1100 +Subject: [PATCH 07/20] GeneralNameInterface: methods for checking name + validity + +Some general names may be valid only for describing a single subject +(e.g. Subject Alt Name extension), or for describing a range of +subjects (e.g. Name Constraints extension). For example, an +iPAddress name MUST have 4 (IPv4) or 16 (IPv6) octets in the +"single" context, or 8 (IPv4) or 32 (IPv6) octets in range context. 
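Review bot: `InvalidNetmaskException` offers only a `String` constructor, so a caller translating a lower-level failure (for example the `NumberFormatException` from `Integer.parseInt` in `CIDRNetmask(String)`) has no way to preserve the cause in the chain. Add `public InvalidNetmaskException(String desc, Throwable cause) { super("Invalid netmask (" + desc + ")", cause); }`. As a `RuntimeException` subclass it is `Serializable`; declaring `private static final long serialVersionUID = 1L;` silences the compiler warning and pins the stream format.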
+ +Add the validSingle() and validSubtree() methods to +GeneralNameInterface and all implementing classes. These methods +can be used to check whether the value is valid for use in the +corresponding context. + +Part of: https://pagure.io/dogtagpki/issue/2922 + +Change-Id: Ib77286b309f1d505fe15313483ec658a55780f83 +--- + base/util/src/netscape/security/x509/GeneralName.java | 12 ++++++++++++ + .../src/netscape/security/x509/GeneralNameInterface.java | 16 ++++++++++++++++ + base/util/src/netscape/security/x509/IPAddressName.java | 10 ++++++++++ + 3 files changed, 38 insertions(+) + +diff --git a/base/util/src/netscape/security/x509/GeneralName.java b/base/util/src/netscape/security/x509/GeneralName.java +index 55b5bfc..80d020e 100644 +--- a/base/util/src/netscape/security/x509/GeneralName.java ++++ b/base/util/src/netscape/security/x509/GeneralName.java +@@ -197,6 +197,18 @@ public class GeneralName implements GeneralNameInterface { + } + } + ++ @Override ++ public boolean validSingle() { ++ if (this == name) return false; // can't happen, but just in case... ++ return name.validSingle(); ++ } ++ ++ @Override ++ public boolean validSubtree() { ++ if (this == name) return false; // can't happen, but just in case... ++ return name.validSubtree(); ++ } ++ + /** + * Unwrap this GeneralName until we reach something that is not + * a GeneralName. +diff --git a/base/util/src/netscape/security/x509/GeneralNameInterface.java b/base/util/src/netscape/security/x509/GeneralNameInterface.java +index 7225ccc..61ba06a 100644 +--- a/base/util/src/netscape/security/x509/GeneralNameInterface.java ++++ b/base/util/src/netscape/security/x509/GeneralNameInterface.java +@@ -57,4 +57,20 @@ public interface GeneralNameInterface extends java.io.Serializable { + * encoded. + */ + void encode(DerOutputStream out) throws IOException; ++ ++ /** ++ * Whether the name is valid as a single name (e.g. for use in ++ * Subject Alternative Name extension). 
++ */ ++ default boolean validSingle() { ++ return true; ++ } ++ ++ /** ++ * Whether the name is valid as a subtree name (e.g. for use in ++ * Name Constraints extension) ++ */ ++ default boolean validSubtree() { ++ return true; ++ } + } +diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java +index bc63615..768d2d6 100644 +--- a/base/util/src/netscape/security/x509/IPAddressName.java ++++ b/base/util/src/netscape/security/x509/IPAddressName.java +@@ -124,6 +124,16 @@ public class IPAddressName implements GeneralNameInterface { + return (GeneralNameInterface.NAME_IP); + } + ++ @Override ++ public boolean validSingle() { ++ return address.length == IPv4_LEN || address.length == IPv6_LEN; ++ } ++ ++ @Override ++ public boolean validSubtree() { ++ return address.length == 2*IPv4_LEN || address.length == 2*IPv6_LEN; ++ } ++ + /** + * Encode the IPAddress name into the DerOutputStream. + * +-- +1.8.3.1 + + +From 9086bedfa105078362573c49a65d0084254ffa35 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 5 Feb 2018 15:27:05 +1100 +Subject: [PATCH 08/20] Check validity of Subject/Issuer Alt Names and Name + Constraints + +Different forms of some GeneralName types (in particular, iPAddress) +are valid only in "single subject" or "multiple subject / range" +context. Update SubjectAltNameExtDefault, IssuerAltNameExtDefault +and NameConstraintsExtDefault to check the validity of GeneralName +values for use in the prevailing context. + +This change prevents certificates being issued with netmasked +iPAddress values in the SAN/Issuer Alt Name extension, or +non-netmasked iPAddress values in the Name Constraints extension. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2922 +Change-Id: I42478e2b554e7d53a7c07db59208bf855b476572 +--- + .../cms/profile/def/IssuerAltNameExtDefault.java | 17 +++++++++++++--- + .../cms/profile/def/NameConstraintsExtDefault.java | 23 +++++++++++++++++----- + .../cms/profile/def/SubjectAltNameExtDefault.java | 10 +++++++++- + 3 files changed, 41 insertions(+), 9 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java +index ec20371..924b15a 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java +@@ -164,6 +164,10 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { + + GeneralNameInterface n = parseGeneralName(gname); + if (n != null) { ++ if (!n.validSingle()) { ++ throw new EPropertyException( ++ "Not valid for Issuer Alternative Name: " + gname); ++ } + gn.addElement(n); + } + } +@@ -285,7 +289,7 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { + } + + public IssuerAlternativeNameExtension createExtension(IRequest request) +- throws IOException { ++ throws IOException, EProfileException { + IssuerAlternativeNameExtension ext = null; + + try { +@@ -307,8 +311,15 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { + gname = mapPattern(request, pattern); + } + +- gn.addElement(parseGeneralName( +- getConfig(CONFIG_TYPE) + ":" + gname)); ++ String gtype = getConfig(CONFIG_TYPE); ++ GeneralNameInterface n = parseGeneralName(gtype + ":" + gname); ++ if (n != null) { ++ if (!n.validSingle()) { ++ throw new EProfileException( ++ "Not valid for Issuer Alternative Name: " + gtype + ":" + gname); ++ } ++ gn.addElement(n); ++ } + ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn); + } + ext.setCritical(critical); +diff --git 
a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
+index f010b61..a3d41b7 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
+@@ -408,6 +408,10 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
+ }
+
+ if (gnI != null) {
++ if (!gnI.validSubtree()) {
++ throw new EPropertyException(
++ "Not valid for Name Constraints: " + val);
++ }
+ gn = new GeneralName(gnI);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(locale,
+@@ -591,7 +595,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
+ addExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info);
+ }
+
+- public NameConstraintsExtension createExtension() {
++ public NameConstraintsExtension createExtension()
++ throws EProfileException {
+ NameConstraintsExtension ext = null;
+
+ try {
+@@ -632,6 +637,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
+
+ ext = new NameConstraintsExtension(critical,
+ new GeneralSubtrees(v), new GeneralSubtrees(v1));
++ } catch (EProfileException e) {
++ throw e; // re-throw
+ } catch (Exception e) {
+ CMS.debug("NameConstraintsExtDefault: createExtension " +
+ e.toString());
+@@ -640,8 +647,9 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
+ return ext;
+ }
+
+- private GeneralSubtree createSubtree(String choice, String value,
+- String minS, String maxS) {
++ private GeneralSubtree createSubtree(
++ String choice, String value, String minS, String maxS
++ ) throws EProfileException {
+ GeneralName gn = null;
+ GeneralNameInterface gnI = null;
+
+@@ -650,11 +658,16 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
+ } catch (IOException e) {
+ CMS.debug(e.toString());
+ }
+- if (gnI != null)
++ if (gnI != null) {
++ if
(!gnI.validSubtree()) {
++ throw new EProfileException(
++ "Not valid for Name Constraints: " + value);
++ }
+ gn = new GeneralName(gnI);
+- else
++ } else {
+ //throw new EPropertyException("GeneralName must not be null");
+ return null;
++ }
+
+ int min = 0;
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+index ca3d05f..e99acd2 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+@@ -277,6 +277,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
+ }
+ GeneralNameInterface n = parseGeneralName(gname);
+ if (n != null) {
++ if (!n.validSingle()) {
++ throw new EPropertyException(
++ "Not valid for Subject Alternative Name: " + gname);
++ }
+ gn.addElement(n);
+ }
+ }
+@@ -428,7 +432,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
+ }
+
+ public SubjectAlternativeNameExtension createExtension(IRequest request)
+- throws IOException {
++ throws IOException, EProfileException {
+ SubjectAlternativeNameExtension ext = null;
+ int num = getNumGNs();
+
+@@ -495,6 +499,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
+
+ CMS.debug("adding gname: " + gname);
+ if (n != null) {
++ if (!n.validSingle()) {
++ throw new EProfileException(
++ "Not valid for Subject Alternative Name: " + gtype + ":" + gname);
++ }
+ CMS.debug("SubjectAlternativeNameExtension: n not null");
+ gn.addElement(n);
+ count++;
+--
+1.8.3.1
+
+
+From a66ba7f834d1eb6e828739b74e5c67bbbd741ba8 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Wed, 7 Mar 2018 13:42:01 +1100
+Subject: [PATCH 09/20] IPAddressName: refactoring
+
+Merge the content of some classes that don't need to be classes into
+the main IPAddressName.
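Review bot: In the `@@ -650,11 +658,16 @@` hunk of NameConstraintsExtDefault an unparseable subtree value still ends in `return null;` after nothing more than `CMS.debug(e.toString())`, so a constraint the administrator configured is dropped from the issued certificate's Name Constraints without an error, while the same value failing `validSubtree()` a few lines later now throws; the two failure modes deserve the same treatment, because a missing constraint widens what the issued CA certificate may certify. Replacing `return null;` with `throw new EProfileException("Unable to parse Name Constraints value: " + value);` (effectively reviving the commented-out throw above it) does that; if the silent drop is deliberate for empty slots, the comment that replaces the commented-out line should say so. createSubtree continues past the hunk, `int min = 0;` being its last visible line.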
Rename the 'getIPAddress' method to
+'fillIPv(4|6)Address', to better reflect its behaviour. Enhance
+initAddress to not only intialise the byte[] but also populate the
+address.
+
+Part of: https://pagure.io/dogtagpki/issue/2922
+Change-Id: If9cd9f3134ef2086b283a51abc35f2918869aca2
+---
+ .../src/netscape/security/x509/IPAddressName.java | 53 ++++++++++------------
+ 1 file changed, 25 insertions(+), 28 deletions(-)
+
+diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
+index 768d2d6..1c01f58 100644
+--- a/base/util/src/netscape/security/x509/IPAddressName.java
++++ b/base/util/src/netscape/security/x509/IPAddressName.java
+@@ -65,8 +65,6 @@ public class IPAddressName implements GeneralNameInterface {
+
+ protected static final char IPv4_LEN = 4;
+ protected static final char IPv6_LEN = 16;
+- protected static final IPAddr IPv4 = new IPv4Addr();
+- protected static final IPAddr IPv6 = new IPv6Addr();
+
+ /**
+ * Create the IPAddressName object with a string representing the
+@@ -78,9 +76,11 @@ public class IPAddressName implements GeneralNameInterface {
+ * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
+ */
+ public IPAddressName(String s, String netmask) {
+- IPAddr ipAddr = initAddress(true, s);
+- int numFilled = ipAddr.getIPAddr(s, address, 0);
+- ipAddr.getIPAddr(netmask, address, numFilled);
++ address = initAddress(true, s);
++ if (address.length == IPv4_LEN * 2)
++ fillIPv4Address(netmask, address, address.length / 2);
++ else
++ fillIPv6Address(netmask, address, address.length / 2);
+ }
+
+ /**
+@@ -90,8 +90,7 @@ public class IPAddressName implements GeneralNameInterface {
+ * @param mask a CIDR netmask
+ */
+ public IPAddressName(String s, CIDRNetmask mask) {
+- IPAddr ipAddr = initAddress(true, s);
+- int numFilled = ipAddr.getIPAddr(s, address, 0);
++ address = initAddress(true, s);
+ mask.write(ByteBuffer.wrap(
+ address,
address.length / 2, address.length / 2));
+ }
+@@ -103,17 +102,26 @@ public class IPAddressName implements GeneralNameInterface {
+ * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
+ */
+ public IPAddressName(String s) {
+- IPAddr ipAddr = initAddress(false, s);
+- ipAddr.getIPAddr(s, address, 0);
++ initAddress(false, s);
+ }
+
+- private IPAddr initAddress(boolean withNetmask, String s) {
++ /**
++ * Initialise and return a byte[] and write the IP address into it.
++ * If withNetmask == true, the byte[] will be double the size,
++ * with the latter half uninitialised.
++ *
++ * @return byte[] of length 4 or 16 if withNetmask == false,
++ * or length 8 or 32 if withNetmask == true.
++ */
++ private static byte[] initAddress(boolean withNetmask, String s) {
+ if (s.indexOf(':') != -1) {
+- address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
+- return IPv6;
++ byte[] address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
++ fillIPv6Address(s, address, 0);
++ return address;
+ } else {
+- address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
+- return IPv4;
++ byte[] address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
++ fillIPv4Address(s, address, 0);
++ return address;
+ }
+ }
+
+@@ -173,19 +181,11 @@ public class IPAddressName implements GeneralNameInterface {
+ return r.toString();
+ }
+ }
+-}
+-
+-interface IPAddr {
+- public int getIPAddr(String s, byte[] address, int start);
+-}
+-
+-class IPv4Addr implements IPAddr {
+- protected static final int IPv4_LEN = 4;
+
+ /**
+ * Gets an IP v4 address in the form n.n.n.n.
+ */
+- public int getIPAddr(String s, byte[] address, int start) {
++ public static int fillIPv4Address(String s, byte[] address, int start) {
+ StringTokenizer st = new StringTokenizer(s, ".");
+ int nt = st.countTokens();
+ if (nt != IPv4_LEN)
+@@ -201,9 +201,7 @@ class IPv4Addr implements IPAddr {
+ }
+ return nt;
+ }
+-}
+
+-class IPv6Addr implements IPAddr {
+ /**
+ * Gets an IP address in the forms as defined in RFC1884:
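Review bot: `IPAddressName(String s)` in the `@@ -103,17 +102,26 @@` hunk throws the array away: `initAddress` is now static and returns a freshly allocated `byte[]` (the `byte[] address` inside it is a local that shadows the field), and the constructor calls `initAddress(false, s);` without assigning the result, so unless the field has an initializer outside the hunk `address` stays null and `validSingle()` or encoding on a single-address name dereferences it — the other two constructors in this patch were correctly changed to `address = initAddress(true, s);`. The fix is the same one-liner, `address = initAddress(false, s);`. The new Javadoc on `initAddress` should also say that the caller must store the result, e.g. `* The caller is responsible for assigning the returned array to {@code address}.`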
+ *
    +@@ -212,7 +210,7 @@ class IPv6Addr implements IPAddr { + *
  • ...:n.n.n.n (with n.n.n.n at the end) + *
+ */ +- public int getIPAddr(String s, byte[] address, int start) { ++ public static int fillIPv6Address(String s, byte[] address, int start) { + int lastcolon = -2; + int end = start + 16; + int idx = start; +@@ -223,8 +221,7 @@ class IPv6Addr implements IPAddr { + if (lastcolon == -1) + throw new InvalidIPAddressException(s); + end -= 4; +- IPAddressName.IPv4.getIPAddr( +- s.substring(lastcolon + 1), address, end); ++ fillIPv4Address(s.substring(lastcolon + 1), address, end); + } + try { + String s1 = s; +-- +1.8.3.1 + + +From c1aca1d718e9f3590bea9ee934d3dda25fa4ff74 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 7 Mar 2018 14:56:44 -0800 +Subject: [PATCH 10/20] Ticket #2950 Need ECC-specific Enrollment Profiles for + standard conformance + +This patch adds ECC-specific enrollment profiles where the Key Usage Extension +bits for SSL server and client certificates are notably different per RFC 6960: + + new file: base/ca/shared/conf/ECadminCert.profile + new file: base/ca/shared/conf/ECserverCert.profile + new file: base/ca/shared/conf/ECsubsystemCert.profile + new file: base/ca/shared/profiles/ca/ECAdminCert.cfg + new file: base/ca/shared/profiles/ca/caCMCECUserCert.cfg + new file: base/ca/shared/profiles/ca/caCMCECserverCert.cfg + new file: base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg + new file: base/ca/shared/profiles/ca/caECAdminCert.cfg + new file: base/ca/shared/profiles/ca/caECAgentServerCert.cfg + new file: base/ca/shared/profiles/ca/caECDirPinUserCert.cfg + new file: base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg + new file: base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg + new file: base/ca/shared/profiles/ca/caECServerCert.cfg + new file: base/ca/shared/profiles/ca/caECSubsystemCert.cfg + new file: base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg + new file: base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg + new file: base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg + new file: 
base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg + +In addition, some existing enrollment profiles are adjusted. +And while in there, signing algorithms with SHA1, MD2, and MD5 are removed + +No attempt has been made for TPS enrollment profiles in this round. +No attempt has been made for adding ECDH-appropriate profile. + +This patch addresses: https://pagure.io/dogtagpki/issue/2950 + +Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d +(cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5) +--- + base/ca/shared/conf/CS.cfg | 44 +++++++-- + base/ca/shared/conf/ECadminCert.profile | 39 ++++++++ + base/ca/shared/conf/ECserverCert.profile | 39 ++++++++ + base/ca/shared/conf/ECsubsystemCert.profile | 39 ++++++++ + base/ca/shared/conf/serverCert.profile | 2 +- + base/ca/shared/conf/subsystemCert.profile | 8 +- + base/ca/shared/profiles/ca/AdminCert.cfg | 4 +- + base/ca/shared/profiles/ca/ECAdminCert.cfg | 86 ++++++++++++++++ + base/ca/shared/profiles/ca/caAdminCert.cfg | 6 +- + base/ca/shared/profiles/ca/caAgentServerCert.cfg | 10 +- + base/ca/shared/profiles/ca/caCACert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 86 ++++++++++++++++ + base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 90 +++++++++++++++++ + .../ca/shared/profiles/ca/caCMCECsubsystemCert.cfg | 86 ++++++++++++++++ + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 10 +- + .../shared/profiles/ca/caCMCauditSigningCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCcaCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 2 +- + .../shared/profiles/ca/caCMCkraTransportCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCocspCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCserverCert.cfg | 10 +- + base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 6 +- + base/ca/shared/profiles/ca/caDirUserCert.cfg | 4 +- + base/ca/shared/profiles/ca/caECAdminCert.cfg | 87 ++++++++++++++++ + base/ca/shared/profiles/ca/caECAgentServerCert.cfg | 85 ++++++++++++++++ + 
base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 99 +++++++++++++++++++ + base/ca/shared/profiles/ca/caECDirUserCert.cfg | 20 ++-- + base/ca/shared/profiles/ca/caECDualCert.cfg | 4 +- + .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 85 ++++++++++++++++ + base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 85 ++++++++++++++++ + .../profiles/ca/caECFullCMCUserSignedCert.cfg | 94 ++++++++++++++++++ + .../profiles/ca/caECInternalAuthServerCert.cfg | 109 +++++++++++++++++++++ + .../profiles/ca/caECInternalAuthSubsystemCert.cfg | 88 +++++++++++++++++ + base/ca/shared/profiles/ca/caECServerCert.cfg | 85 ++++++++++++++++ + .../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 84 ++++++++++++++++ + base/ca/shared/profiles/ca/caECSubsystemCert.cfg | 85 ++++++++++++++++ + base/ca/shared/profiles/ca/caECUserCert.cfg | 14 +-- + base/ca/shared/profiles/ca/caEncECUserCert.cfg | 4 +- + .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 6 +- + base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 6 +- + .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 6 +- + .../profiles/ca/caInternalAuthServerCert.cfg | 10 +- + .../profiles/ca/caInternalAuthSubsystemCert.cfg | 10 +- + base/ca/shared/profiles/ca/caOCSPCert.cfg | 2 +- + base/ca/shared/profiles/ca/caServerCert.cfg | 10 +- + base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 4 +- + base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 10 +- + base/ca/shared/profiles/ca/caSubsystemCert.cfg | 10 +- + base/ca/shared/profiles/ca/caUserCert.cfg | 4 +- + 49 files changed, 1581 insertions(+), 106 deletions(-) + create mode 100644 base/ca/shared/conf/ECadminCert.profile + create mode 100644 base/ca/shared/conf/ECserverCert.profile + create mode 100644 base/ca/shared/conf/ECsubsystemCert.profile + create mode 100644 base/ca/shared/profiles/ca/ECAdminCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCECUserCert.cfg + create mode 100644 base/ca/shared/profiles/ca/caCMCECserverCert.cfg + create mode 100644 
base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECAdminCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECAgentServerCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECServerCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECSubsystemCert.cfg
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 59de904..1d65835 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -233,8 +233,8 @@ ca.scep._004=## ca.scep.nickname=
+ ca.scep._005=## ca.scep.tokenname=
+ ca.scep._006=##
+ ca.scep.enable=false
+-ca.scep.hashAlgorithm=SHA1
+-ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
++ca.scep.hashAlgorithm=SHA256
++ca.scep.allowedHashAlgorithms=SHA256,SHA512
+ ca.scep.encryptionAlgorithm=DES3
+ ca.scep.allowedEncryptionAlgorithms=DES3
+ ca.scep.nonceSizeLimit=16
+@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
+ ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
+ ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+ ca.ocsp_signing.tokenname=internal
+-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
++ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
+ ca.publish.createOwnDNEntry=false
+ ca.publish.queue.enable=true
+
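Review bot: The SCEP hardening in the `@@ -233,8 +233,8 @@` hunk stops at the digest: the context lines `ca.scep.encryptionAlgorithm=DES3` and `ca.scep.allowedEncryptionAlgorithms=DES3` leave 3DES as the only content-encryption cipher a SCEP client can negotiate, so a SHA-256-only policy is paired with a 64-bit-block cipher that is being retired everywhere else in this commit's spirit. If the SCEP servlet accepts an AES identifier, listing it in `ca.scep.allowedEncryptionAlgorithms` and preferring it in `ca.scep.encryptionAlgorithm` would finish the clean-up; whether it does, and under which name, is not visible here, so at minimum a `ca.scep._00N=## DES3 kept for legacy clients` comment line would record the decision.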
ca.publish.queue.maxNumberOfThreads=3 +@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 + oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension + oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 + os.userid=nobody +-profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
++profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment + profile.caUUIDdeviceCert.class_id=caEnrollImpl + profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg + profile.caManualRenewal.class_id=caEnrollImpl +@@ -986,16 +986,22 @@ profile.caSSLClientSelfRenewal.class_id=caEnrollImpl + 
profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSSLClientSelfRenewal.cfg + profile.AdminCert.class_id=caEnrollImpl + profile.AdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/AdminCert.cfg ++profile.ECAdminCert.class_id=caEnrollImpl ++profile.ECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/ECAdminCert.cfg + profile.DomainController.class_id=caEnrollImpl + profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/DomainController.cfg + profile.caAgentFileSigning.class_id=caEnrollImpl + profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentFileSigning.cfg + profile.caAgentServerCert.class_id=caEnrollImpl + profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg ++profile.caECAgentServerCert.class_id=caEnrollImpl ++profile.caECAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECAgentServerCert.cfg + profile.caRAserverCert.class_id=caEnrollImpl + profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg + profile.caCMCUserCert.class_id=caEnrollImpl + profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg ++profile.caCMCECUserCert.class_id=caEnrollImpl ++profile.caCMCECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECUserCert.cfg + profile.caCMCauditSigningCert.class_id=caEnrollImpl + profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg + profile.caCMCcaCert.class_id=caEnrollImpl +@@ -1008,8 +1014,12 @@ profile.caCMCocspCert.class_id=caEnrollImpl + profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg + profile.caCMCserverCert.class_id=caEnrollImpl + 
profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg ++profile.caCMCECserverCert.class_id=caEnrollImpl ++profile.caCMCECserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECserverCert.cfg + profile.caCMCsubsystemCert.class_id=caEnrollImpl + profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg ++profile.caCMCECsubsystemCert.class_id=caEnrollImpl ++profile.caCMCECsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECsubsystemCert.cfg + profile.caCACert.class_id=caEnrollImpl + profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg + profile.caInstallCACert.class_id=caEnrollImpl +@@ -1020,32 +1030,42 @@ profile.caDirBasedDualCert.class_id=caEnrollImpl + profile.caDirBasedDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirBasedDualCert.cfg + profile.caDirPinUserCert.class_id=caEnrollImpl + profile.caDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirPinUserCert.cfg ++profile.caECDirPinUserCert.class_id=caEnrollImpl ++profile.caECDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirPinUserCert.cfg + profile.caDirUserCert.class_id=caEnrollImpl + profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirUserCert.cfg + profile.caECDirUserCert.class_id=caEnrollImpl + profile.caECDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirUserCert.cfg + profile.caDualCert.class_id=caEnrollImpl + profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualCert.cfg +-profile.caECDualCert.class_id=caEnrollImpl +-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDualCert.cfg + profile.caDualRAuserCert.class_id=caEnrollImpl + 
profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualRAuserCert.cfg + profile.caRAagentCert.class_id=caEnrollImpl + profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg + profile.caFullCMCUserCert.class_id=caEnrollImpl + profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg ++profile.caECFullCMCUserCert.class_id=caEnrollImpl ++profile.caECFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserCert.cfg + profile.caFullCMCUserSignedCert.class_id=caEnrollImpl + profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg ++profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl ++profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg + profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl + profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg ++profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl ++profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg + profile.caInternalAuthOCSPCert.class_id=caEnrollImpl + profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg + profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl + profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthAuditSigningCert.cfg + profile.caInternalAuthServerCert.class_id=caEnrollImpl + profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthServerCert.cfg ++profile.caECInternalAuthServerCert.class_id=caEnrollImpl 
++profile.caECInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthServerCert.cfg + profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl + profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthSubsystemCert.cfg ++profile.caECInternalAuthSubsystemCert.class_id=caEnrollImpl ++profile.caECInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthSubsystemCert.cfg + profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl + profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthDRMstorageCert.cfg + profile.caInternalAuthTransportCert.class_id=caEnrollImpl +@@ -1062,20 +1082,26 @@ profile.caRouterCert.class_id=caEnrollImpl + profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRouterCert.cfg + profile.caServerCert.class_id=caEnrollImpl + profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg ++profile.caECServerCert.class_id=caEnrollImpl ++profile.caECServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECServerCert.cfg + profile.caSignedLogCert.class_id=caEnrollImpl + profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg +-profile.caSigningECUserCert.class_id=caEnrollImpl +-profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg + profile.caSigningUserCert.class_id=caEnrollImpl + profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg + profile.caSimpleCMCUserCert.class_id=caEnrollImpl + profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg ++profile.caECSimpleCMCUserCert.class_id=caEnrollImpl 
++profile.caECSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSimpleCMCUserCert.cfg
+ profile.caSubsystemCert.class_id=caEnrollImpl
+ profile.caSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSubsystemCert.cfg
++profile.caECSubsystemCert.class_id=caEnrollImpl
++profile.caECSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSubsystemCert.cfg
+ profile.caTPSCert.class_id=caEnrollImpl
+ profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTPSCert.cfg
+ profile.caAdminCert.class_id=caEnrollImpl
+ profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
++profile.caECAdminCert.class_id=caEnrollImpl
++profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
+ profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+ profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+ profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+@@ -1116,8 +1142,6 @@ profile.caIPAserviceCert.class_id=caEnrollImpl
+ profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caIPAserviceCert.cfg
+ profile.caEncUserCert.class_id=caEnrollImpl
+ profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
+-profile.caEncECUserCert.class_id=caEnrollImpl
+-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
+ registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
+ processor.caProfileProcess.getClientCert=true
+ processor.caProfileProcess.authzMgr=BasicAclAuthz
+diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile
+new file mode 100644
+index 0000000..46d157a
+--- /dev/null
++++
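Review bot: `profile.caECAdminCert.config` in the `@@ -1062,20 +1082,26 @@` hunk points at `profiles/ca/caAdminCert.cfg`, the RSA admin profile, while the diffstat creates `profiles/ca/caECAdminCert.cfg` and every other new `profile.caEC*.config` entry in this file references its own EC file; as written, a request for the caECAdminCert profile ID would be served the RSA profile's contents, which defeats the point of adding it. The line should read `profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECAdminCert.cfg`.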
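Review bot: The `@@ -1116,8 +1142,6 @@` hunk removes the `profile.caEncECUserCert.*` registration, as earlier hunks remove `caECDualCert` and `caSigningECUserCert` and the `profile.list` hunk drops all three, yet the diffstat still lists `caEncECUserCert.cfg`, `caECDualCert.cfg` and `caSigningECUserCert.cfg` as modified rather than deleted, and the commit message only says "some existing enrollment profiles are adjusted". If these profiles are being retired, deleting the files (or one sentence in the message saying why they stay on disk but unregistered) keeps CS.cfg and the tree consistent; if they are not, the de-registrations look accidental.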
b/base/ca/shared/conf/ECadminCert.profile
+@@ -0,0 +1,39 @@
++#
++# Admin Certificate
++#
++id=adminCert.profile
++name=All Purpose admin cert with ECC keys Profile
++description=This profile creates an administrator's certificate with ECC keys
++profileIDMapping=caAdminCert
++profileSetIDMapping=adminCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=true
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
+new file mode 100644
+index 0000000..8c679f7
+--- /dev/null
++++
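Review bot: `profileIDMapping=caAdminCert` in the new ECadminCert.profile maps the EC admin certificate onto the RSA `caAdminCert` profile ID, whereas the sibling ECserverCert.profile and ECsubsystemCert.profile in this patch map to `caECServerCert` and `caECSubsystemCert`, and CS.cfg in this same commit registers a `caECAdminCert` profile; the file also keeps `id=adminCert.profile`, the same id as the RSA file. Presumably the line should be `profileIDMapping=caECAdminCert`, and the id should be distinct if it is used as a key anywhere (not visible here). Until that is settled, an EC admin enrollment that goes through this file would be processed under the RSA profile's constraints.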
b/base/ca/shared/conf/ECserverCert.profile
+@@ -0,0 +1,39 @@
++#
++# ECC Server Certificate
++#
++id=serverCert.profile
++name=All Purpose SSL server cert with ECC keys Profile
++description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
++profileIDMapping=caECServerCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=false
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+diff --git a/base/ca/shared/conf/ECsubsystemCert.profile b/base/ca/shared/conf/ECsubsystemCert.profile
+new file mode 100644
+index
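Review bot: `6.default.params.keyUsageDataEncipherment=true` in the new ECserverCert.profile sets a key-usage bit that RFC 5480 §3 does not allow for an id-ecPublicKey subject key — for end-entity EC keys that section permits only digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly alongside keyAgreement) — and standards conformance is the commit's stated purpose. ECadminCert.profile and ECsubsystemCert.profile in this patch set the same bit. Unless a consumer is known to depend on it, the line should read `6.default.params.keyUsageDataEncipherment=false` in all three files; the commit message's citation of RFC 6960 (OCSP) for these key-usage rules also looks like it meant RFC 5480.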
0000000..d11dabb
+--- /dev/null
++++ b/base/ca/shared/conf/ECsubsystemCert.profile
+@@ -0,0 +1,39 @@
++#
++# ECC Subsystem Certificate
++#
++id=subsystemCert.profile
++name=Subsystem cert with ECC keys Profile
++description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
++profileIDMapping=caECSubsystemCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=false
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
+index 
8b436b2..3674cbc 100644
+--- a/base/ca/shared/conf/serverCert.profile
++++ b/base/ca/shared/conf/serverCert.profile
+@@ -25,7 +25,7 @@ list=2,4,5,6,7
+ 6.default.name=Key Usage Default
+ 6.default.params.keyUsageCritical=true
+ 6.default.params.keyUsageDigitalSignature=true
+-6.default.params.keyUsageNonRepudiation=true
++6.default.params.keyUsageNonRepudiation=false
+ 6.default.params.keyUsageDataEncipherment=true
+ 6.default.params.keyUsageKeyEncipherment=true
+ 6.default.params.keyUsageKeyAgreement=false
+diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
+index a8f08e4..fa8f84e 100644
+--- a/base/ca/shared/conf/subsystemCert.profile
++++ b/base/ca/shared/conf/subsystemCert.profile
+@@ -1,10 +1,10 @@
+ #
+-# Server Certificate
++# Subsystem Certificate
+ #
+ id=subsystemCert.profile
+ name=All Purpose SSL server cert Profile
+-description=This profile creates an SSL server certificate that is valid for SSL servers
+-profileIDMapping=caServerCert
++description=This profile creates a subsystem certificate that is valid for SSL client
++profileIDMapping=caSubsystemCert
+ profileSetIDMapping=serverCertSet
+ list=2,4,5,6,7
+ 2.default.class=com.netscape.cms.profile.def.ValidityDefault
+@@ -36,4 +36,4 @@ list=2,4,5,6,7
+ 7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+ 7.default.name=Extended Key Usage Extension Default
+ 7.default.params.exKeyUsageCritical=false
+-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
+index 292beb4..7879614 100644
+--- a/base/ca/shared/profiles/ca/AdminCert.cfg
++++ b/base/ca/shared/profiles/ca/AdminCert.cfg
+@@ -30,8 +30,8 @@ policyset.adminCertSet.2.default.params.range=365
+ policyset.adminCertSet.2.default.params.startTime=0
+ policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+ 
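Review bot: The unchanged context line `name=All Purpose SSL server cert Profile` in subsystemCert.profile still describes a server cert even though the header comment, description and `profileIDMapping` in this hunk are all retargeted to the subsystem cert; the new ECsubsystemCert.profile uses `name=Subsystem cert with ECC keys Profile`, so `name=Subsystem cert Profile` here would keep the pair consistent. The new description also reads "valid for SSL client" where its ECC counterpart says "clients".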
policyset.adminCertSet.3.constraint.name=Key Constraint
+-policyset.adminCertSet.3.constraint.params.keyType=-
+-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.adminCertSet.3.constraint.params.keyType=RSA
++policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.adminCertSet.3.default.name=Key Default
+ policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+new file mode 100644
+index 0000000..e00022e
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+@@ -0,0 +1,86 @@
++desc=This certificate profile is for enrolling Administrator's certificates with ECC keys suitable for use by clients such as browsers.
++visible=true
++enable=true
++enableBy=admin
++auth.instance_id=
++name=Manual Administrator Certificate Enrollment with ECC keys
++input.list=i1,i2,i3
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++input.i3.class_id=subjectDNInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=adminCertSet
++policyset.adminCertSet.list=1,2,3,4,5,6,7,8
++policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.adminCertSet.1.constraint.name=Subject Name Constraint
++policyset.adminCertSet.1.constraint.params.pattern=.*
++policyset.adminCertSet.1.constraint.params.accept=true
++policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.adminCertSet.1.default.name=Subject Name Default
++policyset.adminCertSet.1.default.params.name=
++policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.adminCertSet.2.constraint.name=Validity Constraint
++policyset.adminCertSet.2.constraint.params.range=365
++policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
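Review bot: The narrowed constraint `policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` in AdminCert.cfg still admits 1024-bit RSA keys, which sit below the 2048-bit floor generally required for newly issued certificates; since this patch is already tightening the line (and strips SHA-1/MD5/MD2 from `signingAlgsAllowed` in later hunks), dropping the smallest size is the natural companion, `keyParameters=2048,3072,4096`. The identical list is written into caAdminCert.cfg, caAgentServerCert.cfg and caCMCUserCert.cfg further down in this patch. If 1024 has to stay so that existing admin keys can renew, a `#` comment on the line saying so would stop the next reader from reopening the question.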
++policyset.adminCertSet.2.constraint.params.notAfterCheck=false
++policyset.adminCertSet.2.default.class_id=validityDefaultImpl
++policyset.adminCertSet.2.default.name=Validity Default
++policyset.adminCertSet.2.default.params.range=365
++policyset.adminCertSet.2.default.params.startTime=0
++policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.adminCertSet.3.constraint.name=Key Constraint
++policyset.adminCertSet.3.constraint.params.keyType=-
++policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.adminCertSet.3.default.name=Key Default
++policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
++policyset.adminCertSet.4.constraint.name=No Constraint
++policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.adminCertSet.4.default.name=Authority Key Identifier Default
++policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
++policyset.adminCertSet.5.constraint.name=No Constraint
++policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.adminCertSet.5.default.name=AIA Extension Default
++policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
++policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
++policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.adminCertSet.6.default.name=Key Usage Default
++policyset.adminCertSet.6.default.params.keyUsageCritical=true
++policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
++policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
++policyset.adminCertSet.7.constraint.name=No Constraint
++policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
++policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.adminCertSet.8.constraint.name=No Constraint
++policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.adminCertSet.8.default.name=Signing Alg
++policyset.adminCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
+index 6eb784b..86a3b11 100644
+--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
++++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
+@@ -31,8 +31,8 @@ policyset.adminCertSet.2.default.params.range=365
+ policyset.adminCertSet.2.default.params.startTime=0
+ policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.adminCertSet.3.constraint.name=Key Constraint
+-policyset.adminCertSet.3.constraint.params.keyType=-
+-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.adminCertSet.3.constraint.params.keyType=RSA
++policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.adminCertSet.3.default.name=Key Default
+ policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.adminCertSet.8.constraint.name=No Constraint
+-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+ 
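Review bot: The new ECAdminCert.cfg leaves its key constraint at `policyset.adminCertSet.3.constraint.params.keyType=-` with an EC-only parameter list, while the other ECC profiles added in this patch (caCMCECUserCert.cfg, caCMCECserverCert.cfg, caCMCECsubsystemCert.cfg) state `keyType=EC`. Whether `-` is guaranteed to reject an RSA key whose size is simply absent from the nistp list I cannot tell from the diff, but `keyType=EC` expresses the intent directly and matches the siblings, so `policyset.adminCertSet.3.constraint.params.keyType=EC` is the safer spelling. The file is also the only one of the new .cfg profiles without a `#` header line naming its purpose, which the first `desc=` line partly covers.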
policyset.adminCertSet.8.default.name=Signing Alg
+ policyset.adminCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+index 924046d..c4d109f 100644
+--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
++++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=180
+ policyset.serverCertSet.2.default.params.startTime=0
+ policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.serverCertSet.3.constraint.name=Key Constraint
+-policyset.serverCertSet.3.constraint.params.keyType=-
+-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.serverCertSet.3.constraint.params.keyType=RSA
++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.serverCertSet.3.default.name=Key Default
+ policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.serverCertSet.6.default.name=Key Usage Default
+ policyset.serverCertSet.6.default.params.keyUsageCritical=true
+ 
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
+index 2f898b8..e4f491d 100644
+--- a/base/ca/shared/profiles/ca/caCACert.cfg
++++ b/base/ca/shared/profiles/ca/caCACert.cfg
+@@ -79,7 +79,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+ policyset.caCertSet.8.default.params.critical=false
+ policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caCertSet.9.constraint.name=No Constraint
+-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caCertSet.9.default.name=Signing Alg
+ policyset.caCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+new file mode 100644
+index 0000000..5185891
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+@@ -0,0 +1,86 @@
++desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC certificate request with CMC Signature authentication.
++visible=true
++enable=true
++enableBy=admin
++auth.instance_id=CMCAuth
++authz.acl=group="Certificate Manager Agents"
++name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment
++input.list=i1,i2
++input.i1.class_id=cmcCertReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
++policyset.cmcUserCertSet.1.constraint.params.pattern=.*
++policyset.cmcUserCertSet.1.constraint.params.accept=true
++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyType=EC
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+new file mode 100644
+index 0000000..158d9fe
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+@@ -0,0 +1,90 @@
++desc=This certificate profile is for enrolling server certificates with ECC keys using CMC.
++visible=false
++enable=true
++enableBy=admin
++auth.instance_id=CMCAuth
++authz.acl=group="Certificate Manager Agents"
++name=Server Certificate wth ECC keys Enrollment using CMC
++input.list=i1,i2
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=serverCertSet
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.serverCertSet.1.constraint.name=Subject Name Constraint
++policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
++policyset.serverCertSet.1.constraint.params.accept=true
++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.serverCertSet.1.default.name=Subject Name Default
++policyset.serverCertSet.1.default.params.name=
++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.serverCertSet.2.constraint.name=Validity Constraint
++policyset.serverCertSet.2.constraint.params.range=720
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
++policyset.serverCertSet.2.constraint.params.notAfterCheck=false
++policyset.serverCertSet.2.default.class_id=validityDefaultImpl
++policyset.serverCertSet.2.default.name=Validity Default
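Review bot: The user-visible `name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment` in the new caCMCECUserCert.cfg misspells "with"; the same typo appears in caCMCECserverCert.cfg's `name=Server Certificate wth ECC keys Enrollment using CMC` in the next hunk. Both strings are what agents and clients see as the profile name, so they are worth correcting before the profiles ship. Also `policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521` omits nistp384 where the ECC server and subsystem profiles in this patch allow `nistp256,nistp384,nistp521`; it carries over the old caCMCUserCert.cfg list, so if the omission is deliberate a `#` comment on the line would spare the next reader the question.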
++policyset.serverCertSet.2.default.params.range=720
++policyset.serverCertSet.2.default.params.startTime=0
++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.serverCertSet.3.constraint.name=Key Constraint
++policyset.serverCertSet.3.constraint.params.keyType=EC
++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.serverCertSet.3.default.name=Key Default
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.4.constraint.name=No Constraint
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.serverCertSet.4.default.name=Authority Key Identifier Default
++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.5.constraint.name=No Constraint
++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.serverCertSet.5.default.name=AIA Extension Default
++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.serverCertSet.6.default.name=Key Usage Default
++policyset.serverCertSet.6.default.params.keyUsageCritical=true
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.7.constraint.name=No Constraint
++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.9.constraint.name=No Constraint
++policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
++policyset.serverCertSet.9.default.name=copy CN to SAN Default
+diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
+new file mode 100644
+index 0000000..f755243
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
+@@ -0,0 +1,86 @@
++desc=This certificate profile is for enrolling subsystem certificates with ECC keys using CMC.
++visible=false
++enable=true
++enableBy=admin
++auth.instance_id=CMCAuth
++authz.acl=group="Certificate Manager Agents"
++name=Subsystem Certificate Enrollment with ECC keys using CMC
++input.list=i1,i2
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=serverCertSet
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.serverCertSet.1.constraint.name=Subject Name Constraint
++policyset.serverCertSet.1.constraint.params.pattern=CN=.*
++policyset.serverCertSet.1.constraint.params.accept=true
++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.serverCertSet.1.default.name=Subject Name Default
++policyset.serverCertSet.1.default.params.name=
++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.serverCertSet.2.constraint.name=Validity Constraint
++policyset.serverCertSet.2.constraint.params.range=720
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
++policyset.serverCertSet.2.constraint.params.notAfterCheck=false
++policyset.serverCertSet.2.default.class_id=validityDefaultImpl
++policyset.serverCertSet.2.default.name=Validity Default
++policyset.serverCertSet.2.default.params.range=720
++policyset.serverCertSet.2.default.params.startTime=0
++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.serverCertSet.3.constraint.name=Key Constraint
++policyset.serverCertSet.3.constraint.params.keyType=EC
++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.serverCertSet.3.default.name=Key Default
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.4.constraint.name=No Constraint
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.serverCertSet.4.default.name=Authority Key Identifier Default
++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.5.constraint.name=No Constraint
++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.serverCertSet.5.default.name=AIA Extension Default
++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.serverCertSet.6.default.name=Key Usage Default
++policyset.serverCertSet.6.default.params.keyUsageCritical=true
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.7.constraint.name=No Constraint
++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+index 7ff1329..fe2a8b3 100644
+--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+@@ -30,8 +30,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
+ policyset.cmcUserCertSet.2.default.params.startTime=0
+ policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyType=-
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.cmcUserCertSet.3.default.name=Key Default
+ policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+@@ -53,7 +53,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -65,7
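Review bot: The new `keyParameters=1024,2048,3072,4096` line still admits 1024-bit RSA keys, so this profile drops SHA-1/MD5/MD2 signing in a later hunk yet keeps a modulus size that NIST SP 800-131A has disallowed for new certificates since 2014. Unless a deployment is known to still enroll 1024-bit keys, tighten it to `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096`; if 1024 must stay for compatibility, a one-line comment in the profile saying so would stop the next reviewer from asking again. The same list is carried into the caCMCserverCert and caCMCsubsystemCert hunks further down this patch.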
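Review bot: The added `keyUsageDataEncipherment=true` constraint line now requires dataEncipherment on an RSA user certificate that also asserts keyEncipherment. RFC 5280 section 4.2.1.3 defines dataEncipherment as encrypting raw user data directly with the public key, which neither TLS client authentication nor S/MIME (the two EKUs this profile carries, 1.3.6.1.5.5.7.3.2 and 1.3.6.1.5.5.7.3.4) does; keyEncipherment alone is the conventional bit for an RSA dual-use certificate. If this is deliberate alignment with the new ECC profiles in this patch, say so in the profile; otherwise leave the constraint and the matching default at `false`.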
+65,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true + policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true + policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false + policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false +@@ -80,7 +80,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false + policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 + policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.cmcUserCertSet.8.constraint.name=No Constraint +-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.cmcUserCertSet.8.default.name=Signing Alg + policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +index ed5a1b2..967d6ef 100644 +--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false + policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false + 
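Review bot: With SHA1withRSA removed from `signingAlgsAllowed`, the unchanged `signingAlg=-` default presumably still resolves to the CA's configured default signing algorithm, so on an upgraded CA whose default is still SHA1withRSA every request through this profile would now be rejected by the constraint rather than silently signed with SHA-256. The same edit is applied to the audit-signing, CA, KRA storage/transport, OCSP, server and subsystem CMC profiles in this patch, so please confirm that the upgrade path also moves the CA's default signing algorithm to a SHA-2 variant, or document the dependency in the release notes.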
policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.auditSigningCertSet.9.constraint.name=No Constraint +-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.auditSigningCertSet.9.default.name=Signing Alg + policyset.auditSigningCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +index 9c95182..49a356d 100644 +--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +@@ -78,7 +78,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default + policyset.caCertSet.8.default.params.critical=false + policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.caCertSet.9.constraint.name=No Constraint +-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.caCertSet.9.default.name=Signing Alg + policyset.caCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +index 259430b..bbe733a 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +@@ -80,7 +80,7 @@ 
policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false + policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.drmStorageCertSet.9.constraint.name=No Constraint +-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.drmStorageCertSet.9.default.name=Signing Alg + policyset.drmStorageCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +index ec54f9c..60b19bf 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false + policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.transportCertSet.8.constraint.name=No Constraint +-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.transportCertSet.8.default.name=Signing Alg + policyset.transportCertSet.8.default.params.signingAlg=- +diff --git 
a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
+index 8afbd46..cd60562 100644
+--- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
+@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+ policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+ policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.ocspCertSet.9.constraint.name=No Constraint
+-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.ocspCertSet.9.default.name=Signing Alg
+ policyset.ocspCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+index 8215d65..89bbbea 100644
+--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720
+ policyset.serverCertSet.2.default.params.startTime=0
+ policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.serverCertSet.3.constraint.name=Key Constraint
+-policyset.serverCertSet.3.constraint.params.keyType=-
+-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.serverCertSet.3.constraint.params.keyType=RSA
++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.serverCertSet.3.default.name=Key Default
+ policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
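Review bot: 1024-bit RSA remains acceptable for TLS server certificates on the new `keyParameters=1024,2048,3072,4096` line; the CA/Browser Forum Baseline Requirements have required at least 2048-bit RSA for server certificates for years and mainstream TLS clients reject smaller keys, so such a certificate would be issued but unusable in practice. Suggest `policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096`, which matches the SHA-2-only tightening of signingAlgsAllowed done later in this same file.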
+@@ -52,7 +52,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl + policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.serverCertSet.6.constraint.params.keyUsageCritical=true + policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +@@ -64,7 +64,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.serverCertSet.6.default.name=Key Usage Default + policyset.serverCertSet.6.default.params.keyUsageCritical=true + policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false + policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint +-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + 
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +index f473f98..4a922fc 100644 +--- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720 + policyset.serverCertSet.2.default.params.startTime=0 + policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl + policyset.serverCertSet.3.constraint.name=Key Constraint +-policyset.serverCertSet.3.constraint.params.keyType=- +-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.constraint.params.keyType=RSA ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 + policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl + policyset.serverCertSet.3.default.name=Key Default + policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false + policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint +-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- +diff --git 
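Review bot: As in the server profile above, `keyParameters=1024,2048,3072,4096` keeps 1024-bit RSA acceptable for subsystem certificates, which are the TLS identities the CA, KRA, OCSP, TKS and TPS present to each other. `policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096` would be consistent with the SHA-2-only signing constraint introduced in the hunk that follows; if 1024 is kept for an existing deployment, a comment in the profile explaining that would help.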
a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+index b447297..f12c7ed 100644
+--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+@@ -34,8 +34,8 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=-
+-policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+ policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
+new file mode 100644
+index 0000000..d57bae1
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
+@@ -0,0 +1,87 @@
++desc=This certificate profile is for enrolling Security Domain administrator's certificates with ECC keys using LDAP authentication against the internal LDAP database.
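Review bot: The new lines set `keyType=EC` but keep RSA modulus sizes, `keyParameters=1024,2048,3072,4096`, so the constraint contradicts itself: an EC request would be checked against values that are not curve names and an RSA request would fail the type check, which presumably leaves this profile unable to issue anything. The sibling caCMCUserCert, caCMCserverCert and caCMCsubsystemCert hunks in this patch pair the same size list with `keyType=RSA`, and the ECC variant of this profile already exists as caECDirUserCert.cfg, so this should read `policyset.userCertSet.3.constraint.params.keyType=RSA`. While here, consider dropping 1024 from the list for the same reason as in those profiles.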
++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=TokenAuth ++authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" ++name=Security Domain Administrator Certificate Enrollment with ECC keys ++input.list=i1,i2,i3 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++input.i3.class_id=subjectDNInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=adminCertSet ++policyset.adminCertSet.list=1,2,3,4,5,6,7,8 ++policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.adminCertSet.1.constraint.name=Subject Name Constraint ++policyset.adminCertSet.1.constraint.params.pattern=.* ++policyset.adminCertSet.1.constraint.params.accept=true ++policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.adminCertSet.1.default.name=Subject Name Default ++policyset.adminCertSet.1.default.params.name= ++policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.adminCertSet.2.constraint.name=Validity Constraint ++policyset.adminCertSet.2.constraint.params.range=365 ++policyset.adminCertSet.2.constraint.params.notBeforeCheck=false ++policyset.adminCertSet.2.constraint.params.notAfterCheck=false ++policyset.adminCertSet.2.default.class_id=validityDefaultImpl ++policyset.adminCertSet.2.default.name=Validity Default ++policyset.adminCertSet.2.default.params.range=365 ++policyset.adminCertSet.2.default.params.startTime=0 ++policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.adminCertSet.3.constraint.name=Key Constraint ++policyset.adminCertSet.3.constraint.params.keyType=- ++policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 ++policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl 
++policyset.adminCertSet.3.default.name=Key Default ++policyset.adminCertSet.4.constraint.class_id=noConstraintImpl ++policyset.adminCertSet.4.constraint.name=No Constraint ++policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.adminCertSet.4.default.name=Authority Key Identifier Default ++policyset.adminCertSet.5.constraint.class_id=noConstraintImpl ++policyset.adminCertSet.5.constraint.name=No Constraint ++policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.adminCertSet.5.default.name=AIA Extension Default ++policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.adminCertSet.5.default.params.authInfoAccessCritical=false ++policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.adminCertSet.6.constraint.params.keyUsageCritical=true ++policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl 
++policyset.adminCertSet.6.default.name=Key Usage Default ++policyset.adminCertSet.6.default.params.keyUsageCritical=true ++policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.adminCertSet.6.default.params.keyUsageCrlSign=false ++policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.adminCertSet.7.constraint.class_id=noConstraintImpl ++policyset.adminCertSet.7.constraint.name=No Constraint ++policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.adminCertSet.7.default.params.exKeyUsageCritical=false ++policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.adminCertSet.8.constraint.name=No Constraint ++policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.adminCertSet.8.default.name=Signing Alg ++policyset.adminCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg +new file mode 100644 +index 0000000..c56b6de +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg +@@ -0,0 +1,85 @@ ++desc=This certificate profile is for enrolling server certificates with ECC keys using agent authentication. 
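Review bot: The key constraint uses `keyType=-` with `keyParameters=nistp256,nistp384,nistp521` even though the description says the profile is for ECC keys; `-` presumably means any key type, so rejecting an RSA request relies on its modulus size not matching a curve name rather than on an explicit type check. If keyConstraintImpl is known to misbehave with `keyType=EC` (the caECDirUserCert hunk later in this patch moves from EC to `-`, which suggests so), a comment in the profile explaining that would keep someone from tightening it back blindly; otherwise `policyset.adminCertSet.3.constraint.params.keyType=EC` states the intent directly. Separately, `keyUsageDataEncipherment=true` is asserted for an EC key, and RFC 5480 section 3 says dataEncipherment and keyEncipherment MUST NOT be set for id-ecPublicKey, so `false` is the conformant value in both the constraint and the default.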
++visible=true ++enable=true ++enableBy=admin ++auth.instance_id=AgentCertAuth ++name=Agent-Authenticated Server Certificate Enrollment with ECC keys ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=serverCertSet ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.serverCertSet.1.constraint.name=Subject Name Constraint ++policyset.serverCertSet.1.constraint.params.pattern=CN=.* ++policyset.serverCertSet.1.constraint.params.accept=true ++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.serverCertSet.1.default.name=Subject Name Default ++policyset.serverCertSet.1.default.params.name= ++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.serverCertSet.2.constraint.name=Validity Constraint ++policyset.serverCertSet.2.constraint.params.range=365 ++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false ++policyset.serverCertSet.2.constraint.params.notAfterCheck=false ++policyset.serverCertSet.2.default.class_id=validityDefaultImpl ++policyset.serverCertSet.2.default.name=Validity Default ++policyset.serverCertSet.2.default.params.range=180 ++policyset.serverCertSet.2.default.params.startTime=0 ++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.serverCertSet.3.constraint.name=Key Constraint ++policyset.serverCertSet.3.constraint.params.keyType=- ++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.serverCertSet.3.default.name=Key Default ++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.4.constraint.name=No Constraint ++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl 
++policyset.serverCertSet.4.default.name=Authority Key Identifier Default ++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.5.constraint.name=No Constraint ++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.serverCertSet.5.default.name=AIA Extension Default ++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false ++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true ++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false ++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.serverCertSet.6.default.name=Key Usage Default ++policyset.serverCertSet.6.default.params.keyUsageCritical=true ++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false 
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.7.constraint.name=No Constraint ++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 ++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.serverCertSet.8.constraint.name=No Constraint ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.serverCertSet.8.default.name=Signing Alg ++policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg +new file mode 100644 +index 0000000..4143102 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg +@@ -0,0 +1,99 @@ ++desc=This certificate profile is for enrolling user ECC certificates with directory-pin-based authentication. 
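Review bot: `keyUsageDataEncipherment=true` is set in both the constraint and the default for a certificate whose key constraint only admits NIST P-curves. RFC 5480 section 3 states that for id-ecPublicKey the keyUsage bits keyEncipherment and dataEncipherment MUST NOT be present; an ECDSA TLS server certificate needs digitalSignature and, for static ECDH, keyAgreement, both of which the profile already sets. Change `policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false` and `policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false`; the same correction applies to caECAdminCert, caECDirPinUserCert and caECDirUserCert in this patch. The agent-approved `CN=.*` subject constraint and the serverAuth-only EKU otherwise look right.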
++visible=true ++enable=false ++enableBy=admin ++name=Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment ++auth.instance_id=PinDirEnrollment ++input.list=i1 ++input.i1.class_id=keyGenInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=userCertSet ++policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9 ++policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.userCertSet.1.constraint.name=Subject Name Constraint ++policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.* ++policyset.userCertSet.1.constraint.params.accept=true ++policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl ++policyset.userCertSet.1.default.name=Subject Name Default ++policyset.userCertSet.1.default.params.name= ++policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl ++policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint ++policyset.userCertSet.10.constraint.params.renewal.graceBefore=30 ++policyset.userCertSet.10.constraint.params.renewal.graceAfter=30 ++policyset.userCertSet.10.default.class_id=noDefaultImpl ++policyset.userCertSet.10.default.name=No Default ++policyset.userCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.userCertSet.2.constraint.name=Validity Constraint ++policyset.userCertSet.2.constraint.params.range=365 ++policyset.userCertSet.2.constraint.params.notBeforeCheck=false ++policyset.userCertSet.2.constraint.params.notAfterCheck=false ++policyset.userCertSet.2.default.class_id=validityDefaultImpl ++policyset.userCertSet.2.default.name=Validity Default ++policyset.userCertSet.2.default.params.range=180 ++policyset.userCertSet.2.default.params.startTime=0 ++policyset.userCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.userCertSet.3.constraint.name=Key Constraint ++policyset.userCertSet.3.constraint.params.keyType=- ++policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 
++policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.userCertSet.3.default.name=Key Default
++policyset.userCertSet.4.constraint.class_id=noConstraintImpl
++policyset.userCertSet.4.constraint.name=No Constraint
++policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.userCertSet.4.default.name=Authority Key Identifier Default
++policyset.userCertSet.5.constraint.class_id=noConstraintImpl
++policyset.userCertSet.5.constraint.name=No Constraint
++policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.userCertSet.5.default.name=AIA Extension Default
++policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.userCertSet.5.default.params.authInfoAccessCritical=false
++policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.userCertSet.6.constraint.params.keyUsageCritical=true
++policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.userCertSet.6.default.name=Key Usage Default
++policyset.userCertSet.6.default.params.keyUsageCritical=true
++policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.userCertSet.6.default.params.keyUsageCrlSign=false
++policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.userCertSet.7.constraint.class_id=noConstraintImpl
++policyset.userCertSet.7.constraint.name=No Constraint
++policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.userCertSet.7.default.params.exKeyUsageCritical=false
++policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.userCertSet.8.constraint.class_id=noConstraintImpl
++policyset.userCertSet.8.constraint.name=No Constraint
++policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
++policyset.userCertSet.8.default.name=Subject Alt Name Constraint
++policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
++policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
++policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
++policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
++policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
++policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
++policyset.userCertSet.9.constraint.name=No Constraint
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
++policyset.userCertSet.9.default.name=Signing Alg
++policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+index c692bcf..0663b40 100644
+--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+@@ -1,8 +1,8 @@
+-desc=This certificate profile is for enrolling user certificates with directory-based authentication.
++desc=This certificate profile is for enrolling user ECC certificates with directory-based authentication.
+ visible=true
+ enable=true
+ enableBy=admin
+-name=Directory-Authenticated User Dual-Use ECC Certificate Enrollment
++name=Directory-Authenticated User ECC Certificate Enrollment
+ auth.instance_id=UserDirEnrollment
+ input.list=i1
+ input.i1.class_id=keyGenInputImpl
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyType=-
+ policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+@@ -57,9 +57,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
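Review bot: The `@@ -34,7 +34,7 @@` hunk of caECDirUserCert.cfg relaxes the key constraint from `keyType=EC` to `keyType=-` in a profile whose desc and name now say ECC, while `keyParameters` still lists only `nistp256,nistp384,nistp521`. Whether a non-EC key is then rejected depends on how keyConstraintImpl matches `keyParameters` against the submitted key rather than on an explicit type pin; if EC-only is the intent, `policyset.userCertSet.3.constraint.params.keyType=EC` is the unambiguous setting and is what the new caECFullCMC*Cert.cfg profiles use. The same `keyType=-` with an EC-only curve list appears in the new caECInternalAuthServerCert.cfg and caECInternalAuthSubsystemCert.cfg sections further down. The key-usage flips in the later hunks of this section (KeyEncipherment off, KeyAgreement on) are consistent with an EC key.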
+-policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true +-policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false + policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false + policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false +@@ -69,9 +69,9 @@ policyset.userCertSet.6.default.name=Key Usage Default + policyset.userCertSet.6.default.params.keyUsageCritical=true + policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false +-policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true +-policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false + policyset.userCertSet.6.default.params.keyUsageCrlSign=false + policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false +@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint +-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg +index 1a51dc6..0a56caf 100644 +--- a/base/ca/shared/profiles/ca/caECDualCert.cfg ++++ b/base/ca/shared/profiles/ca/caECDualCert.cfg +@@ -1,6 +1,6 @@ + desc=This certificate profile is for enrolling dual user ECC certificates. It works only with Netscape 7.0 or later. + visible=false +-enable=true ++enable=false + enableBy=admin + name=Manual User Signing & Encryption ECC Certificates Enrollment + auth.class_id= +@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.encryptionCertSet.9.constraint.name=No Constraint +-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.encryptionCertSet.9.default.name=Signing Alg + policyset.encryptionCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +new file mode 100644 +index 0000000..816a1f8 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +@@ -0,0 +1,85 @@ ++desc=This certificate profile is for enrolling 
user certificates with ECC keys by using the self-signed CMC certificate request ++enable=true ++enableBy=admin ++name=Self-Signed CMC User Certificate Enrollment ++visible=false ++auth.instance_id=CMCUserSignedAuth ++input.list=i1,i2 ++input.i1.class_id=cmcCertReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint ++policyset.cmcUserCertSet.1.constraint.params.accept=true ++policyset.cmcUserCertSet.1.constraint.params.pattern=.* ++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl ++policyset.cmcUserCertSet.2.default.name=Validity Default ++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 ++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 ++policyset.cmcUserCertSet.3.constraint.params.keyType=EC ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint 
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.cmcUserCertSet.6.default.name=Key Usage Default ++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true 
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.7.constraint.name=No Constraint ++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false ++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.cmcUserCertSet.8.constraint.name=No Constraint ++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.cmcUserCertSet.8.default.name=Signing Alg ++policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +new file mode 100644 +index 0000000..0116053 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +@@ -0,0 +1,85 @@ ++desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication. 
++enable=true ++enableBy=admin ++name=Agent-Signed CMC-Authenticated User Certificate Enrollment ++visible=false ++auth.instance_id=CMCAuth ++input.list=i1,i2 ++input.i1.class_id=cmcCertReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint ++policyset.cmcUserCertSet.1.constraint.params.accept=true ++policyset.cmcUserCertSet.1.constraint.params.pattern=.* ++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl ++policyset.cmcUserCertSet.2.default.name=Validity Default ++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 ++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 ++policyset.cmcUserCertSet.3.constraint.params.keyType=EC ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint ++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl 
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.cmcUserCertSet.6.default.name=Key Usage Default ++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false 
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.7.constraint.name=No Constraint ++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false ++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.cmcUserCertSet.8.constraint.name=No Constraint ++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.cmcUserCertSet.8.default.name=Signing Alg ++policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +new file mode 100644 +index 0000000..a15aa53 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +@@ -0,0 +1,94 @@ ++desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication. 
++enable=true ++enableBy=admin ++name=User-Signed CMC-Authenticated User Certificate Enrollment ++visible=false ++auth.instance_id=CMCUserSignedAuth ++input.list=i1,i2 ++input.i1.class_id=cmcCertReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint ++policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl ++policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint ++policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true ++policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl ++policyset.cmcUserCertSet.9.default.name=No Default ++policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl ++policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint ++policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30 ++policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30 ++policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl ++policyset.cmcUserCertSet.10.default.name=No Default ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl ++policyset.cmcUserCertSet.2.default.name=Validity Default 
++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 ++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 ++policyset.cmcUserCertSet.3.constraint.params.keyType=EC ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint ++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false 
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.cmcUserCertSet.6.default.name=Key Usage Default ++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.7.constraint.name=No Constraint ++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false ++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.cmcUserCertSet.8.constraint.name=No Constraint 
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.cmcUserCertSet.8.default.name=Signing Alg ++policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +new file mode 100644 +index 0000000..4fc8a9c +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +@@ -0,0 +1,109 @@ ++desc=This certificate profile is for enrolling Security Domain ECC server certificates. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=TokenAuth ++authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" ++name=Security Domain Server Certificate Enrollment ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++input.i3.class_id=subjectAltNameExtInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=serverCertSet ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.serverCertSet.1.constraint.name=Subject Name Constraint ++policyset.serverCertSet.1.constraint.params.pattern=CN=.* ++policyset.serverCertSet.1.constraint.params.accept=true ++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.serverCertSet.1.default.name=Subject Name Default ++policyset.serverCertSet.1.default.params.name= ++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.serverCertSet.2.constraint.name=Validity Constraint ++policyset.serverCertSet.2.constraint.params.range=720 
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false ++policyset.serverCertSet.2.constraint.params.notAfterCheck=false ++policyset.serverCertSet.2.default.class_id=validityDefaultImpl ++policyset.serverCertSet.2.default.name=Validity Default ++policyset.serverCertSet.2.default.params.range=720 ++policyset.serverCertSet.2.default.params.startTime=0 ++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.serverCertSet.3.constraint.name=Key Constraint ++policyset.serverCertSet.3.constraint.params.keyType=- ++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.serverCertSet.3.default.name=Key Default ++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.4.constraint.name=No Constraint ++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.serverCertSet.4.default.name=Authority Key Identifier Default ++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.5.constraint.name=No Constraint ++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.serverCertSet.5.default.name=AIA Extension Default ++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false ++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true 
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false ++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false ++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.serverCertSet.6.default.name=Key Usage Default ++policyset.serverCertSet.6.default.params.keyUsageCritical=true ++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false ++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false ++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true ++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.7.constraint.name=No Constraint ++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
++# allows SAN to be specified from client side
++# need to:
++# 1. add i3 to input.list above
++# 2. add 9 to policyset.serverCertSet.list above
++# 3. change below to reflect the number of general names, and
++# turn each corresponding subjAltExtPattern_ to true
++# policyset.serverCertSet.9.default.params.subjAltNameNumGNs
++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.9.constraint.name=No Constraint
++policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
++policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
++policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
++policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
++policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
++policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false
++policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
++policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
++policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false
++policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
++policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
++policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
++policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
+diff --git a/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
+new file mode 100644
+index 0000000..551cb68
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
+@@ -0,0 +1,88 @@
++desc=This certificate profile is for enrolling Security Domain subsystem certificates with ECC keys.
++visible=false
++enable=true
++enableBy=admin
++auth.instance_id=TokenAuth
++authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
++name=Security Domain Subsystem Certificate Enrollment
++input.list=i1,i2
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++updater.list=u1
++updater.u1.class_id=subsystemGroupUpdaterImpl
++policyset.list=serverCertSet
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.serverCertSet.1.constraint.name=Subject Name Constraint
++policyset.serverCertSet.1.constraint.params.pattern=CN=.*
++policyset.serverCertSet.1.constraint.params.accept=true
++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.serverCertSet.1.default.name=Subject Name Default
++policyset.serverCertSet.1.default.params.name=
++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.serverCertSet.2.constraint.name=Validity Constraint
++policyset.serverCertSet.2.constraint.params.range=720
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
++policyset.serverCertSet.2.constraint.params.notAfterCheck=false
++policyset.serverCertSet.2.default.class_id=validityDefaultImpl
++policyset.serverCertSet.2.default.name=Validity Default
++policyset.serverCertSet.2.default.params.range=720
++policyset.serverCertSet.2.default.params.startTime=0
++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.serverCertSet.3.constraint.name=Key Constraint
++policyset.serverCertSet.3.constraint.params.keyType=-
++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.serverCertSet.3.default.name=Key Default
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.4.constraint.name=No Constraint
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.serverCertSet.4.default.name=Authority Key Identifier Default
++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.5.constraint.name=No Constraint
++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.serverCertSet.5.default.name=AIA Extension Default
++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.serverCertSet.6.default.name=Key Usage Default
++policyset.serverCertSet.6.default.params.keyUsageCritical=true
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.7.constraint.name=No Constraint
++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git
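Review bot: `policyset.serverCertSet.3.constraint.params.keyType=-` leaves the key-type constraint open in a profile whose `desc`, `name` and `keyParameters=nistp256,nistp384,nistp521` are all ECC-specific, while the new caECSimpleCMCUserCert.cfg in this same patch pins `keyType=EC`. Setting `policyset.serverCertSet.3.constraint.params.keyType=EC` here, and on the identical line in the new caECServerCert.cfg and caECSubsystemCert.cfg, states the restriction explicitly instead of relying on a curve-only parameter list to reject other key types; how keyConstraintImpl treats `-` together with a curve-only list is not visible in this patch, so confirm that before changing it. The profile is also titled `name=Security Domain Subsystem Certificate Enrollment` with no mention of ECC, unlike `name=Manual Server Certificate Enrollment with ECC keys` in caECServerCert.cfg, so the RSA and ECC Security Domain profiles are presumably indistinguishable by name in listings; `name=Security Domain Subsystem Certificate Enrollment with ECC keys` would match the other new profiles.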
a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg
+new file mode 100644
+index 0000000..0ae4371
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECServerCert.cfg
+@@ -0,0 +1,85 @@
++desc=This certificate profile is for enrolling server certificates with ECC keys.
++visible=true
++enable=true
++enableBy=admin
++auth.class_id=
++name=Manual Server Certificate Enrollment with ECC keys
++input.list=i1,i2
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=serverCertSet
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.serverCertSet.1.constraint.name=Subject Name Constraint
++policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
++policyset.serverCertSet.1.constraint.params.accept=true
++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.serverCertSet.1.default.name=Subject Name Default
++policyset.serverCertSet.1.default.params.name=
++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.serverCertSet.2.constraint.name=Validity Constraint
++policyset.serverCertSet.2.constraint.params.range=720
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
++policyset.serverCertSet.2.constraint.params.notAfterCheck=false
++policyset.serverCertSet.2.default.class_id=validityDefaultImpl
++policyset.serverCertSet.2.default.name=Validity Default
++policyset.serverCertSet.2.default.params.range=720
++policyset.serverCertSet.2.default.params.startTime=0
++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.serverCertSet.3.constraint.name=Key Constraint
++policyset.serverCertSet.3.constraint.params.keyType=-
++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.serverCertSet.3.default.name=Key Default
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.4.constraint.name=No Constraint
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.serverCertSet.4.default.name=Authority Key Identifier Default
++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.5.constraint.name=No Constraint
++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.serverCertSet.5.default.name=AIA Extension Default
++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.serverCertSet.6.default.name=Key Usage Default
++policyset.serverCertSet.6.default.params.keyUsageCritical=true
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.7.constraint.name=No Constraint
++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+new file mode 100644
+index 0000000..14d610c
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+@@ -0,0 +1,84 @@
++desc=This certificate profile is for enrolling user certificates by using the CMC
certificate request with CMC Signature authentication.
++enable=true
++enableBy=admin
++name=Simple CMC Enrollment Request for User Certificate
++visible=false
++auth.instance_id=
++input.list=i1
++input.i1.class_id=certReqInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
++policyset.cmcUserCertSet.1.constraint.params.accept=true
++policyset.cmcUserCertSet.1.constraint.params.pattern=.*
++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=EC
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECSubsystemCert.cfg b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg
+new file mode 100644
+index 0000000..89f342a
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg
+@@ -0,0 +1,85 @@
++desc=This certificate profile is for enrolling subsystem certificates with ECC keys.
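Review bot: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521` in caECSimpleCMCUserCert.cfg omits nistp384, while the other new ECC profiles in this patch (caECInternalAuthSubsystemCert.cfg, caECServerCert.cfg, caECSubsystemCert.cfg) accept `nistp256,nistp384,nistp521`. If the narrower list is not deliberate, align it to `policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521`; if it is deliberate, a `#` comment above the line saying why would stop the next reader from "fixing" it. The `desc` line advertises CMC Signature authentication but `auth.instance_id=` is left empty, which presumably means authentication happens in the CMC processing path rather than through a profile authenticator; confirm that and, if so, record it in a one-line comment next to `auth.instance_id=`.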
++visible=true
++enable=true
++enableBy=admin
++auth.class_id=
++name=Manual Subsystem Certificate Enrollment with ECC keys
++input.list=i1,i2
++input.i1.class_id=certReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=serverCertSet
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.serverCertSet.1.constraint.name=Subject Name Constraint
++policyset.serverCertSet.1.constraint.params.pattern=CN=.*
++policyset.serverCertSet.1.constraint.params.accept=true
++policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.serverCertSet.1.default.name=Subject Name Default
++policyset.serverCertSet.1.default.params.name=
++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.serverCertSet.2.constraint.name=Validity Constraint
++policyset.serverCertSet.2.constraint.params.range=720
++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
++policyset.serverCertSet.2.constraint.params.notAfterCheck=false
++policyset.serverCertSet.2.default.class_id=validityDefaultImpl
++policyset.serverCertSet.2.default.name=Validity Default
++policyset.serverCertSet.2.default.params.range=720
++policyset.serverCertSet.2.default.params.startTime=0
++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.serverCertSet.3.constraint.name=Key Constraint
++policyset.serverCertSet.3.constraint.params.keyType=-
++policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.serverCertSet.3.default.name=Key Default
++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.4.constraint.name=No Constraint
++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.serverCertSet.4.default.name=Authority Key
Identifier Default
++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.5.constraint.name=No Constraint
++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.serverCertSet.5.default.name=AIA Extension Default
++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.serverCertSet.6.default.name=Key Usage Default
++policyset.serverCertSet.6.default.params.keyUsageCritical=true
++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.7.constraint.name=No Constraint
++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.serverCertSet.8.constraint.name=No Constraint
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.serverCertSet.8.default.name=Signing Alg
++policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
+index 383af01..a6bf04a 100644
+--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
+@@ -59,9 +59,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+-policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+-policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+ policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+ policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -71,9 +71,9 @@ policyset.userCertSet.6.default.name=Key Usage Default
+ policyset.userCertSet.6.default.params.keyUsageCritical=true
+ policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+-policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+-policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+ policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+ policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caEncECUserCert.cfg b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
+index 9faa4a5..8b1c1fb 100644
+--- a/base/ca/shared/profiles/ca/caEncECUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
+@@ -1,6 +1,6 @@
+ desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
+ visible=false
+-enable=true
++enable=false
+ enableBy=admin
+ name=Manual User Encryption ECC Certificates Enrollment
+ auth.class_id=
+@@ -87,7 +87,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.encryptionCertSet.9.constraint.name=No Constraint
+-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.encryptionCertSet.9.default.name=Signing Alg
+ policyset.encryptionCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+index db3fbd6..1a7c22d 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+@@ -29,8 +29,8 @@
policyset.cmcUserCertSet.2.default.params.range=180
+ policyset.cmcUserCertSet.2.default.params.startTime=0
+ policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+-policyset.cmcUserCertSet.3.constraint.params.keyType=-
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+ policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.cmcUserCertSet.3.default.name=Key Default
+ policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.cmcUserCertSet.8.default.name=Signing Alg
+ policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+index 90cb424..b06f35d 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+@@ -29,8 +29,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
+ policyset.cmcUserCertSet.2.default.params.startTime=0
+ 
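Review bot: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` in caFullCMCSelfSignedCert.cfg still admits 1024-bit RSA keys, in the same change that removes SHA1, MD5 and MD2 from `signingAlgsAllowed` for this profile; the key-size floor is now the weaker of the two constraints. Unless 1024 is kept deliberately for existing clients, tighten it to `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096`, and if it is deliberate, say so in a `#` comment above the line so it is not read as an oversight. The same list is written by the corresponding hunks of caFullCMCUserCert.cfg and caFullCMCUserSignedCert.cfg, and as `policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` in caInternalAuthServerCert.cfg and caInternalAuthSubsystemCert.cfg.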
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+-policyset.cmcUserCertSet.3.constraint.params.keyType=-
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+ policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.cmcUserCertSet.3.default.name=Key Default
+ policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.cmcUserCertSet.8.default.name=Signing Alg
+ policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+index 7bfad9c..0c2b97b 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+@@ -38,8 +38,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
+ policyset.cmcUserCertSet.2.default.params.startTime=0
+ policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+-policyset.cmcUserCertSet.3.constraint.params.keyType=-
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+ policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.cmcUserCertSet.3.default.name=Key Default
+ policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+@@ -88,7 +88,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.cmcUserCertSet.8.default.name=Signing Alg
+ policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+index 5d4fbee..dd10f6f 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+@@ -31,8 +31,8 @@ policyset.serverCertSet.2.default.params.range=720
+ policyset.serverCertSet.2.default.params.startTime=0
+ policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.serverCertSet.3.constraint.name=Key Constraint
+-policyset.serverCertSet.3.constraint.params.keyType=-
+-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.serverCertSet.3.constraint.params.keyType=RSA
++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.serverCertSet.3.default.name=Key Default
+ policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+@@ -53,7 +53,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+@@ -65,7 +65,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.serverCertSet.6.default.name=Key Usage Default
+ policyset.serverCertSet.6.default.params.keyUsageCritical=true
+ policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ 
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
+index 3a8c202..7b3d34c 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
+@@ -32,8 +32,8 @@ policyset.serverCertSet.2.default.params.range=720
+ policyset.serverCertSet.2.default.params.startTime=0
+ policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.serverCertSet.3.constraint.name=Key Constraint
+-policyset.serverCertSet.3.constraint.params.keyType=-
+-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.serverCertSet.3.constraint.params.keyType=RSA
++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.serverCertSet.3.default.name=Key Default
+ policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+@@ -54,7 +54,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+@@ -66,7 +66,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.serverCertSet.6.default.name=Key Usage Default
+ policyset.serverCertSet.6.default.params.keyUsageCritical=true
+ policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+@@ -82,7 +82,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caOCSPCert.cfg b/base/ca/shared/profiles/ca/caOCSPCert.cfg
+index 0a855b9..a1dedd3 100644
+---
a/base/ca/shared/profiles/ca/caOCSPCert.cfg ++++ b/base/ca/shared/profiles/ca/caOCSPCert.cfg +@@ -64,7 +64,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension + policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false + policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.ocspCertSet.9.constraint.name=No Constraint +-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.ocspCertSet.9.default.name=Signing Alg + policyset.ocspCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg +index 997a056..2f44c96 100644 +--- a/base/ca/shared/profiles/ca/caServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caServerCert.cfg +@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720 + policyset.serverCertSet.2.default.params.startTime=0 + policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl + policyset.serverCertSet.3.constraint.name=Key Constraint +-policyset.serverCertSet.3.constraint.params.keyType=- +-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.constraint.params.keyType=RSA ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 + policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl + policyset.serverCertSet.3.default.name=Key Default + policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl + policyset.serverCertSet.6.constraint.name=Key Usage 
Extension Constraint + policyset.serverCertSet.6.constraint.params.keyUsageCritical=true + policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.serverCertSet.6.default.name=Key Usage Default + policyset.serverCertSet.6.default.params.keyUsageCritical=true + policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false + policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint +-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + 
policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg +index b410504..39a7c36 100644 +--- a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg +@@ -1,6 +1,6 @@ + desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox. + visible=false +-enable=true ++enable=false + enableBy=admin + name=Manual User Signing ECC Certificate Enrollment + auth.class_id= +@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.signingCertSet.9.constraint.name=No Constraint +-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.signingCertSet.9.default.name=Signing Alg + policyset.signingCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +index 34015e2..a9c2b0c 100644 +--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +@@ -28,8 +28,8 @@ policyset.cmcUserCertSet.2.default.params.range=180 + policyset.cmcUserCertSet.2.default.params.startTime=0 + policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl + policyset.cmcUserCertSet.3.constraint.name=Key Constraint 
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 +-policyset.cmcUserCertSet.3.constraint.params.keyType=- ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA + policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl + policyset.cmcUserCertSet.3.default.name=Key Default + policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl +@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl + policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false +@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true + policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false +@@ -78,7 +78,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false + policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 + 
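Review bot: The `@@ -50` and `@@ -62` hunks flip `keyUsageDataEncipherment` to `true` on both the constraint and the default, so every certificate issued by caSimpleCMCUserCert now carries dataEncipherment alongside digitalSignature and the clientAuth/emailProtection EKUs, i.e. a single dual-use signing-plus-encryption key. Separate keys for signing and encryption are the usual recommendation, and the CMCRequest man page later in this series treats encryption-only enrollment as its own path, so if the goal is only to stop rejecting requests that ask for dataEncipherment a don't-care constraint would be less intrusive, e.g. `policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=-` with the default left at `false` — assuming keyUsageExtConstraintImpl accepts `-` as unspecified the way `keyType=-` did. Either way the reason for the change deserves a sentence in the commit message, which currently does not mention it.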
policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.cmcUserCertSet.8.constraint.name=No Constraint +-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.cmcUserCertSet.8.default.name=Signing Alg + policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caSubsystemCert.cfg b/base/ca/shared/profiles/ca/caSubsystemCert.cfg +index 63fd3a6..12e1629 100644 +--- a/base/ca/shared/profiles/ca/caSubsystemCert.cfg ++++ b/base/ca/shared/profiles/ca/caSubsystemCert.cfg +@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720 + policyset.serverCertSet.2.default.params.startTime=0 + policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl + policyset.serverCertSet.3.constraint.name=Key Constraint +-policyset.serverCertSet.3.constraint.params.keyType=- +-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 ++policyset.serverCertSet.3.constraint.params.keyType=RSA ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 + policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl + policyset.serverCertSet.3.default.name=Key Default + policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl + policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.serverCertSet.6.constraint.params.keyUsageCritical=true + policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true 
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.serverCertSet.6.default.name=Key Usage Default + policyset.serverCertSet.6.default.params.keyUsageCritical=true + policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false + policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true + policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false + policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint +-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg +index 917c589..1f62bb8 100644 +--- 
a/base/ca/shared/profiles/ca/caUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caUserCert.cfg
+@@ -36,8 +36,8 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=-
+-policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
++policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+ policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+--
+1.8.3.1
+
+
+From f87c7525632f33ad9f351f8db0acb8ccc98ce7ec Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Subject: [PATCH 11/20] Permit additional FIPS ciphers to be enabled by default
+ for RSA . . .
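Review bot: The `keyType=EC` / `keyParameters=1024,2048,3072,4096` pair written here for caUserCert.cfg is internally inconsistent: keyParameters keeps the RSA modulus sizes while the curve names (nistp256,nistp384,nistp521) the removed line carried are dropped, so if keyConstraintImpl matches EC keys against the curve names in keyParameters — which the old value suggests — this profile now rejects EC requests (no curve listed) and RSA requests (keyType mismatch) alike, leaving the default user enrollment profile unusable. Every other profile in this patch pairs these sizes with `keyType=RSA`, so this is most likely a typo; either `policyset.userCertSet.3.constraint.params.keyType=RSA` with `keyParameters=2048,3072,4096`, or `keyType=EC` with `keyParameters=nistp256,nistp384,nistp521`. A quick enrollment of one RSA and one EC key through caUserCert before merging would confirm which was meant.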
+ +It was determined that the following additional FIPS ciphers should be +enabled by default for RSA: + + * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + +Reference: dogtagpki Pagure Issue #2855 - restrict default cipher suite to + those ciphers permitted in fips mode + +Fixes: https://pagure.io/dogtagpki/issue/2952 +Change-Id: I0947e8581beb3140e4c07800dd2c6bc9d90a6cd8 +(cherry picked from commit 7809f40bcd49ad11f0a314cd45979cfdcb55686f) +--- + base/server/python/pki/server/deployment/pkiparser.py | 8 ++++---- + base/server/share/conf/ciphers.info | 6 +++++- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index b64e99b..53296fc 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1165,8 +1165,8 @@ class PKIConfigParser: + "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ +@@ -1178,9 +1178,9 @@ class PKIConfigParser: + "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ + 
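Review bot: The two suites this hunk switches from `-` to `+`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, are CBC/HMAC-SHA-1 suites: FIPS-approved, but the weakest of the ECDHE_RSA family the patch enables (the SHA-256 and GCM variants follow in the next hunk) and the ones exposed to padding-oracle attacks such as Lucky13 unless the NSS build is constant-time, which cannot be confirmed from here. With the next hunk still leaving `-TLS_RSA_WITH_AES_128_GCM_SHA256` disabled while `+TLS_RSA_WITH_AES_128_CBC_SHA` stays on, the enabled set contains static-RSA CBC suites (no forward secrecy) but excludes the AEAD static-RSA suite, which is the reverse of a hardening default; consider enabling the GCM suite and recording the ordering rationale above the list, e.g. `# FIPS default: prefer ECDHE + AEAD; CBC-SHA1 suites kept only for legacy clients (pagure #2952)`. The `sslRangeCiphers` sample in ciphers.info mirrors this string and must be kept in lock-step whenever it changes. The string-concatenation statement inside PKIConfigParser that these lines belong to starts before and ends after the hunk.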
"+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index b3e74d3..44c6e4b 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -98,6 +98,10 @@ + # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++# +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++# +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ++# +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + # +TLS_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_RSA_WITH_AES_128_CBC_SHA, +@@ -119,7 +123,7 @@ + # + ## + # For RSA servers: +- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" + # + # + # For ECC servers: +-- +1.8.3.1 + + +From 2ba512b4bc7fddc8c279733dd35c8105dd134224 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 26 Feb 2018 13:16:01 -0800 +Subject: [PATCH 12/20] Ticket #2940 [MAN] Missing Man pages for tools + CMCRequest, CMCResponse, CMCSharedToken, and CMCRevoke + +This patch adds man pages for CMCRequest, CMCResponse, and CMCSharedToken. +In addition, the usage in CMCResponse has been enhanced to include a +verbose mode which will output certs in Base64 encoding individually. +A "note" has been added to CMCRevoke --help to direct users to CMCRequest +for better usability. The man page for CMCRevoke is intentionaly left out +for this reason. + +The URL in CMCRequest.1 is a placeholder for the follow-up patch. It will +be replaced once the examples are complete. 
+ +This patch addresses https://pagure.io/dogtagpki/issue/2940 + +Change-Id: Id1df31a29207a0d12d50b7a3b959a3abcd9748d0 +(cherry picked from commit 1597b5bc09b39f7ee248e9f7ef5da55c8846a1c0) +(cherry picked from commit 08ac412c0a724b88817038e89563f928cc522357) +--- + base/java-tools/man/man1/CMCEnroll.1 | 3 + + base/java-tools/man/man1/CMCRequest.1 | 188 +++++++++++++++++++++ + base/java-tools/man/man1/CMCResponse.1 | 63 +++++++ + base/java-tools/man/man1/CMCSharedToken.1 | 79 +++++++++ + .../src/com/netscape/cmstools/CMCResponse.java | 25 ++- + .../src/com/netscape/cmstools/CMCRevoke.java | 1 + + 6 files changed, 356 insertions(+), 3 deletions(-) + create mode 100644 base/java-tools/man/man1/CMCRequest.1 + create mode 100644 base/java-tools/man/man1/CMCResponse.1 + create mode 100644 base/java-tools/man/man1/CMCSharedToken.1 + +diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1 +index 4cc861f..9700307 100644 +--- a/base/java-tools/man/man1/CMCEnroll.1 ++++ b/base/java-tools/man/man1/CMCEnroll.1 +@@ -16,6 +16,9 @@ + .\" for man page specific macros, see man(7) + .SH NAME + CMCEnroll \- Used to sign a certificate request with an agent's certificate. ++.PP ++\fBNote:\fP ++This tool has not yet been updated to work with the latest improvement in the CA to conform to RFC 5272. Please use \fBCMCRequest\fP instead. + + .SH SYNOPSIS + .PP +diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1 +new file mode 100644 +index 0000000..f647ef7 +--- /dev/null ++++ b/base/java-tools/man/man1/CMCRequest.1 +@@ -0,0 +1,188 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH CMCRequest 1 "March 14, 2018" "version 10.5" "PKI CMC Request Generation Tool" Dogtag Team ++.\" Please adjust this date whenever revising the man page. 
++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++CMCRequest \- Used to generate a CMC certificate issuance or revocation request. ++ ++.SH SYNOPSIS ++.PP ++\fBCMCRequest \fP ++ ++.SH DESCRIPTION ++.PP ++The Certificate Management over Cryptographic Message Syntax (CMC) Request Generation utility, \fBCMCRequest\fP, provides a command-line utility used to generate a CMC certificate issuance or revocation request. For issuance request, it requires either a PKCS#10 or CRMF request as input. The resulting CMC request can be sent to the CA via tool such as \fBHttpClient\fP. ++.PP ++\fBCMCRequest\fP takes a configuration file where various configuration parametrs are supported. ++ ++.SH CONFIGURATION PARAMETERS ++.PP ++The following are supported configuration parameters for the configuration file. Each parameter is in the format of = (e.g. format=pkcs10). ++.PP ++.TP ++.B numRequests ++Total number of PKCS10 or CRMF requests. (note: lately the CA has only been tested to work with one) ++ ++.TP ++.B input ++full path for PKCS #10 or CRMF certificate request in PEM. ++ ++For example if \fBPKCS10Client\fP or \fBCRMFPopClient\fP are used to generate the PKCS#10 or CRMF requests respectively, this value should be the value of the \fB"-o"\fP option of those command line tools. ++ ++.TP ++.B format ++request format. Either \fBpkcs10\fP or \fBcrmf\fP. ++ ++.TP ++.B output ++full path for the resulting CMC request in ASN.1 DER encoded format. ++ ++Note that this would be the \fBinput\fP in the \fBHttpClient\fP configuration file if it is used to submit the CMC request. 
++ ++.TP ++.B dbdir ++directory for NSS database: cert8.db, key3.db and secmod.db ++ ++.TP ++.B tokenname ++name of crypto token where user signing certificate key can be found (default is internal) ++ ++.TP ++.B nickname ++The nickname of the user certificate that corresponds to the private key that is used to sign the request. ++ ++This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true. ++ ++.TP ++.B password ++password to the crypto token where the signing user's certificate and keys are stored. ++ ++.TP ++.B identification[.enable] ++RFC 5272 allows the CA to require inclusion of the \fBidentification\fP control to accompany the \fBidentityProofV2\fP control in a CMC request. ++ ++In Dogtag, CA employs the \fBidentification\fP control to assist in locating the shared secret required for verification of the shared secret computed in the \fBidentityProofV2\fP. ++ ++In addition, the \fBidentification\fP control is also required for \fBpopLinkWitnessV2\fP for locating the shared secret. ++ ++When \fBidentification.eanble\fP is true, \fBidentification\fP should contain a user id known by the CA. ++ ++.TP ++.B witness.sharedSecret ++The \fBwitness.sharedSecret\fP should contain a passphrase that is known by the CA. One usually obtains it from the CA administrator. ++ ++This parameter is required by the following options: \fBidentityProofV2\fP, and \fBpopLinkWitnessV2\fP. ++ ++See man pages for \fBCMCSharedToken\fP for information on usage. ++ ++.TP ++.B identityProofV2.[enable, hashAlg, macAlg] ++Identity Proof V2 allows one to provide proof of identity without a signing certificate. It does so by embedding a "witness" value that's calculated from a shared secret (see \fBwitness.sharedSecret\fP) known by the CA. ++ ++The \fBidentityProofV2\fP parameter set allows a user to specify the hashing algorithm as well as MAC (Message Authentication Code) algorithm used to compute the value of the witness value. 
++ ++Supported \fBidentityProofV2.hashAlg\fP are: \fBSHA-256, SHA-384, and SHA-512\fP ++ ++Supported \fBidentityProofV2.macAlg\fP are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP ++ ++When \fBidentityProofV2.eanble\fP is true, these parameters must be accompanied by the \fBidentification\fP as well as the \fBwitness.sharedSecret\fP parameters. ++ ++These parameters could be accompanied by the \fBpopLinkWitnessV2\fP parameter set if required by the CA. ++ ++.TP ++.B popLinkWitnessV2.[enable, keyGenAlg, macAlg] ++The POPLinkWitnessV2 control is a mechanim that links the POP (Proof of Possession) to the identity, which adds more credibility to the otherwise distinct POP and Proof of Identity mechanisms. It does so by employing calculation of a random value with a shared secret (see \fBwitness.sharedSecret\fP) known by the CA. ++ ++The POP Link Witness V2 value must be baked into the PKCS#10 or CRMF requests. It is therefore crutial that the caller that employs this option has access to the private key of the certificate request. ++ ++If \fBpopLinkWitnessV2\fP is used, then \fBidentification\fP and \fBwitness.sharedSecret\fP must be supplied, and the \fBidentityProofV2\fP parameter set is in general used. ++ ++Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP ++ ++Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP ++ ++.TP ++.B request.selfSign ++\fBtrue\fP or \fBfalse\fP. If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored. ++ ++\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means. 
++ ++In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism. ++ ++The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation. ++ ++By default, if unspecified, \fBselfSign\fP is false. ++ ++\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option) ++ ++If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified. ++It is crutial that the caller that employs this option has access to the private key of the certificate request. ++ ++.TP ++.B request.privKeyId ++The \fBrequest.privKeyId\fP parameter is required in the following cases: ++ ++\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP ++ ++.TP ++.B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile ++In case when the enrolling key is an encryption-only key, the traditional POP (Proof of Possession) that employs signing of the request is not possible, CMC provides the EncryptedPOP/DecryptedPOP mechanism to allow the CA to challenge the client. This mechanism requires two trips. 
Frist trip (a CMC request without POP) would trigger the CA to generate a challenge and encrypt the challenge with the request public key in the certificate response (one should find the EncryptedPOP control as well as status with "failedInfo=POP required" in the CMCResponse); while second trip from the client would contain proof that the client has decrypted the challenge and thereby proving ownership of the private key to the enrollment request. ++When preparing for the second trip, the following parameters must be present: ++ ++\fBdecryptedPop.enable\fP - set to true; default is false; ++ ++\fBencryptedPopResponseFile\fP - the input file that contains the CMCResponse from first trip; It should contains the CMC EncryptedPop control. ++ ++\fBdecryptedPopRequestFile\fP - the output file for the CMC request which should contain the CMC DecryptedPOP control. ++ ++\fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key. ++ ++Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing. ++ ++.TP ++.B revRequest.[enable, serial, reason, comment, issuer, sharedSecret] ++Revocation can be done either by signing with user's own valid signing certificate, or by authenticating with user's shared secret (see \fBwitness.sharedSecret\fP) known by the CA. ++ ++For revocation request signed with user's own valid signing certificate, the \fBnicname\fP parameter should be a valid user signing certificate that belongs to the same user subject as that of the certificate to be revoked (but not necessarily the same certificate); Also, \fBrevRequest.issuer\fP and \fBrevRequest.sharedSecret\fP are ignored, while \fBrevRequest.serial\fP and \fBrevRequest.reason\fP must contain valid values. 
++ ++For revocation by authenticating with user's shared secret, the following parameters are required: \fBrevRequest.serial\fP, \fBrevRequest.reason\fP, \fBrevRequest.issuer\fP, \fBrevRequest.sharedSecret\fP, while \fBnickname\fP will be ignored. ++ ++\fBrevRequest.reason\fP can have one of the following values: \fBunspecified\fP, \fBkeyCompromise\fP, \fBcaCompromise\fP, \fBaffiliationChanged\fP, \fBsuperseded\fP, \fBcessationOfOperation\fP, \fBcertificateHold\fP, \fBremoveFromCRL\fP. ++ ++\fBrevRequest.serial\fP is in Decimal. ++ ++\fBrevRequest.issuer\fP is issuer subject DN. ++ ++\fBrevRequest.invalidityDatePresent\fP is optional. \fBtrue\fP or \fBfalse\fP. When true, the invalidityDate of the RevokeRequest will be set to the current time when this tool is being run. ++ ++\fBrevRequest.comment\fP is optional. ++ ++.SH EXAMPLES ++.PP ++CMC requests must be submitted to the CA to be processed. Tool supported by Dogtag for submitting these requests is \fBHttpClient\fP. ++.PP ++\fBNote:\fP For examples on how to use this tool, please see ++http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples. ++ ++.SH AUTHORS ++Christina Fu . ++ ++.SH COPYRIGHT ++Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. 
++ ++.SH SEE ALSO ++.BR CMCResponse(1), CMCSharedToken(1), CMCRevoke(1), pki(1) +diff --git a/base/java-tools/man/man1/CMCResponse.1 b/base/java-tools/man/man1/CMCResponse.1 +new file mode 100644 +index 0000000..3d5703e +--- /dev/null ++++ b/base/java-tools/man/man1/CMCResponse.1 +@@ -0,0 +1,63 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH CMCResponse 1 "March 14, 2018" "version 10.5" "PKI CMC Response Parsing Tool" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++CMCResponse \- Used to parse CMC responses returned from CMC issuance or revocation requests. ++ ++.SH SYNOPSIS ++.PP ++\fBCMCResponse [OPTIONS]\fP ++ ++.SH DESCRIPTION ++.PP ++The Certificate Management over Cryptographic Message Syntax (CMC) Response parsing utility, \fBCMCResponse\fP, provides a command-line utility used to parse and present CMC responses from CMC issuance or revocation requests. ++.PP ++It takes the CMC response returned from the CA as input, parses, and shows the content of the response along with CMC status in a human-readable format. In addition, it can optionally output the response in PKCS#7 PEM format for further processing by other tools. ++ ++.SH OPTIONS ++.PP ++The following are supported options. ++.PP ++.TP ++.B -d ++Path of directory to the NSS database. This option is required. ++ ++.TP ++.B -i ++Name of file (could include path) for the CMC issuance or revocation response. This option is required. 
++ ++.TP ++.B -o ++Name of file (could include path) to store the certificate chain in PKCS#7 PEM. This is optional. ++ ++.TP ++.B -v ++If specified, will run in verbose mode, which would entail all certs in the chain being displayed individually in Base64 encoding format. It is false by default. ++ ++.SH EXAMPLE ++.PP ++CMCResponse -d . -i cmc.role_p10-ec3.resp -o cmc.role_p10-ec3.resp.PEM ++ ++.SH AUTHORS ++Christina Fu . ++ ++.SH COPYRIGHT ++Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. ++ ++.SH SEE ALSO ++.BR CMCRequest(1) +diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1 +new file mode 100644 +index 0000000..e4a26f0 +--- /dev/null ++++ b/base/java-tools/man/man1/CMCSharedToken.1 +@@ -0,0 +1,79 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH CMCSharedToken 1 "March 14, 2018" "version 10.5" "PKI CMC Shared Secret Generation Tool" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++CMCSharedToken \- Used to process a user passphrase and create shared token to be stored by the CA to allow Shared Secret-based proof of origin in cases such as CMC certificate issuance and revocation. 
++ ++.SH SYNOPSIS ++.PP ++\fBCMCSharedToken [OPTIONS]\fP ++ ++.SH DESCRIPTION ++.PP ++The Certificate Management over Cryptographic Message Syntax (CMC) shared secret generation tool, \fBCMCSharedToken\fP, provides a command-line utility used to process a user passphrase to be shared with the CA. ++.PP ++It takes a passphrase provided by the user, encrypts it with an issuance protection certificate, and outputs the encrypted blob which could be stored on the CA for subsequent enrollment or revocation activities by the user. ++.PP ++This tool can be run either by the user or by the administrator. If run by the user, the output (encrypted passphrase, i.e. shared token) needs to be sent to the CA administrator to store on the CA; if run by the CA administrator, the passphrase itself needs to be passed to the intended user. It is outside of the scope of this software to state how such communication takes place. It is up to the site policy to decide which way best suits the deployment site. ++.PP ++For information on how the administrator would store the shared tokens on the CA, see Red Hat Certificate System Administrator's Guide. ++ ++.SH OPTIONS ++.PP ++The following are supported options. ++.PP ++.TP ++.B -d ++Path of directory to the NSS database. This option is required. ++ ++.TP ++.B -h ++Security token name (default: internal) ++ ++.TP ++.B -p ++Security token password. ++ ++.TP ++.B -p ++CMC enrollment passphrase (shared secret) (put in "" if containing spaces) ++ ++.TP ++.B -b ++PEM issuance protection certificate. Note: only one of the -b or -n options should be used. ++ ++.TP ++.B -n ++PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used. ++ ++.TP ++.B -v ++Run in verbose mode. ++ ++.SH EXAMPLE ++.PP ++CMCSharedToken -d . -p myNSSPassword -s "just another good day" -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat" ++ ++.SH AUTHORS ++Christina Fu . ++ ++.SH COPYRIGHT ++Copyright (c) 2018 Red Hat, Inc. 
This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. ++ ++.SH SEE ALSO ++.BR CMCRequest(1) +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +index 6d84a19..945f09f 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +@@ -18,6 +18,7 @@ + package com.netscape.cmstools; + + import java.io.ByteArrayInputStream; ++import java.io.ByteArrayOutputStream; + import java.io.FileWriter; + import java.io.IOException; + import java.math.BigInteger; +@@ -53,6 +54,7 @@ import org.mozilla.jss.pkix.cms.ContentInfo; + import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; + import org.mozilla.jss.pkix.cms.SignedData; + ++import com.netscape.cmsutil.util.Utils; + import netscape.security.pkcs.PKCS7; + import netscape.security.util.CertPrettyPrint; + import netscape.security.x509.X509CertImpl; +@@ -124,7 +126,7 @@ public class CMCResponse { + return list; + } + +- public void printContent() { ++ public void printContent(boolean printCerts) { + try { + SignedData cmcFullResp = (SignedData) contentInfo.getInterpretedContent(); + +@@ -137,6 +139,18 @@ public class CMCResponse { + for (int i = 0; i < numCerts; i++) { + Certificate cert = (Certificate) certs.elementAt(i); + X509CertImpl certImpl = new X509CertImpl(ASN1Util.encode(cert)); ++ ++ if (printCerts) { ++ System.out.println("Cert:" + i ); ++ ByteArrayOutputStream fos = new ByteArrayOutputStream(); ++ certImpl.encode(fos); ++ fos.close(); ++ byte[] certBytes = fos.toByteArray(); ++ String certB64 = Utils.base64encode(certBytes, true); ++ System.out.println(certB64); ++ System.out.println("==="); ++ } ++ + CertPrettyPrint print = new CertPrettyPrint(certImpl); + content.append(print.toString(Locale.getDefault())); + } +@@ -320,10 +334,12 @@ public 
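Review bot: In the new `if (printCerts)` branch the certificate is re-encoded through a ByteArrayOutputStream although the DER bytes were produced one context line earlier by `ASN1Util.encode(cert)`, so the stream, its `close()` outside any try-with-resources, and the misleadingly named `fos` (it is not a file stream) can all go. Keep the bytes once and reuse them: `byte[] certBytes = ASN1Util.encode(cert);`, `X509CertImpl certImpl = new X509CertImpl(certBytes);`, then `String certB64 = Utils.base64encode(certBytes, true);` inside the branch. This assumes X509CertImpl's `encode()` reproduces the DER it was constructed from, which the constructor call on the context line implies but which I cannot confirm from here. The enclosing `try` of printContent starts outside the hunk.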
class CMCResponse { + option.setArgName("path"); + options.addOption(option); + +- option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format"); ++ option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format; also prints out cert base 64 encoding individually"); + option.setArgName("path"); + options.addOption(option); + ++ options.addOption("v", "verbose", false, "Run in verbose mode. Base64 encoding of certs in response will be printed individually"); ++ + options.addOption(null, "help", false, "Show help message."); + + CommandLine cmd = parser.parse(options, args, true); +@@ -333,6 +349,7 @@ public class CMCResponse { + + String input = cmd.getOptionValue("i"); + String output = cmd.getOptionValue("o"); ++ boolean printCerts = cmd.hasOption("v"); + + if (cmd.hasOption("help")) { + printUsage(); +@@ -341,6 +358,7 @@ public class CMCResponse { + + if (input == null) { + System.err.println("ERROR: Missing input CMC response"); ++ System.err.println("Try 'CMCResponse --help' for more information."); + System.exit(1); + } + +@@ -349,7 +367,7 @@ public class CMCResponse { + + // display CMC response + CMCResponse response = new CMCResponse(data); +- response.printContent(); ++ response.printContent(printCerts); + + // terminate if any of the statuses is not a SUCCESS + Collection statusInfos = response.getStatusInfos(); +@@ -379,6 +397,7 @@ public class CMCResponse { + try (FileWriter fw = new FileWriter(output)) { + fw.write(pkcs7.toPEMString()); + } ++ System.out.println("\nPKCS#7 now stored in file: " + output); + } + } + } +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java +index d041cd3..203bc02 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java +@@ -115,6 +115,7 @@ public class CMCRevoke { + "-p " + + "-h " + + "-c "); ++ 
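Review bot: The updated `-o` help text claims the option "also prints out cert base 64 encoding individually", but per-certificate printing is gated only on `-v` (`boolean printCerts = cmd.hasOption("v");` in the following hunk), so the description is wrong for a user who passes `-o` alone. Restore the original wording, `option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format");`, since the new `-v` option already documents the printing. The CMCResponse.1 man page added earlier in this series describes `-o` and `-v` as separate behaviours, which matches the code rather than this help string.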
System.out.println("\nNOTE: You can alternatively use CMCRequest instead for better usability."); + for (int i = 0; i < s.length; i++) { + System.out.println(i + ":" + s[i]); + } +-- +1.8.3.1 + + +From e6881a52e9998bd328a0021600b82d26534ff912 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 8 Mar 2018 18:46:16 +1100 +Subject: [PATCH 13/20] Move parseACL to ACL.java + +The parseACL function currently lives in CMSEngine, which is an +awkward place for it. Move it into the ACL class as a static +method. + +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: I2a22618a8e295864e218e067fadf4255ceada9b3 + +(cherry picked from commit 80577d3480c8f5aa917db86f962b8acf6f750c55) +--- + base/common/src/com/netscape/certsrv/acls/ACL.java | 120 ++++++++++++++++++++ + base/common/src/com/netscape/certsrv/apps/CMS.java | 18 --- + .../src/com/netscape/certsrv/apps/ICMSEngine.java | 16 --- + .../com/netscape/cms/authorization/AAclAuthz.java | 4 +- + .../src/com/netscape/cmscore/apps/CMSEngine.java | 121 --------------------- + .../netscape/cmscore/app/CMSEngineDefaultStub.java | 6 - + 6 files changed, 122 insertions(+), 163 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java +index 8672081..fc031e4 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACL.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACL.java +@@ -20,9 +20,12 @@ package com.netscape.certsrv.acls; + import java.util.Collection; + import java.util.Collections; + import java.util.Enumeration; ++import java.util.StringTokenizer; + import java.util.TreeSet; + import java.util.Vector; + ++import com.netscape.certsrv.apps.CMS; ++ + /** + * A class represents an access control list (ACL). An ACL + * is associated with an protected resources. 
The policy +@@ -194,4 +197,121 @@ public class ACL implements IACL, java.io.Serializable { + public Enumeration rights() { + return Collections.enumeration(rights); + } ++ ++ /** ++ * Parse ACL resource attributes ++ * ++ * @param resACLs same format as the resourceACLs attribute: ++ * ++ *
++     *     ::
++     *      () 
++     * 
++ * ++ * @exception EACLsException ACL related parsing errors for resACLs ++ * @return an ACL instance built from the parsed resACLs ++ */ ++ public static ACL parseACL(String resACLs) throws EACLsException { ++ if (resACLs == null) { ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs")); ++ } ++ ++ ACL acl = null; ++ Vector rights = null; ++ int idx1 = resACLs.indexOf(":"); ++ ++ if (idx1 <= 0) { ++ acl = new ACL(resACLs, rights, resACLs); ++ } else { ++ // getting resource id ++ String resource = resACLs.substring(0, idx1); ++ ++ if (resource == null) { ++ String infoMsg = "resource not specified in resourceACLS attribute:" + ++ resACLs; ++ ++ String[] params = new String[2]; ++ ++ params[0] = resACLs; ++ params[1] = infoMsg; ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); ++ } ++ ++ // getting list of applicable rights ++ String st = resACLs.substring(idx1 + 1); ++ int idx2 = st.indexOf(":"); ++ String rightsString = null; ++ ++ if (idx2 != -1) ++ rightsString = st.substring(0, idx2); ++ else { ++ String infoMsg = ++ "rights not specified in resourceACLS attribute:" + resACLs; ++ String[] params = new String[2]; ++ ++ params[0] = resACLs; ++ params[1] = infoMsg; ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); ++ } ++ ++ if (rightsString != null) { ++ rights = new Vector(); ++ StringTokenizer rtok = new StringTokenizer(rightsString, ","); ++ ++ while (rtok.hasMoreTokens()) { ++ rights.addElement(rtok.nextToken()); ++ } ++ } ++ ++ acl = new ACL(resource, rights, resACLs); ++ ++ // search *backwards* for final instance of ':', to handle case ++ // where acl expressions contain colon, e.g. in a group name. 
++ String stx = st.substring(idx2 + 1); ++ int idx3 = stx.lastIndexOf(":"); ++ String aclStr = stx.substring(0, idx3); ++ ++ // getting list of acl entries ++ if (aclStr != null) { ++ StringTokenizer atok = new StringTokenizer(aclStr, ";"); ++ ++ while (atok.hasMoreTokens()) { ++ String acs = atok.nextToken(); ++ ++ // construct ACL entry ++ ACLEntry entry = ACLEntry.parseACLEntry(acl, acs); ++ ++ if (entry == null) { ++ String infoMsg = "parseACLEntry() call failed"; ++ String[] params = new String[2]; ++ ++ params[0] = "ACLEntry = " + acs; ++ params[1] = infoMsg; ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); ++ } ++ ++ entry.setACLEntryString(acs); ++ acl.addEntry(entry); ++ } ++ } else { ++ // fine ++ String infoMsg = "acls not specified in resourceACLS attribute:" + ++ ++ resACLs; ++ ++ String[] params = new String[2]; ++ ++ params[0] = resACLs; ++ params[1] = infoMsg; ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); ++ } ++ ++ // getting description ++ String desc = stx.substring(idx3 + 1); ++ ++ acl.setDescription(desc); ++ } ++ ++ return (acl); ++ } + } +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index a6cd582..d04223f 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; + import org.mozilla.jss.CryptoManager.CertificateUsage; + import org.mozilla.jss.util.PasswordCallback; + +-import com.netscape.certsrv.acls.EACLsException; +-import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.authentication.IAuthSubsystem; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; +@@ -316,22 +314,6 @@ public final class CMS { + } + + /** +- * Parse ACL resource attributes +- * +- * @param resACLs same format as the 
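Review bot: `stx.substring(0, idx3)` on the new side throws StringIndexOutOfBoundsException when `lastIndexOf(":")` returns -1 (a resourceACLs value with no description separator), while the `aclStr != null` check below it can never fire because `substring` never returns null; the same holds for the `resource == null` branch earlier in the hunk. The defect is carried over from CMSEngine by the move, but now that the method lives here and its visible caller in AAclAuthz at `@@ -791` catches only EBaseException, an unchecked exception from a malformed directory entry escapes that handler. Replace the dead null check with a test on the index before the substring: `if (idx3 == -1) { throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", new String[] { resACLs, "acls not specified in resourceACLS attribute:" + resACLs })); }` and drop the `resource == null` branch. The two-element `params` array is built the same way four times in this method and could become a small private helper.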
resourceACLs attribute: +- * +- *
+-     *     ::
+-     *      () 
+-     * 
+- * @exception EACLsException ACL related parsing errors for resACLs +- * @return an ACL instance built from the parsed resACLs +- */ +- public static IACL parseACL(String resACLs) throws EACLsException { +- return _engine.parseACL(resACLs); +- } +- +- /** + * Creates an issuing poing record. + * + * @return issuing record +diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +index f861b95..d996d90 100644 +--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java ++++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java +@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; + import org.mozilla.jss.CryptoManager.CertificateUsage; + import org.mozilla.jss.util.PasswordCallback; + +-import com.netscape.certsrv.acls.EACLsException; +-import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.base.EBaseException; +@@ -468,20 +466,6 @@ public interface ICMSEngine extends ISubsystem { + String p7, String p8, String p9, String p10); + + /** +- * Parse ACL resource attributes +- * +- * @param resACLs same format as the resourceACLs attribute: +- * +- *
+-     *     ::
+-     *      () 
+-     * 
+- * @exception EACLsException ACL related parsing errors for resACLs +- * @return an ACL instance built from the parsed resACLs +- */ +- public IACL parseACL(String resACLs) throws EACLsException; +- +- /** + * Creates an issuing poing record. + * + * @return issuing record +diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +index 4e864fd..2d4a94f 100644 +--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java ++++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +@@ -180,7 +180,7 @@ public abstract class AAclAuthz implements IAuthzManager { + * @throws EBaseException parsing error from parseACL + */ + public void addACLs(String resACLs) throws EBaseException { +- ACL acl = (ACL) CMS.parseACL(resACLs); ++ ACL acl = ACL.parseACL(resACLs); + + if (acl != null) { + ACL curACL = mACLs.get(acl.getName()); +@@ -791,7 +791,7 @@ public abstract class AAclAuthz implements IAuthzManager { + ACL ac = null; + + try { +- ac = (ACL) CMS.parseACL(resourceACLs); ++ ac = ACL.parseACL(resourceACLs); + } catch (EBaseException ex) { + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0")); + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index b1df429..eaf57fa 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -38,7 +38,6 @@ import java.util.Hashtable; + import java.util.List; + import java.util.Locale; + import java.util.ResourceBundle; +-import java.util.StringTokenizer; + import java.util.Timer; + import java.util.Vector; + +@@ -62,10 +61,6 @@ import org.mozilla.jss.util.PasswordCallback; + import org.w3c.dom.Element; + import org.w3c.dom.NodeList; + +-import com.netscape.certsrv.acls.ACL; +-import 
com.netscape.certsrv.acls.ACLEntry; +-import com.netscape.certsrv.acls.EACLsException; +-import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.apps.ICMSEngine; + import com.netscape.certsrv.apps.ICommandQueue; +@@ -618,122 +613,6 @@ public class CMSEngine implements ICMSEngine { + } + + /** +- * Parse ACL resource attributes +- * +- * @param resACLs same format as the resourceACLs attribute: +- * +- *
+-     *     ::
+-     *      () 
+-     * 
+- * @exception EACLsException ACL related parsing errors for resACLs +- * @return an ACL instance built from the parsed resACLs +- */ +- public IACL parseACL(String resACLs) throws EACLsException { +- if (resACLs == null) { +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs")); +- } +- +- ACL acl = null; +- Vector rights = null; +- int idx1 = resACLs.indexOf(":"); +- +- if (idx1 <= 0) { +- acl = new ACL(resACLs, rights, resACLs); +- } else { +- // getting resource id +- String resource = resACLs.substring(0, idx1); +- +- if (resource == null) { +- String infoMsg = "resource not specified in resourceACLS attribute:" + +- resACLs; +- +- String[] params = new String[2]; +- +- params[0] = resACLs; +- params[1] = infoMsg; +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); +- } +- +- // getting list of applicable rights +- String st = resACLs.substring(idx1 + 1); +- int idx2 = st.indexOf(":"); +- String rightsString = null; +- +- if (idx2 != -1) +- rightsString = st.substring(0, idx2); +- else { +- String infoMsg = +- "rights not specified in resourceACLS attribute:" + resACLs; +- String[] params = new String[2]; +- +- params[0] = resACLs; +- params[1] = infoMsg; +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); +- } +- +- if (rightsString != null) { +- rights = new Vector(); +- StringTokenizer rtok = new StringTokenizer(rightsString, ","); +- +- while (rtok.hasMoreTokens()) { +- rights.addElement(rtok.nextToken()); +- } +- } +- +- acl = new ACL(resource, rights, resACLs); +- +- // search *backwards* for final instance of ':', to handle case +- // where acl expressions contain colon, e.g. in a group name. 
+- String stx = st.substring(idx2 + 1); +- int idx3 = stx.lastIndexOf(":"); +- String aclStr = stx.substring(0, idx3); +- +- // getting list of acl entries +- if (aclStr != null) { +- StringTokenizer atok = new StringTokenizer(aclStr, ";"); +- +- while (atok.hasMoreTokens()) { +- String acs = atok.nextToken(); +- +- // construct ACL entry +- ACLEntry entry = ACLEntry.parseACLEntry(acl, acs); +- +- if (entry == null) { +- String infoMsg = "parseACLEntry() call failed"; +- String[] params = new String[2]; +- +- params[0] = "ACLEntry = " + acs; +- params[1] = infoMsg; +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); +- } +- +- entry.setACLEntryString(acs); +- acl.addEntry(entry); +- } +- } else { +- // fine +- String infoMsg = "acls not specified in resourceACLS attribute:" + +- +- resACLs; +- +- String[] params = new String[2]; +- +- params[0] = resACLs; +- params[1] = infoMsg; +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); +- } +- +- // getting description +- String desc = stx.substring(idx3 + 1); +- +- acl.setDescription(desc); +- } +- +- return (acl); +- } +- +- /** + * Parse server.xml to get the ports and IPs + * @throws EBaseException + */ +diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +index b314dac..b65dae1 100644 +--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java ++++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java +@@ -19,8 +19,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; + import org.mozilla.jss.CryptoManager.CertificateUsage; + import org.mozilla.jss.util.PasswordCallback; + +-import com.netscape.certsrv.acls.EACLsException; +-import com.netscape.certsrv.acls.IACL; + import com.netscape.certsrv.apps.ICMSEngine; + import com.netscape.certsrv.apps.ICommandQueue; + import com.netscape.certsrv.authentication.ISharedToken; +@@ 
-260,10 +258,6 @@ public class CMSEngineDefaultStub implements ICMSEngine { + return null; + } + +- public IACL parseACL(String resACLs) throws EACLsException { +- return null; +- } +- + public ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize, + Date thisUpdate, Date nextUpdate) { + return null; +-- +1.8.3.1 + + +From 973c83b316272319ccb958ff6f391dfccb0c4e76 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 9 Mar 2018 10:39:33 +1100 +Subject: [PATCH 14/20] ACL.java: Remove unused constructor + +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: Id8eee2d31538e2c95debb03a6102e0a7fdb0bd60 + +(cherry picked from commit 8748541f70e1c753589b37f76331a7cadc684253) +--- + base/common/src/com/netscape/certsrv/acls/ACL.java | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java +index fc031e4..0e3c28e 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACL.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACL.java +@@ -51,11 +51,6 @@ public class ACL implements IACL, java.io.Serializable { + protected String name = null; // resource name + protected String description = null; // resource description + +- /** +- * Class constructor. +- */ +- public ACL() { +- } + + /** + * Class constructor. 
+-- 
+1.8.3.1
+
+
+From aa1c01265acd8e92a7cf8880d594ab554dc5efbc Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 9 Mar 2018 10:58:21 +1100
+Subject: [PATCH 15/20] ACL.java: Make constructor private and add sanity check
+
+Part of: https://pagure.io/dogtagpki/issue/2957
+Change-Id: I5b15695df8692941646151b92ddaa893b3f93468
+
+(cherry picked from commit fcacf3d579a2562b764e0caed2cab81d73aa053f)
+---
+ base/common/src/com/netscape/certsrv/acls/ACL.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
+index 0e3c28e..d1560ab 100644
+--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
++++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
+@@ -66,8 +66,10 @@ public class ACL implements IACL, java.io.Serializable {
+ * Allow administrators to read and modify log
+ * configuration"
+ */
+- public ACL(String name, Collection rights, String resourceACLs) {
+- setName(name);
++ private ACL(String name, Collection rights, String resourceACLs) {
++ if (name == null)
++ throw new IllegalArgumentException("ACL name cannot be null");
++ this.name = name;
+ if (rights != null) {
+ this.rights = new TreeSet<>(rights);
+ } else {
+-- 
+1.8.3.1
+
+
+From fd7dc5e953fccd966f940b4060e35935ef4a3146 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 9 Mar 2018 11:12:41 +1100
+Subject: [PATCH 16/20] ACL.java: retain all resourceACLs strings when merging
+
+When writing a merged ACL back to the database, only the first
+resourceACLs string is written, and the other resourceACLs strings
+are lost.
+
+Retain all the original resourceACLs strings when merging ACLs and
+write them all back to the database when saving.
+
+This commit also performs some minor refactors. Extract the merging
+routine into ACL.merge(). Remove the now-unused addRight(),
+addEntry() and setName() methods.
+ +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: Ica36f1ed1517b4d13f13fd78259b6bb78ef1f22c + +(cherry picked from commit 414a6a63d4833cfe0e575a682378fb9515ad59a6) +--- + base/common/src/com/netscape/certsrv/acls/ACL.java | 47 ++++++++-------------- + .../com/netscape/cms/authorization/AAclAuthz.java | 9 +---- + .../netscape/cms/authorization/DirAclAuthz.java | 6 +-- + 3 files changed, 20 insertions(+), 42 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java +index d1560ab..cce41a8 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACL.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACL.java +@@ -47,10 +47,11 @@ public class ACL implements IACL, java.io.Serializable { + + protected Vector entries = new Vector(); // ACL entries + protected TreeSet rights = null; // possible rights entries +- protected String resourceACLs = null; // exact resourceACLs string on ldap server + protected String name = null; // resource name + protected String description = null; // resource description + ++ // exact resourceACLs strings on ldap server ++ protected TreeSet resourceACLs = new TreeSet<>(); + + /** + * Class constructor. +@@ -75,18 +76,20 @@ public class ACL implements IACL, java.io.Serializable { + } else { + this.rights = new TreeSet<>(); + } +- this.resourceACLs = resourceACLs; +- ++ this.resourceACLs.add(resourceACLs); + } + +- /** +- * Sets the name of the resource governed by this +- * access control. ++ /** Merge the rules of the other ACL into this one. + * +- * @param name name of the resource ++ * @throws IllegalArgumentException if the ACLs do not have the same name. 
+ */ +- public void setName(String name) { +- this.name = name; ++ public void merge(ACL other) { ++ if (!this.name.equals(other.name)) ++ throw new IllegalArgumentException("Cannot merge ACLs; names do not match."); ++ ++ this.rights.addAll(other.rights); ++ this.entries.addAll(other.entries); ++ this.resourceACLs.addAll(other.resourceACLs); + } + + /** +@@ -100,11 +103,11 @@ public class ACL implements IACL, java.io.Serializable { + } + + /** +- * Retrieves the exact string of the resourceACLs ++ * Retrieve an iterable of strings that were used to produce this ACL. + * +- * @return resource's acl ++ * @return Iterable of formatted ACLs + */ +- public String getResourceACLs() { ++ public Iterable getResourceACLs() { + return resourceACLs; + } + +@@ -129,15 +132,6 @@ public class ACL implements IACL, java.io.Serializable { + } + + /** +- * Adds an ACL entry to this list. +- * +- * @param entry the ACLEntry to be added to this resource +- */ +- public void addEntry(ACLEntry entry) { +- entries.addElement(entry); +- } +- +- /** + * Returns ACL entries. + * + * @return enumeration for the ACLEntry vector +@@ -168,15 +162,6 @@ public class ACL implements IACL, java.io.Serializable { + } + + /** +- * Adds an rights entry to this list. 
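Review bot: `merge(ACL other)` dereferences `other.name` before anything else, so a null argument surfaces as NullPointerException rather than the IllegalArgumentException the Javadoc promises; add `if (other == null) throw new IllegalArgumentException("Cannot merge a null ACL.");` ahead of the name comparison. The entries copied by `this.entries.addAll(other.entries)` were built by `ACLEntry.parseACLEntry(acl, acs)` with `other` as the owning ACL; if ACLEntry retains that reference (not visible here) the merged entries still point at the discarded instance, which is worth confirming against ACLEntry. The new Javadoc also departs from the file's block style (`/**` on its own line) and lacks `@param other the ACL whose rights, entries and resourceACLs strings are added to this one`.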
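Review bot: `getResourceACLs()` now hands out the internal `resourceACLs` TreeSet itself, so any caller holding the Iterable can cast it and add or remove the strings that DirAclAuthz writes back to the directory (`attrs.addValue(s)` in the next file section). Return a read-only view instead, `return Collections.unmodifiableSet(resourceACLs);`; `java.util.Collections` is already imported in this file. The `@return` line could then state that the returned view is unmodifiable.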
+- * +- * @param right The right to be added for this ACL +- */ +- public void addRight(String right) { +- rights.add(right); +- } +- +- /** + * Tells if the permission is one of the defined "rights" + * + * @param permission permission to be checked +@@ -288,7 +273,7 @@ public class ACL implements IACL, java.io.Serializable { + } + + entry.setACLEntryString(acs); +- acl.addEntry(entry); ++ acl.entries.add(entry); + } + } else { + // fine +diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +index 2d4a94f..7b69ec4 100644 +--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java ++++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +@@ -187,14 +187,7 @@ public abstract class AAclAuthz implements IAuthzManager { + if (curACL == null) { + mACLs.put(acl.getName(), acl); + } else { +- for (Enumeration entries = acl.entries() ; +- entries.hasMoreElements() ; ) { +- curACL.addEntry(entries.nextElement()); +- } +- for (Enumeration rights = acl.rights() ; +- rights.hasMoreElements() ; ) { +- curACL.addRight(rights.nextElement()); +- } ++ curACL.merge(acl); + } + } else { + log(ILogger.LL_FAILURE, "parseACL failed"); +diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +index 3e2a1b3..13360ef 100644 +--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java ++++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +@@ -231,9 +231,9 @@ public class DirAclAuthz extends AAclAuthz + if (en.hasMoreElements() == true) { + while (en.hasMoreElements()) { + ACL a = en.nextElement(); +- String resAclString = a.getResourceACLs(); +- +- attrs.addValue(resAclString); ++ for (String s : a.getResourceACLs()) { ++ attrs.addValue(s); ++ } + } + + mod.add(LDAPModification.REPLACE, attrs); +-- +1.8.3.1 + + +From 
5cf81863d7813259a526af38e32d504ca5cc59bb Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 9 Mar 2018 15:14:06 +1100 +Subject: [PATCH 17/20] ACL.java: remove setDescription method + +The only place setDescription was used was in parseACL() which is +now part of this class, so we can replace that method with a new +constructor argument and avoid another way to unreasonably mutate +an ACL. + +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: I8cff0cbb5cb47b80b7b0e6dc37702e16ec2a85e0 + +(cherry picked from commit 5e36d86d2c5ab2264768e64fe8029e428ce01b92) +--- + base/common/src/com/netscape/certsrv/acls/ACL.java | 29 ++++++++-------------- + 1 file changed, 10 insertions(+), 19 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java +index cce41a8..09a4b2b 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACL.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACL.java +@@ -67,7 +67,11 @@ public class ACL implements IACL, java.io.Serializable { + * Allow administrators to read and modify log + * configuration" + */ +- private ACL(String name, Collection rights, String resourceACLs) { ++ private ACL( ++ String name, ++ Collection rights, ++ String desc, ++ String resourceACLs) { + if (name == null) + throw new IllegalArgumentException("ACL name cannot be null"); + this.name = name; +@@ -77,6 +81,7 @@ public class ACL implements IACL, java.io.Serializable { + this.rights = new TreeSet<>(); + } + this.resourceACLs.add(resourceACLs); ++ this.description = desc; + } + + /** Merge the rules of the other ACL into this one. +@@ -112,16 +117,6 @@ public class ACL implements IACL, java.io.Serializable { + } + + /** +- * Sets the description of the resource governed by this +- * access control. 
+- * +- * @param description Description of the protected resource +- */ +- public void setDescription(String description) { +- this.description = description; +- } +- +- /** + * Retrieves the description of the resource governed by + * this access control. + * +@@ -203,7 +198,7 @@ public class ACL implements IACL, java.io.Serializable { + int idx1 = resACLs.indexOf(":"); + + if (idx1 <= 0) { +- acl = new ACL(resACLs, rights, resACLs); ++ acl = new ACL(resACLs, rights, null /* desc */, resACLs); + } else { + // getting resource id + String resource = resACLs.substring(0, idx1); +@@ -245,13 +240,14 @@ public class ACL implements IACL, java.io.Serializable { + } + } + +- acl = new ACL(resource, rights, resACLs); +- + // search *backwards* for final instance of ':', to handle case + // where acl expressions contain colon, e.g. in a group name. + String stx = st.substring(idx2 + 1); + int idx3 = stx.lastIndexOf(":"); + String aclStr = stx.substring(0, idx3); ++ String desc = stx.substring(idx3 + 1); ++ ++ acl = new ACL(resource, rights, desc, resACLs); + + // getting list of acl entries + if (aclStr != null) { +@@ -287,11 +283,6 @@ public class ACL implements IACL, java.io.Serializable { + params[1] = infoMsg; + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); + } +- +- // getting description +- String desc = stx.substring(idx3 + 1); +- +- acl.setDescription(desc); + } + + return (acl); +-- +1.8.3.1 + + +From 987c3e042b0419aaa75f11e936effd52bc9da6d5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 9 Mar 2018 16:39:20 +1100 +Subject: [PATCH 18/20] ACLEntry.java: return null on parse error + +If an ACL entry has an empty permission expression a +StringIndexOutOfBoundsException is thrown because an expected space +character cannot be found. Detect this condition and return null. 
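Review bot: In the `@@ -245` hunk `stx.lastIndexOf(":")` returns -1 when the tail of the ACL string has no `:description` part, and the next line `stx.substring(0, idx3)` then throws `StringIndexOutOfBoundsException` instead of the `EACLsException` this parser raises for other malformed input (the `@@ -287` hunk shows `CMS_ACL_PARSING_ERROR` being thrown that way). Since this change moves the description extraction in front of the `new ACL(...)` call, it is the right place to add the guard: `if (idx3 < 0) throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));` built with the same `params` shape used below. The enclosing `parseACL` starts before the hunk, so I cannot see whether an earlier check already rules this out; if it does, a comment at the `lastIndexOf` saying so would help.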
+ +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: I1518f53f68e106e877d24d7dce8a5756ca5aedbd + +(cherry picked from commit 682fcf270f6b49ff5a6e7133f022982445a74422) +--- + base/common/src/com/netscape/certsrv/acls/ACLEntry.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java +index 23f8596..5cca230 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java +@@ -203,6 +203,11 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + } + // locate the second space + i = suffix.indexOf(' '); ++ if (i <= 0) { ++ // second space not found, or is at start of string ++ return null; ++ } ++ + // this prefix should be rights list, delimited by "," + prefix = suffix.substring(1, i - 1); + // the suffix is the rest, which is the "expressions" +-- +1.8.3.1 + + +From 5a918d21aba41516054f232141752dd5a708cf77 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 9 Mar 2018 17:58:39 +1100 +Subject: [PATCH 19/20] DirAclAuthz.updateACLs: re-throw ACL exception + +Currently DirAclAuthz catches EACLsException when attempting to +update an ACL, logs the error, and then throws a new EACLsException, +discarding the info about where the original exception occurred. +There is no need to throw a new exception of the same type, so +re-throw the caught exception. 
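Review bot: The new guard `if (i <= 0)` leaves `i == 1` unhandled: the next line `prefix = suffix.substring(1, i - 1)` then becomes `substring(1, 0)`, which throws the very `StringIndexOutOfBoundsException` this commit sets out to remove. Unless the code before the hunk guarantees the character at index 0 is never immediately followed by the space, the check should be `if (i <= 1) { return null; }`. How `suffix` is derived is outside the hunk, so please confirm which form is correct and record it in the comment (`// need at least one char between the opening delimiter and the second space`).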
+ +Part of: https://pagure.io/dogtagpki/issue/2957 +Change-Id: If6e38e2217b8884b54b7daf07a7b79e23b8175d7 + +(cherry picked from commit 021ebec5d54a85d8de56478fb4762c4b15ee0a3a) +--- + base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +index 13360ef..e2c1229 100644 +--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java ++++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +@@ -211,7 +211,7 @@ public class DirAclAuthz extends AAclAuthz + + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); + +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); ++ throw ex; + } + } + +-- +1.8.3.1 + + +From 65a1edc262a2abb4b3bbcf7a46d775dbaffa4937 Mon Sep 17 00:00:00 2001 +From: Amol Kahat +Date: Tue, 27 Feb 2018 19:56:31 +0530 +Subject: [PATCH 20/20] Fixed BZ 1549632: Not able to generate certificate + request with ECC using pki client-cert-request + +Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409 +Signed-off-by: Amol Kahat +(cherry picked from commit 69434ec08442b92cab8c304caef98200ff71e8e2) +(cherry picked from commit 15911c8e65eb1543776a64f567ca3e281091e750) +--- + .../cmstools/client/ClientCertRequestCLI.java | 45 ++++++++++++++-------- + 1 file changed, 29 insertions(+), 16 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +index 54acd65..b440fc6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +@@ -123,7 +123,8 @@ public class ClientCertRequestCLI extends CLI { + option.setArgName("path"); + 
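Review bot: Re-throwing `ex` changes what the caller of `updateACLs` receives: previously it was the fixed `CMS_ACL_UPDATE_FAIL` user message, now it is the original exception's own message, which the log line above shows can carry `ex.toString()` detail from the failing ACL update. If that text can include backend (LDAP) specifics, it now reaches whoever triggered the update rather than staying in the server log. If the intent is only to keep the origin of the failure, keep the user message and chain the cause, `throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL"), ex);`, provided `EACLsException` has a cause-taking constructor (not visible here); otherwise a comment at the rethrow noting that callers now see the raw message would at least make the trade-off explicit.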
options.addOption(option); + +- option = new Option(null, "profile", true, "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)"); ++ option = new Option(null, "profile", true, ++ "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)"); + option.setArgName("profile"); + options.addOption(option); + +@@ -242,7 +243,7 @@ public class ClientCertRequestCLI extends CLI { + throw new Exception("--issuer-id and --issuer-dn options are mutually exclusive"); + } + +- MainCLI mainCLI = (MainCLI)parent.getParent(); ++ MainCLI mainCLI = (MainCLI) parent.getParent(); + File certDatabase = mainCLI.certDatabase; + + String password = mainCLI.config.getCertPassword(); +@@ -253,13 +254,21 @@ public class ClientCertRequestCLI extends CLI { + String csr; + PKIClient client; + if ("pkcs10".equals(requestType)) { +- csr = generatePkcs10Request(certDatabase, password, algorithm, length, subjectDN); ++ if ("rsa".equals(algorithm)) { ++ csr = generatePkcs10Request(certDatabase, password, algorithm, ++ Integer.toString(length), subjectDN); ++ } ++ ++ else if ("ec".equals(algorithm)) { ++ csr = generatePkcs10Request(certDatabase, password, algorithm, curve, subjectDN); ++ } else { ++ throw new Exception("Error: Unknown algorithm: " + algorithm); ++ } + + // initialize database after PKCS10Client to avoid conflict + mainCLI.init(); + client = getClient(); + +- + } else if ("crmf".equals(requestType)) { + + // initialize database before CRMFPopClient to load transport certificate +@@ -325,8 +334,8 @@ public class ClientCertRequestCLI extends CLI { + Vector rdns = dn.getRDNs(); + + Map subjectAttributes = new HashMap(); +- for (int i=0; i< rdns.size(); i++) { +- RDN rdn = (RDN)rdns.elementAt(i); ++ for (int i = 0; i < rdns.size(); i++) { ++ RDN rdn = (RDN) rdns.elementAt(i); + String type = rdn.getTypes()[0].toLowerCase(); + String value = rdn.getValues()[0]; + subjectAttributes.put(type, value); +@@ -334,7 +343,8 @@ public class ClientCertRequestCLI 
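Review bot: In the `@@ -253` hunk the `ec` branch passes `curve` straight through, and if `--curve` has no default (the option is defined outside this hunk) `generatePkcs10Request` will hand PKCS10Client the literal string `"null"` via `"" + length`; add `if (curve == null) throw new Exception("Error: --curve is required for EC keys");` before the call. The two branches also duplicate the `rsa`/`ec` dispatch that `generatePkcs10Request` already performs when it picks `-l` versus `-c`, so one call with `String keyParam = "ec".equals(algorithm) ? curve : Integer.toString(length);` would keep the knowledge in one place. Note the `equals` checks are case-sensitive, so `--algorithm RSA` now fails where the old code passed it through; if that is intended, say so in the option help.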
extends CLI { + + ProfileInput sn = request.getInput("Subject Name"); + if (sn != null) { +- if (verbose) System.out.println("Subject Name:"); ++ if (verbose) ++ System.out.println("Subject Name:"); + + for (ProfileAttribute attribute : sn.getAttributes()) { + String name = attribute.getName(); +@@ -350,13 +360,16 @@ public class ClientCertRequestCLI extends CLI { + + } else { + // unknown attribute, ignore +- if (verbose) System.out.println(" - " + name); ++ if (verbose) ++ System.out.println(" - " + name); + continue; + } + +- if (value == null) continue; ++ if (value == null) ++ continue; + +- if (verbose) System.out.println(" - " + name + ": " + value); ++ if (verbose) ++ System.out.println(" - " + name + ": " + value); + attribute.setValue(value); + } + } +@@ -385,19 +398,20 @@ public class ClientCertRequestCLI extends CLI { + File certDatabase, + String password, + String algorithm, +- int length, +- String subjectDN +- ) throws Exception { ++ String length, ++ String subjectDN) throws Exception { + + File csrFile = File.createTempFile("pki-client-cert-request-", ".csr", certDatabase); + csrFile.deleteOnExit(); + ++ String lenOrCurve = "ec".equals(algorithm) ? "-c" : "-l"; ++ + String[] commands = { + "/usr/bin/PKCS10Client", + "-d", certDatabase.getAbsolutePath(), + "-p", password, + "-a", algorithm, +- "-l", "" + length, ++ lenOrCurve, "" + length, + "-o", csrFile.getAbsolutePath(), + "-n", subjectDN + }; +@@ -427,8 +441,7 @@ public class ClientCertRequestCLI extends CLI { + int sensitive, + int extractable, + boolean withPop, +- KeyWrapAlgorithm keyWrapAlgorithm +- ) throws Exception { ++ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { + + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken token = manager.getThreadToken(); +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-batch-1.1.patch b/SOURCES/pki-core-10.5.1-batch-1.1.patch new file mode 100644 index 0000000..c90d0b6 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-batch-1.1.patch 
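Review bot: The `@@ -385` hunk keeps `"-p", password` in the `/usr/bin/PKCS10Client` argv, so the NSS database password is readable by every local user through `ps` or `/proc/<pid>/cmdline` for as long as the child runs; the commit reworks the surrounding lines but leaves this in place. If PKCS10Client accepts a password file (the Python side of this package already stores token passwords in a temporary file for the `pki` CLI, whether PKCS10Client offers the same option is not visible here), write the password to a mode-0600 temp file next to `csrFile`, pass that path, and delete it in a `finally`. Separately, the `length` parameter now also carries the curve name for EC, which the signature hides; rename it to `keySizeOrCurve` and document it: `@param keySizeOrCurve RSA key size in bits, or the named curve when algorithm is "ec"`.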
@@ -0,0 +1,87 @@ +From d34d825473a50a66b9b21d0a5b072fc12f71821c Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 22 Mar 2018 11:39:05 -0700 +Subject: [PATCH 1/3] fix TPS CS.cfg param from tps.connector.connCAList to + tps.connCAList + +Change-Id: Ic391b845358736daab4b814c86e6f7f512a209bb +(cherry picked from commit 4e237910d02918a53618154bf923204b3e2be085) +(cherry picked from commit 3f0f0d971e4382ef9ea1490d1a07644fcef0b343) +--- + base/tps/man/man5/pki-tps-connector.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/tps/man/man5/pki-tps-connector.5 b/base/tps/man/man5/pki-tps-connector.5 +index b3e405e..a2df454 100644 +--- a/base/tps/man/man5/pki-tps-connector.5 ++++ b/base/tps/man/man5/pki-tps-connector.5 +@@ -68,7 +68,7 @@ Example ops: enrollment, renewal, revoke, unrevoke, getcert. + + This property contains the connection timeout. + +-.SS tps.connector.connCAList ++.SS tps.connCAList + + This property is used for \fIRevocation Routing\fP. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to. + Example: +-- +1.8.3.1 + + +From fbd5122bd3e7ffe3632406f006630e2ddbc41907 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 26 Mar 2018 10:09:42 -0700 +Subject: [PATCH 2/3] reflect dogtagpki url change in CMCRequest man page. 
+ +Change-Id: I8eb5884a26850b87f378c4417939c873c27fd409 +(cherry picked from commit 3ce3ae9bd73a906beb0254a7488b15e11ddcf905) +(cherry picked from commit 08c6684dfbabb53ab9301e33e2b40389b93f18bc) +--- + base/java-tools/man/man1/CMCRequest.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1 +index f647ef7..8c67fc0 100644 +--- a/base/java-tools/man/man1/CMCRequest.1 ++++ b/base/java-tools/man/man1/CMCRequest.1 +@@ -174,7 +174,7 @@ For revocation by authenticating with user's shared secret, the following parame + CMC requests must be submitted to the CA to be processed. Tool supported by Dogtag for submitting these requests is \fBHttpClient\fP. + .PP + \fBNote:\fP For examples on how to use this tool, please see +-http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples. ++http://www.dogtagpki.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples. + + .SH AUTHORS + Christina Fu . 
+-- +1.8.3.1 + + +From 7b5a899e3d237e2be3bc1c7d9e4dd7613cdd9f24 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 29 Mar 2018 09:59:02 -0700 +Subject: [PATCH 3/3] quick fix on wrong keyType in profile + +Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87 +(cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6) +(cherry picked from commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620) +--- + base/ca/shared/profiles/ca/caUserCert.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg +index 1f62bb8..9164dac 100644 +--- a/base/ca/shared/profiles/ca/caUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caUserCert.cfg +@@ -36,7 +36,7 @@ policyset.userCertSet.2.default.params.range=180 + policyset.userCertSet.2.default.params.startTime=0 + policyset.userCertSet.3.constraint.class_id=keyConstraintImpl + policyset.userCertSet.3.constraint.name=Key Constraint +-policyset.userCertSet.3.constraint.params.keyType=EC ++policyset.userCertSet.3.constraint.params.keyType=RSA + policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 + policyset.userCertSet.3.default.class_id=userKeyDefaultImpl + policyset.userCertSet.3.default.name=Key Default +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-batch-2.0.patch b/SOURCES/pki-core-10.5.1-batch-2.0.patch new file mode 100644 index 0000000..73aff94 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-batch-2.0.patch 
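Review bot: Correcting `keyType` to `RSA` also makes the context line `keyParameters=1024,2048,3072,4096` effective for this profile, and 1024-bit RSA has been disallowed for newly issued certificates by NIST SP 800-131A since 2013. Unless 1024 is kept deliberately for legacy clients, drop it: `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096`. If it must stay, a comment in the profile saying why would save the next reviewer from raising it again.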
@@ -0,0 +1,1069 @@ +From c4f6b7c6d4a0d8130c46cd1f820f8980b7f314e2 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 16 Apr 2018 14:28:39 -0700 +Subject: [PATCH 1/7] Ticket #2940 post-ticket simple typo fix. + +Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be +(cherry picked from commit 2e299050016094c4ab9b739bc68a27787d8aadb4) +(cherry picked from commit 7ed0b12aa3bc9a04acd417fc0757500d585c57e8) +--- + base/java-tools/man/man1/CMCSharedToken.1 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1 +index e4a26f0..64c97f8 100644 +--- a/base/java-tools/man/man1/CMCSharedToken.1 ++++ b/base/java-tools/man/man1/CMCSharedToken.1 +@@ -48,7 +48,7 @@ Security token name (default: internal) + Security token password. + + .TP +-.B -p ++.B -s + CMC enrollment passphrase (shared secret) (put in "" if containing spaces) + + .TP +@@ -56,7 +56,7 @@ CMC enrollment passphrase (shared secret) (put in "" if containing spaces) + PEM issuance protection certificate. Note: only one of the -b or -n options should be used. + + .TP +-.B -n ++.B -n + PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used. + + .TP +-- +1.8.3.1 + + +From b189ac5a9fe0eee529893ca1b3616a12fd1d0631 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 19 Apr 2018 17:11:34 -0700 +Subject: [PATCH 2/7] Ticket #2992 servlet profileSubmitCMCSimple throws NPE + +This patch addresses the issue that when auth.instance_id is not specified in +the profile, NPE is thrown. +Alternative is to add auth.instance_id value, but it's better to leave this +as manual approval only without changing the functionality. 
+ +fixes https://pagure.io/dogtagpki/issue/2992 + +Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d +(cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96) +--- + .../com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 91a26b1..a0bcfb5 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -509,7 +509,10 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + CMS.debug("ProfileSubmitCMCServlet: null it out"); + ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); + } +- String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); ++ String signingCertSerialS = null; ++ if (authToken != null) { ++ signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); ++ } + if (signingCertSerialS != null) { + CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); + ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); +-- +1.8.3.1 + + +From ff37277ba6ee49e92f9bad078f23e66b79315535 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 24 Apr 2018 02:44:15 +0200 +Subject: [PATCH 3/7] Fixed token name normalization in pki-server + subsystem-cert-validate + +The pki-server subsystem-cert-validate has been modified to +normalize cert token name before calling pki client-cert-validate. +This way "Internal Key Storage Token" will be considered as an +internal token and no longer specified as a parameter. 
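Review bot: When `authToken` is null the new guard leaves `signingCertSerialS` null, so a CMC request arriving on a profile without `auth.instance_id` continues with no signing-cert credential in `ctx` and nothing in the debug trail saying so, whereas the neighbouring path logs (`CMS.debug("ProfileSubmitCMCServlet: null it out")`). Add the missing branch: `else { CMS.debug("ProfileSubmitCMCServlet: authToken is null; CRED_CMC_SIGNING_CERT not set"); }`. The commit message says this is meant to fall through to manual approval; put that in a comment above the null check so it is not later "fixed" by defaulting the credential. The enclosing method starts before the hunk.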
+ +https://pagure.io/dogtagpki/issue/2997 + +Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97 +(cherry picked from commit d61f9729dcc102c9acbbaa8129fffb6c30fb7116) +--- + base/common/python/pki/nssdb.py | 27 +++++++++++++++++++++----- + base/server/python/pki/server/__init__.py | 7 +++++++ + base/server/python/pki/server/cli/subsystem.py | 3 +++ + base/server/sbin/pkidestroy | 13 +++++++++++-- + base/server/sbin/pkispawn | 10 ++++++++++ + 5 files changed, 53 insertions(+), 7 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index 934fe8b..0f3c97a 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -43,6 +43,9 @@ CERT_FOOTER = '-----END CERTIFICATE-----' + PKCS7_HEADER = '-----BEGIN PKCS7-----' + PKCS7_FOOTER = '-----END PKCS7-----' + ++INTERNAL_TOKEN_NAME = 'internal' ++INTERNAL_TOKEN_FULL_NAME = 'Internal Key Storage Token' ++ + logger = logging.LoggerAdapter( + logging.getLogger(__name__), + extra={'indent': ''}) +@@ -112,6 +115,24 @@ def get_file_type(filename): + return None + + ++def normalize_token(token): ++ """ ++ Normalize internal token name (e.g. empty string, 'internal', ++ 'Internal Key Storage Token') into None. Other token names ++ will be unchanged. 
++ """ ++ if not token: ++ return None ++ ++ if token.lower() == INTERNAL_TOKEN_NAME: ++ return None ++ ++ if token.lower() == INTERNAL_TOKEN_FULL_NAME.lower(): ++ return None ++ ++ return token ++ ++ + class NSSDatabase(object): + + def __init__(self, directory=None, token=None, password=None, +@@ -123,11 +144,7 @@ class NSSDatabase(object): + os.path.expanduser("~"), '.dogtag', 'nssdb') + + self.directory = directory +- +- if token == 'internal' or token == 'Internal Key Storage Token': +- self.token = None +- else: +- self.token = token ++ self.token = normalize_token(token) + + self.tmpdir = tempfile.mkdtemp() + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 65aee2f..b5180f0 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -28,6 +28,7 @@ import grp + import io + import ldap + import ldap.filter ++import logging + import operator + import os + import pwd +@@ -50,6 +51,10 @@ SUBSYSTEM_CLASSES = {} + + SELFTEST_CRITICAL = 'critical' + ++logger = logging.LoggerAdapter( ++ logging.getLogger(__name__), ++ extra={'indent': ''}) ++ + + class PKIServer(object): + +@@ -206,6 +211,8 @@ class PKISubsystem(object): + if cert_id: + cmd.append(cert_id) + ++ logger.debug('Command: %s', ' '.join(cmd)) ++ + subprocess.check_output( + cmd, + stderr=subprocess.STDOUT) +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 0abf90a..57093d4 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -1000,6 +1000,9 @@ class SubsystemCertValidateCLI(pki.cli.CLI): + token = cert.get('token', '') + print(' Token: %s' % token) + ++ # normalize internal token into None ++ token = pki.nssdb.normalize_token(token) ++ + # get token password and store in temporary file + passwd = instance.get_token_password(token) + +diff --git 
a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 4df74a4..58f0541 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -24,6 +24,7 @@ from __future__ import absolute_import + from __future__ import print_function + import sys + import signal ++import subprocess + + if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print("Python version %s.%s.%s is too old." % sys.version_info[:3]) +@@ -235,8 +236,16 @@ def main(argv): + + scriptlet.destroy(deployer) + +- # pylint: disable=W0703 +- except Exception as e: ++ except subprocess.CalledProcessError as e: ++ log_error_details() ++ print() ++ print("Uninstallation failed: Command failed: %s" % ' '.join(e.cmd)) ++ if e.output: ++ print(e.output) ++ print() ++ sys.exit(1) ++ ++ except Exception as e: # pylint: disable=broad-except + log_error_details() + print() + print("Uninstallation failed: %s" % e) +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index b2ac8b4..ab94b8b 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -24,6 +24,7 @@ from __future__ import absolute_import + from __future__ import print_function + import sys + import signal ++import subprocess + + if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print("Python version %s.%s.%s is too old." 
% sys.version_info[:3]) +@@ -549,6 +550,15 @@ def main(argv): + + sys.exit(1) + ++ except subprocess.CalledProcessError as e: ++ log_error_details() ++ print() ++ print("Installation failed: Command failed: %s" % ' '.join(e.cmd)) ++ if e.output: ++ print(e.output) ++ print() ++ sys.exit(1) ++ + except Exception as e: # pylint: disable=broad-except + log_error_details() + print() +-- +1.8.3.1 + + +From 5df4e1a9418a9d276170c0c9c8bdec2f0de0d759 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 15 May 2018 19:06:48 -0700 +Subject: [PATCH 4/7] Ticket 1741 ECDSA Signature Algorithm encoding + +This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3 + +Fixes https://pagure.io/dogtagpki/issue/1741 + +Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d +(cherry picked from commit 01dcdee01ab9c231e89169e422e452ce5ef22257) +--- + base/util/src/netscape/security/x509/AlgorithmId.java | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java +index a89843e..ae5975a 100644 +--- a/base/util/src/netscape/security/x509/AlgorithmId.java ++++ b/base/util/src/netscape/security/x509/AlgorithmId.java +@@ -142,7 +142,16 @@ public class AlgorithmId implements Serializable, DerEncoder { + * Figure out what class (if any) knows about this oid's + * parameters. Make one, and give it the data to decode. 
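Review bot: `print(e.output)` in the `@@ -549` hunk prints the raw `check_output` result, and on Python 3 that is `bytes`, so the operator sees `b'...'` with `\n` escaped instead of the command's output (this script still accepts 2.7 and 3 via the `hexversion` check above). Decode first: `out = e.output.decode('utf-8', 'replace') if isinstance(e.output, bytes) else e.output` and print `out`; the identical block added to `pkidestroy` has the same problem. Also bear in mind the child's output is whatever the failing command printed, so anything it echoed (for example a password file's content on a misconfigured command) now lands on the console and in any transcript of the install.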
+ */ +- AlgorithmId alg = new AlgorithmId(algid, params); ++ AlgorithmId alg = null; ++ // omit parameter field for ECDSA ++ if (!algid.equals(sha224WithEC_oid) && ++ !algid.equals(sha256WithEC_oid) && ++ !algid.equals(sha384WithEC_oid) && ++ !algid.equals(sha512WithEC_oid)) { ++ alg = new AlgorithmId(algid, params); ++ } else { ++ alg = new AlgorithmId(algid); ++ } + if (params != null) + alg.decodeParams(); + +-- +1.8.3.1 + + +From e4324c4fe54c8b139fbb522c1ad899579ce0aaec Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 16 May 2018 14:52:21 -0700 +Subject: [PATCH 5/7] Ticket 3018 CMC profiles: Some CMC profiles have wrong + input class_id + +This patch fixes the profile input area where +cmcCertReqInputImpl should replace certReqInputImpl +and submitterInfoInputImpl should not be present + +fixes https://pagure.io/dogtagpki/issue/3018 + +Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad +(cherry picked from commit ac8c853ed9b06f4dfdbeb4d00f3f425f5d479824) +--- + base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCcaCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCocspCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCserverCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 5 ++--- + base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 3 +-- + 
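Review bot: The ECDSA OIDs are routed to the parameter-less constructor, but the following `if (params != null) alg.decodeParams();` still runs when the incoming encoding carried parameters, on an object that no longer holds them; whether that is a harmless no-op depends on `decodeParams`, which is outside the hunk. RFC 5758 §3.2 requires the parameters field to be absent for ecdsa-with-SHA2, so a non-null `params` here is malformed input and is better rejected, or at least logged, than silently dropped: `if (params != null && isEcdsaWithSha2) { /* log or throw: RFC 5758 forbids parameters */ }`. The four chained `!algid.equals(...)` tests would also read better as a small helper `isEcdsaWithSha2(algid)` returning the same comparison, which the new branch could reuse.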
base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 2 +- + 19 files changed, 28 insertions(+), 45 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +index 5185891..b7b4881 100644 +--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg +index 158d9fe..53b0c4d 100644 +--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Server Certificate wth ECC keys Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg +index f755243..6e41e06 100644 +--- a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Subsystem Certificate Enrollment with ECC keys using CMC +-input.list=i1,i2 
+-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +index fe2a8b3..df47758 100644 +--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Signed CMC-Authenticated User Certificate Enrollment +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +index 967d6ef..ff4856c 100644 +--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Audit Signing Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=auditSigningCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +index 49a356d..bf6c59a 100644 +--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Certificate Manager Signing Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl 
+-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=caCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +index bbe733a..1c2630d 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=KRA storage Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=drmStorageCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +index 60b19bf..3d00408 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Key Archival Authority Transport Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=transportCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg +index cd60562..14464bf 100644 +--- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=OCSP Responder Signing Certificate Enrollment using CMC +-input.list=i1,i2 
+-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=ocspCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg +index 89bbbea..9ad9fac 100644 +--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Server Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +index 4a922fc..c25ed79 100644 +--- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg +@@ -5,9 +5,8 @@ enableBy=admin + auth.instance_id=CMCAuth + authz.acl=group="Certificate Manager Agents" + name=Subsystem Certificate Enrollment using CMC +-input.list=i1,i2 +-input.i1.class_id=certReqInputImpl +-input.i2.class_id=submitterInfoInputImpl ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +index 816a1f8..d0a3c25 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=Self-Signed CMC User Certificate Enrollment + visible=false + auth.instance_id=CMCUserSignedAuth +-input.list=i1,i2 ++input.list=i1 + 
input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +index 0116053..469dbb0 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=Agent-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCAuth +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +index a15aa53..d2286de 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=User-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCUserSignedAuth +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +index 14d610c..64a6ad9 100644 +--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate + visible=false + auth.instance_id= + input.list=i1 +-input.i1.class_id=certReqInputImpl ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git 
a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +index 1a7c22d..6b2da33 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=Self-Signed CMC User Certificate Enrollment + visible=false + auth.instance_id=CMCUserSignedAuth +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +index b06f35d..dd336ad 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=Agent-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCAuth +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +index 0c2b97b..9b5d3e9 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +@@ -4,9 +4,8 @@ enableBy=admin + name=User-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCUserSignedAuth +-input.list=i1,i2 ++input.list=i1 + input.i1.class_id=cmcCertReqInputImpl +-input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +index a9c2b0c..0628a36 100644 +--- 
a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate + visible=false + auth.instance_id= + input.list=i1 +-input.i1.class_id=certReqInputImpl ++input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +-- +1.8.3.1 + + +From b66e3a729b0413d8851b6d5a875c6f6542823463 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 17 May 2018 19:36:10 -0700 +Subject: [PATCH 6/7] Ticket #2995 SAN in internal SSL server certificate in + pkispawn configuration step + +This patch adds CommonNameToSANDefault to all server profiles so that +SAN will be placed in server certs by default. +For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault +will have to be used instead. + +fixes: https://pagure.io/dogtagpki/issue/2995 + +Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641 +(cherry picked from commit 7eae0d840c1b7494db2cea67744366fe409eafea) +--- + base/ca/shared/conf/serverCert.profile | 4 +++- + base/ca/shared/profiles/ca/caAgentServerCert.cfg | 6 +++++- + base/ca/shared/profiles/ca/caECAgentServerCert.cfg | 6 +++++- + .../shared/profiles/ca/caECInternalAuthServerCert.cfg | 18 +++++++++++++++++- + base/ca/shared/profiles/ca/caECServerCert.cfg | 6 +++++- + .../ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 18 +++++++++++++++++- + base/ca/shared/profiles/ca/caServerCert.cfg | 6 +++++- + 7 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile +index 3674cbc..e740760 100644 +--- a/base/ca/shared/conf/serverCert.profile ++++ b/base/ca/shared/conf/serverCert.profile +@@ -6,7 +6,7 @@ name=All Purpose SSL server cert Profile + description=This profile creates an SSL server certificate that is valid for SSL servers + profileIDMapping=caServerCert + profileSetIDMapping=serverCertSet 
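Review bot: The switch to `cmcCertReqInputImpl` on the `input.i1.class_id` line is made on a profile whose `auth.instance_id=` is empty, so nothing at the profile layer authenticates the submitter and no `authz.acl` line is visible in the hunk; the parallel caECSimpleCMCUserCert.cfg change has the same shape. If the intent is that identification is carried inside the CMC request itself (as the other profiles in this patch do through CMCAuth/CMCUserSignedAuth), a one-line comment such as `# auth.instance_id intentionally empty: identity is established by the CMC identity proof, not by the profile` would keep the next reader from mistaking this for an open enrollment path. I cannot tell from the hunk whether the enrollment servlet enforces that proof when no auth instance is configured, so please confirm it does before this profile is enabled.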
+-list=2,4,5,6,7 ++list=2,4,5,6,7,8 + 2.default.class=com.netscape.cms.profile.def.ValidityDefault + 2.default.name=Validity Default + 2.default.params.range=720 +@@ -37,3 +37,5 @@ list=2,4,5,6,7 + 7.default.name=Extended Key Usage Extension Default + 7.default.params.exKeyUsageCritical=false + 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 ++8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault ++8.default.name=Copy Common Name to Subjec Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg +index c4d109f..0662b0a 100644 +--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg +@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=CN=.* +@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg +index c56b6de..da4811e 100644 +--- a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg ++++ 
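Review bot: The display name on the last added line of the serverCert.profile hunk has a typo, `Subjec`; the cfg profiles in the same patch spell it correctly, so it should read `8.default.name=Copy Common Name to Subject Alternative Name Extension`. Since `list=2,4,5,6,7,8` now activates entry 8 and this profile format carries no constraint entries at all, a one-line comment above `8.default.class` noting that the CN is copied into the SAN without any constraint check would match the explanatory note added to caInternalAuthServerCert.cfg in the same patch.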
b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg +@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=CN=.* +@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +index 4fc8a9c..8580544 100644 +--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=CN=.* +@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=- + # 3. 
change below to reflect the number of general names, and + # turn each corresponding subjAltExtPattern_ to true + # policyset.serverCertSet.9.default.params.subjAltNameNumGNs ++# ++# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault ++# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry ++# + policyset.serverCertSet.9.constraint.class_id=noConstraintImpl + policyset.serverCertSet.9.constraint.name=No Constraint + policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl +@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa + policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName + policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false + policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1 ++# ++# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be ++# specified during installation, the commonNameToSANDefaultImpl adds a simple ++# default single SAN from CN. ++# ++# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault ++# would "merge" into existing SAN. 
Keep commonNameToSANDefault as last entry ++# ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg +index 0ae4371..7517a5f 100644 +--- a/base/ca/shared/profiles/ca/caECServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caECServerCert.cfg +@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* +@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg +index dd10f6f..de3c2a5 100644 +--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg +@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl + output.list=o1 + 
output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=CN=.* +@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=- + # 3. change below to reflect the number of general names, and + # turn each corresponding subjAltExtPattern_ to true + # policyset.serverCertSet.9.default.params.subjAltNameNumGNs ++# ++# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault ++# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry ++# + policyset.serverCertSet.9.constraint.class_id=noConstraintImpl + policyset.serverCertSet.9.constraint.name=No Constraint + policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl +@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa + policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName + policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false + policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1 ++# ++# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be ++# specified during installation, the commonNameToSANDefaultImpl adds a simple ++# default single SAN from CN. ++# ++# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault ++# would "merge" into existing SAN. 
Keep commonNameToSANDefault as last entry ++# ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg +index 2f44c96..fdb08e4 100644 +--- a/base/ca/shared/profiles/ca/caServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caServerCert.cfg +@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* +@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension +-- +1.8.3.1 + + +From 1d70d69cc5e17be566867dd2c9e5176be0802e93 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Wed, 16 May 2018 15:28:38 -0700 +Subject: [PATCH 7/7] Fix #2996 ECC installation for non CA subsystems needs + improvement. + +The problem is that the installation of say a KRA, which is ECC enabled fails out of the box. 
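Review bot: The new `commonNameToSANDefaultImpl` entry 12 in caServerCert.cfg is paired with `noConstraintImpl`, while the only subject check in this profile is entry 1, `subjectNameConstraintImpl` with pattern `.*CN=.*`, which accepts any CN value; as written, whatever CN the requester supplies is copied into the Subject Alternative Name with no further validation at the profile level, and caECServerCert.cfg in this patch has the same pattern and the same new entry. If `CommonNameToSANDefault` does not itself verify that the CN is a syntactically valid DNS name (its implementation is not visible from this hunk), a CN such as an IP literal or a free-form string would land in the SAN, and an approving agent would see no constraint failure. Consider documenting this above entry 12, e.g. `# CN is copied into SAN unvalidated; agents must confirm CN is a valid hostname before approval`, or tightening the pattern on entry 1 if these server profiles are only meant for hostnames.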
+ +This is due to the fact that the internal cert profiles for the following certificates are incorrect: + +1. sslserver cert +2. subsystem cert +3. admin cert + +In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs. + +What we need in the ECC case is a way to correctly select the ECC versions of the above profiles. +Therefore this fix does the following: + +1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well known profile names, but can be modified in the future to be more customizable, should the need arise. + +2. I found a related problem when trying to create an ECC enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario.
+ +Change-Id: I1493d63fd8ea0157adb8f47ec0d5aaadc2b88b26 +(cherry picked from commit 530634991d553b25dfe8d4cd861b7f4412ad06ca) +--- + .../certsrv/system/ConfigurationRequest.java | 63 +++++++++++++++++++++- + .../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++-- + .../dogtagpki/server/rest/SystemConfigService.java | 25 +++++++-- + 3 files changed, 97 insertions(+), 9 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +index 5a65f3e..7ea24d2 100644 +--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java ++++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +@@ -43,6 +43,16 @@ public class ConfigurationRequest { + public static final String EXISTING_DOMAIN = "existingdomain"; + public static final String NEW_SUBDOMAIN = "newsubdomain"; + ++ // Hard coded values for ECC and RSA internal cert profile names ++ public static final String ECC_INTERNAL_SERVER_CERT_PROFILE = "caECInternalAuthServerCert"; ++ public static final String RSA_INTERNAL_SERVER_CERT_PROFILE = "caInternalAuthServerCert"; ++ ++ public static final String ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caECInternalAuthSubsystemCert"; ++ public static final String RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caInternalAuthSubsystemCert"; ++ ++ public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE="caECAdminCert"; ++ public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE="caAdminCert"; ++ + @XmlElement + protected String pin; + +@@ -605,6 +615,42 @@ public class ConfigurationRequest { + return null; + } + ++ public String getSystemCertKeyType(String tag) { ++ SystemCertData cert = getSystemCert(tag); ++ if(cert == null) ++ return null; ++ ++ return cert.getKeyType(); ++ } ++ ++ public String getSystemCertProfileID(String tag, String defaultName) { ++ String profileName = defaultName; ++ String keyType = getSystemCertKeyType(tag); ++ ++ 
System.out.println("getSystemCertProfileID tag: " + tag + " defaultName: " + defaultName + " keyType: " + keyType); ++ if (keyType == null) ++ return profileName; ++ ++ // Hard code for now based on key type. Method can be changed later to read pkispawn ++ // params sent over in the future. ++ if ("ecc".equalsIgnoreCase(keyType)) { ++ if ("sslserver".equalsIgnoreCase(tag)) { ++ profileName = ECC_INTERNAL_SERVER_CERT_PROFILE; ++ } else if ("subsystem".equalsIgnoreCase(tag)) { ++ profileName = ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE; ++ } ++ } else if ("rsa".equalsIgnoreCase(keyType)) { ++ if ("sslserver".equalsIgnoreCase(tag)) { ++ profileName = RSA_INTERNAL_SERVER_CERT_PROFILE; ++ } else if ("subsystem".equalsIgnoreCase(tag)) { ++ profileName = RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE; ++ } ++ } ++ ++ System.out.println("getSystemCertProfileID: returning: " + profileName); ++ return profileName; ++ } ++ + /** + * + * @param systemCerts +@@ -771,7 +817,22 @@ public class ConfigurationRequest { + * @return the adminProfileID + */ + public String getAdminProfileID() { +- return adminProfileID; ++ ++ // Modify the value returned based on key type of the ++ // subsystem cert. If keyType not found take the default ++ // sent over the server. In the future we can make sure ++ // the correct value is sent over the server. 
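Review bot: The two `System.out.println` calls in `getSystemCertProfileID` write to the stdout of whichever process holds this request object, and `ConfigurationRequest` lives in the `certsrv` common module, so that may be a client as well as the server; none of the other new code in this patch logs this way (the server-side hunks use `CMS.debug`). I would drop both println lines, or if the trace is wanted, route it through the same debug facility the callers use so it lands in the subsystem debug log rather than the container's stdout. The method also silently returns `defaultName` for any key type other than `ecc`/`rsa` and for any tag other than `sslserver`/`subsystem`; a short Javadoc such as `Returns defaultName when the tag is not sslserver/subsystem or the key type is unrecognized; profile names are hard-coded for now` would make that fallback explicit. The enclosing class continues outside the hunk.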
++ String keyType = this.getSystemCertKeyType("subsystem"); ++ String actualAdminProfileID = adminProfileID; ++ if(keyType != null) { ++ if("ecc".equalsIgnoreCase(keyType)) { ++ actualAdminProfileID = ECC_INTERNAL_ADMIN_CERT_PROFILE; ++ } else if("rsa".equalsIgnoreCase(keyType)) { ++ actualAdminProfileID = RSA_INTERNAL_ADMIN_CERT_PROFILE; ++ } ++ } ++ ++ return actualAdminProfileID; + } + + /** +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 0a5cd2e..7f5341a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -2568,7 +2568,9 @@ public class ConfigurationUtils { + config.putString("preop.cert.signing.type", "remote"); + config.putString("preop.cert.signing.profile", "caInstallCACert"); + config.putString("preop.cert.sslserver.type", "remote"); +- config.putString("preop.cert.sslserver.profile", "caInternalAuthServerCert"); ++ ++ config.putString("preop.cert.sslserver.profile", ++ request.getSystemCertProfileID("sslserver", "caInternalAuthServerCert")); + + // store original caType + original_caType = caType; +@@ -2650,6 +2652,8 @@ public class ConfigurationUtils { + String v = config.getString("preop.ca.type", ""); + + CMS.debug("configCert: remote CA"); ++ CMS.debug("confgCert: tag: " + certTag); ++ + PKCS10 pkcs10 = CertUtil.getPKCS10(config, PCERT_PREFIX, certObj, context); + byte[] binRequest = pkcs10.toByteArray(); + String b64Request = CryptoUtil.base64Encode(binRequest); +@@ -2671,7 +2675,10 @@ public class ConfigurationUtils { + + MultivaluedMap content = new MultivaluedHashMap(); + content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort); +- content.putSingle("profileId", profileId); ++ CMS.debug("configRemoteCert: subsystemCert: setting profileId to: " + profileId); ++ String 
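Review bot: `getAdminProfileID()` now selects `caECAdminCert` or `caAdminCert` from the key type of the subsystem certificate (`getSystemCertKeyType("subsystem")`), not from the key type of the admin certificate request itself, and whenever that key type is `ecc` or `rsa` the value a caller set through `adminProfileID` is discarded. If the admin key can be generated with a different key type than the subsystem cert (the hunk gives no way to tell), the CA will be asked to issue the admin cert against the wrong profile. At minimum the Javadoc should state the new behavior, e.g. `@return the admin profile ID derived from the subsystem cert key type; the configured adminProfileID is only honored when that key type is unknown`, and ideally the request should carry the admin key type explicitly rather than inferring it. The class continues outside the hunk.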
actualProfileId = request.getSystemCertProfileID(certTag, profileId); ++ CMS.debug("configRemoteCert: subsystemCert: calculated profileId: " + actualProfileId); ++ content.putSingle("profileId", actualProfileId); + content.putSingle("cert_request_type", "pkcs10"); + content.putSingle("cert_request", b64Request); + content.putSingle("xmlOutput", "true"); +@@ -2716,7 +2723,12 @@ public class ConfigurationUtils { + + MultivaluedMap content = new MultivaluedHashMap(); + content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort); +- content.putSingle("profileId", profileId); ++ //Get the correct profile id to send in case it's sslserver type: ++ CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId); ++ String actualProfileId = request.getSystemCertProfileID(certTag, profileId); ++ CMS.debug("configRemoteCert: tag: " + certTag + " calculated profileId: " + actualProfileId); ++ ++ content.putSingle("profileId", actualProfileId); + content.putSingle("cert_request_type", "pkcs10"); + content.putSingle("cert_request", b64Request); + content.putSingle("xmlOutput", "true"); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 5130a1a..fbfaed2 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -524,14 +524,27 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + nickname = cdata.getNickname(); + } + ++ boolean isECC = false; ++ String keyType = cdata.getKeyType(); ++ ++ CMS.debug("SystemConfigService:updateCloneConfiguration: keyType: " + keyType); ++ if("ecc".equalsIgnoreCase(keyType)) { ++ isECC = true; ++ } + X509Certificate cert = cryptoManager.findCertByNickname(nickname); + PublicKey pubk = cert.getPublicKey(); +- byte[] exponent = 
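Review bot: The profile-resolution block added in this hunk is a verbatim copy of the one added in the -2671 hunk just above (`request.getSystemCertProfileID(certTag, profileId)` plus two `CMS.debug` lines), and that earlier copy labels its messages `configRemoteCert: subsystemCert:` regardless of `certTag`, which reads as a paste of this one. A small private helper, e.g. `private static String resolveProfileId(ConfigurationRequest request, String certTag, String profileId)`, doing the lookup and the debug output once would remove the duplication and the misleading label. The -2650 hunk also adds `CMS.debug("confgCert: tag: " + certTag)` with a misspelled prefix; `configCert` matches the existing line above it. The enclosing method starts outside this hunk.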
CryptoUtil.getPublicExponent(pubk); +- byte[] modulus = CryptoUtil.getModulus(pubk); ++ byte[] exponent = null; ++ byte[] modulus = null; ++ ++ if (isECC == false) { ++ exponent = CryptoUtil.getPublicExponent(pubk); ++ modulus = CryptoUtil.getModulus(pubk); ++ cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); ++ cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); ++ } ++ + PrivateKey privk = cryptoManager.findPrivKeyByCert(cert); + +- cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); +- cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); + cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID())); + cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm()); + cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType()); +@@ -606,6 +619,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + ca_hostname = cs.getString("securitydomain.host", ""); + ca_port = cs.getInteger("securitydomain.httpseeport"); + } ++ ++ CMS.debug("Calculated admin cert profile: " + data.getAdminProfileID()); + String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port, + data.getAdminProfileID(), data.getAdminCertRequestType(), + data.getAdminCertRequest(), adminSubjectDN); +@@ -859,7 +874,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + cs.putString("preop.securitydomain.select", "existing"); + cs.putString("securitydomain.select", "existing"); + cs.putString("preop.cert.subsystem.type", "remote"); +- cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert"); ++ cs.putString("preop.cert.subsystem.profile", data.getSystemCertProfileID("subsystem", "caInternalAuthSubsystemCert")); + String securityDomainURL = data.getSecurityDomainUri(); + domainXML = logIntoSecurityDomain(data, 
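Review bot: `isECC` is derived from the caller-supplied string `cdata.getKeyType()` rather than from the key actually found in the NSS database, even though the real key is in hand two lines later via `cert.getPublicKey()`; if the request's keyType does not match the certificate under `nickname`, the RSA branch still calls `getPublicExponent`/`getModulus` on an EC key, and the EC branch silently skips writing modulus and exponent for an RSA key. Deciding from the key object avoids trusting request metadata here, e.g. `boolean isECC = pubk instanceof java.security.interfaces.ECPublicKey;` or a check on `pubk.getAlgorithm()`, with the request's keyType only cross-checked and the request rejected on mismatch. Since the unchanged line `cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType())` still records the claimed type, a comment on the EC branch saying that no `pubkey.modulus`/`pubkey.exponent` entries are written for EC keys and that downstream readers must tolerate their absence would help the next maintainer. The enclosing method starts outside the hunk.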
securityDomainURL); + } +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-batch-2.1.patch b/SOURCES/pki-core-10.5.1-batch-2.1.patch new file mode 100644 index 0000000..43a12d6 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-batch-2.1.patch 
@@ -0,0 +1,1025 @@ +From 95928ee1e268d242d8132c7bfefc60eb555afd9e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 10 May 2018 02:19:01 +0200 +Subject: [PATCH 01/11] Added CA signing cert validations + +The configuration.py has been modified to validate the presence of +CA signing cert for existing/external CA installation. + +The CertificateAuthority.getCACert() has been modified to validate +the content of ca.signing.cert property in CS.cfg. + +https://pagure.io/dogtagpki/issue/2999 + +Change-Id: I56f5649b16ea98463bfa5e770b0c1dd7f00b7fcd +(cherry picked from commit 313c701957bedfd59f7f6368d0c37d2928d1a4a1) +--- + .../src/com/netscape/ca/CertificateAuthority.java | 28 +++++++++++++--------- + .../server/deployment/scriptlets/configuration.py | 16 ++++++++----- + 2 files changed, 27 insertions(+), 17 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index 9aaa9cb..90a8fba 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -52,6 +52,7 @@ import java.util.concurrent.CountDownLatch; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpSession; + ++import org.apache.commons.lang.StringUtils; + import org.dogtagpki.legacy.ca.CAPolicy; + import org.dogtagpki.legacy.policy.IPolicyProcessor; + import org.mozilla.jss.CryptoManager; +@@ -1603,25 +1604,30 @@ public class CertificateAuthority + } + + public X509CertImpl getCACert() throws EBaseException { ++ + if (mCaCert != null) { + return mCaCert; + } +- // during configuration +- try { +- String cert = mConfig.getString("signing.cert", null); +- if (cert != null) { +- return new X509CertImpl(Utils.base64decode(cert)); +- } + +- } catch (EBaseException e) { +- CMS.debug(e); +- throw e; ++ String cert = mConfig.getString("signing.cert"); ++ CMS.debug("CertificateAuthority: CA signing cert: " + cert); ++ ++ if 
(StringUtils.isEmpty(cert)) { ++ CMS.debug("CertificateAuthority: Missing CA signing certificate"); ++ throw new EBaseException("Missing CA signing certificate"); ++ } ++ ++ byte[] bytes = Utils.base64decode(cert); ++ CMS.debug("CertificateAuthority: size: " + bytes.length + " bytes"); ++ ++ try { ++ return new X509CertImpl(bytes); + + } catch (CertificateException e) { ++ CMS.debug("Unable to parse CA signing cert: " + e.getMessage()); ++ CMS.debug(e); + throw new EBaseException(e); + } +- +- return null; + } + + public org.mozilla.jss.crypto.X509Certificate getCaX509Cert() { +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 2cda5e0..fd043a8 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -395,11 +395,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.import_system_cert_request(deployer, subsystem, 'subsystem') + self.import_system_cert_request(deployer, subsystem, 'sslserver') + +- def import_ca_signing_cert(self, deployer, nssdb): ++ def import_ca_signing_cert(self, deployer, nssdb, subsystem): + +- cert_file = deployer.mdict.get('pki_ca_signing_cert_path') ++ param = 'pki_ca_signing_cert_path' ++ cert_file = deployer.mdict.get(param) + if not cert_file or not os.path.exists(cert_file): +- return ++ if subsystem.name == 'ca': ++ raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) ++ else: ++ return + + nickname = deployer.mdict['pki_ca_signing_nickname'] + +@@ -589,14 +593,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + def import_system_certs(self, deployer, nssdb, subsystem): + + if subsystem.name == 'ca': +- self.import_ca_signing_cert(deployer, nssdb) ++ self.import_ca_signing_cert(deployer, nssdb, subsystem) + self.import_ca_ocsp_signing_cert(deployer, nssdb) + + if 
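Review bot: In getCACert(), `Utils.base64decode(cert)` runs before the try block, so a malformed ca.signing.cert value (if base64decode throws on bad input — its behaviour is not visible here) does not take the wrapped-EBaseException path the new catch provides for an unparsable certificate; moving the decode inside the try would give one consistent failure mode. Switching from `getString("signing.cert", null)` to `getString("signing.cert")` likely means a missing property now fails inside the config store with its generic message before the explicit "Missing CA signing certificate" branch is reached, which is worth confirming against what the installer reports. Callers that relied on the previous `return null` during configuration now receive an exception; document that with `@throws EBaseException if the CA signing certificate is missing or cannot be parsed`.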
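Review bot: In import_ca_signing_cert the new failure path raises a bare `Exception`, which callers cannot distinguish from any other error; a more specific type such as `raise ValueError('Invalid certificate path: %s=%s' % (param, cert_file))` fits a bad parameter better. The `else: return` after the `raise` is redundant, since the raise already leaves the function, and collapsing it to a plain `return` keeps the non-CA behaviour unchanged. The method body continues outside the hunk.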
subsystem.name == 'kra': + # Always import cert chain into internal token. + internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb) ++ self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) + finally: + internal_nssdb.close() + +@@ -608,7 +612,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Always import cert chain into internal token. + internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb) ++ self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) + finally: + internal_nssdb.close() + +-- +1.8.3.1 + + +From 177a51b8f51c9beaf3dab6ba06174a07fdf9e3ca Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 4 Jun 2018 10:53:12 -0700 +Subject: [PATCH 04/11] Ticket 3028 CMC CRMF request results in + InvalidKeyFormatException when signing algorithm is ECC + +This patch fixes the issue where in case of CRMF request with ECC keys the +public key was encoded incorrectly previously. + +The fix was done in a way that RSA portion is unaffected. 
+ +Fixes https://pagure.io/dogtagpki/issue/3028 + +Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d +(cherry picked from commit f8da5db790777ab4c0bd8ab08c5d4932e2f25349) +--- + .../src/com/netscape/cms/authentication/CMCUserSignedAuth.java | 9 +++++++-- + base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 10 +++++++++- + 2 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index d92b33b..d5f6c34 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -697,15 +697,20 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + SubjectPublicKeyInfo pkinfo = template.getPublicKey(); + PrivateKey.Type keyType = null; + String alg = pkinfo.getAlgorithm(); +- BIT_STRING bitString = pkinfo.getSubjectPublicKey(); +- byte[] publicKeyData = bitString.getBits(); ++ byte[] publicKeyData = null; ++ + if (alg.equals("RSA")) { ++ BIT_STRING bitString = pkinfo.getSubjectPublicKey(); ++ publicKeyData = bitString.getBits(); + CMS.debug(method + "signing key alg=RSA"); + keyType = PrivateKey.RSA; + selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData); + } else if (alg.equals("EC")) { + CMS.debug(method + "signing key alg=EC"); + keyType = PrivateKey.EC; ++ X509Key pubKey = CryptoUtil.getX509KeyFromCRMFMsg(crm); ++ CMS.debug(method + "got X509Key "); ++ publicKeyData = (pubKey).getEncoded(); + selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); + } else { + msg = "unsupported signature algorithm: " + alg; +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 0742f8e..7f8f11e 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ 
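Review bot: In the EC branch the public key is re-derived from the CRMF message via `CryptoUtil.getX509KeyFromCRMFMsg(crm)`, while the RSA branch takes it from `pkinfo`, the template already in hand; if `crm` is not the message `template` came from, the two branches would authenticate different keys, so a comment confirming the source would help, e.g. `// EC: rebuild the SPKI encoding from the CRMF message; the raw bits in pkinfo are not a valid SPKI for EC`. `getX509KeyFromCRMFMsg` declares four checked exceptions and how they are handled is not visible because the enclosing method starts and ends outside the hunk. `(pubKey).getEncoded()` has redundant parentheses and the debug string `"got X509Key "` carries a trailing space.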
b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -1398,7 +1398,13 @@ public class CryptoUtil { + throw new IOException("invalid certificate requests"); + } + CertReqMsg msg = (CertReqMsg) crmfMsgs.elementAt(0); +- CertRequest certreq = msg.getCertReq(); ++ return getX509KeyFromCRMFMsg(msg); ++ } ++ ++ public static X509Key getX509KeyFromCRMFMsg(CertReqMsg crmfMsg) ++ throws IOException, NoSuchAlgorithmException, ++ InvalidKeyException, InvalidKeyFormatException { ++ CertRequest certreq = crmfMsg.getCertReq(); + CertTemplate certTemplate = certreq.getCertTemplate(); + SubjectPublicKeyInfo spkinfo = certTemplate.getPublicKey(); + PublicKey pkey = spkinfo.toPublicKey(); +@@ -1904,9 +1910,11 @@ public class CryptoUtil { + System.out.println(method + "extension found"); + try { + if (jssOID.equals(SKIoid)) { ++ System.out.println(method + "SKIoid == jssOID"); + extn = + new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray()); + } else { ++ System.out.println(method + "SKIoid != jssOID"); + extn = + new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray()); + } +-- +1.8.3.1 + + +From 8f695ca9808f9060072b38b7d9b5bc79a6df4ab5 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 4 Jun 2018 11:03:20 -0700 +Subject: [PATCH 05/11] Ticket 3028 additional error checking + +Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43 +(cherry picked from commit d7eca28b1d72804e1cfabeb6851aa393fafe39c7) +--- + base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 7f8f11e..d3036f3 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -1382,6 +1382,9 @@ public class CryptoUtil { + + public static SEQUENCE parseCRMFMsgs(byte cert_request[]) + throws 
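Review bot: The new public `getX509KeyFromCRMFMsg(CertReqMsg crmfMsg)` dereferences its argument immediately at `crmfMsg.getCertReq()`, so a null message produces a NullPointerException rather than the IOException its siblings raise; the following patch (05/11) adds null guards to parseCRMFMsgs and getX509KeyFromCRMFMsgs but not to this method, so add `if (crmfMsg == null) { throw new IOException("invalid certificate request: crmfMsg null"); }` at its top for consistency. The method also has no Javadoc; a one-line summary plus `@throws` entries for the four declared exceptions would match the surrounding class. Its body continues outside the hunk.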
IOException, InvalidBERException { ++ if (cert_request == null) { ++ throw new IOException("invalid certificate requests: cert_request null"); ++ } + ByteArrayInputStream crmfBlobIn = + new ByteArrayInputStream(cert_request); + SEQUENCE crmfMsgs = (SEQUENCE) +@@ -1393,6 +1396,9 @@ public class CryptoUtil { + public static X509Key getX509KeyFromCRMFMsgs(SEQUENCE crmfMsgs) + throws IOException, NoSuchAlgorithmException, + InvalidKeyException, InvalidKeyFormatException { ++ if (crmfMsgs == null) { ++ throw new IOException("invalid certificate requests: crmfMsgs null"); ++ } + int nummsgs = crmfMsgs.size(); + if (nummsgs <= 0) { + throw new IOException("invalid certificate requests"); +-- +1.8.3.1 + + +From 63035adc06628b4ce2be20457e6c569186e1832f Mon Sep 17 00:00:00 2001 +From: gkapoor +Date: Tue, 29 May 2018 19:52:15 +0530 +Subject: [PATCH 06/11] Fix for + https://bugzilla.redhat.com/show_bug.cgi?id=1544843 + +Change-Id: Id8d45bfc804a9f26a1a475cb928cf184975a8f5f +Signed-off-by: gkapoor +(cherry picked from commit b0f9a67f4ee61c5ca1f020b0a6accefceb9bbe0b) +(cherry picked from commit 0619c9e71cc0b98885739335f6c580f6b883fec2) +--- + base/common/python/pki/nssdb.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index 0f3c97a..f350255 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -322,6 +322,13 @@ class NSSDatabase(object): + if key_type: + cmd.extend(['-k', key_type]) + ++ if key_type.lower() == 'ec': ++ # This is fix for Bugzilla 1544843 ++ cmd.extend([ ++ '--keyOpFlagsOn', 'sign', ++ '--keyOpFlagsOff', 'derive' ++ ]) ++ + if key_size: + cmd.extend(['-g', str(key_size)]) + +-- +1.8.3.1 + + +From 3b6edbcfd86ac0ca407f59f784a6f99dc6259504 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 14 Mar 2018 22:26:34 +1100 +Subject: [PATCH 07/11] Fix ACL evaluation in allow,deny mode + +When `authz.evaluateOrder=allow,deny', ACL evaluation returns 
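Review bot: The new `if key_type.lower() == 'ec':` appears to sit outside the preceding `if key_type:` guard (indentation is not recoverable here); if so, a None key_type raises AttributeError before certutil is invoked, whereas `if key_type and key_type.lower() == 'ec':` preserves the existing optional-key_type behaviour. The comment `# This is fix for Bugzilla 1544843` only cites the ticket; saying what the flags do helps the next reader, e.g. `# EC keys: enable the sign key-op flag and disable derive (Bugzilla 1544843)`.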
the +wrong result: matching allow rules deny access, and matching deny +rules allow access. + +Fix the problem and improve type safety and readability by +introducing a couple of enums for ACLEntry.Type and EvaluationOrder. + +CVE-2018-1080 + +Fixes: https://pagure.io/freeipa/issue/7453 +Change-Id: Ic076ed4b90c305cda9da2c56ec90fc77b4dac039 +(cherry picked from commit b917819285bd03f5979f053f7d2bd43a2bb88e95) +--- + .../src/com/netscape/certsrv/acls/ACLEntry.java | 28 ++--- + .../com/netscape/cms/authorization/AAclAuthz.java | 124 ++++++++------------- + 2 files changed, 60 insertions(+), 92 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java +index 5cca230..cab3f68 100644 +--- a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java ++++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java +@@ -33,9 +33,11 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + */ + private static final long serialVersionUID = 422656406529200393L; + ++ public enum Type { Allow , Deny }; ++ + protected Hashtable mPerms = new Hashtable(); + protected String expressions = null; +- protected boolean negative = false; ++ protected Type type = Type.Deny; + protected String aclEntryString = null; + + /** +@@ -45,20 +47,12 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + } + + /** +- * Checks if this ACL entry is set to negative. ++ * Get the Type of the ACL entry. + * +- * @return true if this ACL entry expression is for "deny"; +- * false if this ACL entry expression is for "allow" +- */ +- public boolean isNegative() { +- return negative; +- } +- +- /** +- * Sets this ACL entry negative. This ACL entry expression is for "deny". 
++ * @return Allow or Deny + */ +- public void setNegative() { +- negative = true; ++ public Type getType() { ++ return type; + } + + /** +@@ -160,7 +154,7 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + // don't grant permission + if (mPerms.get(permission) == null) + return false; +- if (isNegative()) { ++ if (type == Type.Deny) { + return false; + } else { + return true; +@@ -195,9 +189,9 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + ACLEntry entry = new ACLEntry(); + + if (prefix.equals("allow")) { +- // do nothing ++ entry.type = Type.Allow; + } else if (prefix.equals("deny")) { +- entry.setNegative(); ++ entry.type = Type.Deny; + } else { + return null; + } +@@ -230,7 +224,7 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { + public String toString() { + StringBuffer entry = new StringBuffer(); + +- if (isNegative()) { ++ if (type == Type.Deny) { + entry.append("deny ("); + } else { + entry.append("allow ("); +diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +index 7b69ec4..2bef101 100644 +--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java ++++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +@@ -66,6 +66,8 @@ import com.netscape.cmsutil.util.Utils; + */ + public abstract class AAclAuthz implements IAuthzManager { + ++ public enum EvaluationOrder { DenyAllow , AllowDeny }; ++ + protected static final String PROP_CLASS = "class"; + protected static final String PROP_IMPL = "impl"; + protected static final String PROP_EVAL = "accessEvaluator"; +@@ -375,7 +377,7 @@ public abstract class AAclAuthz implements IAuthzManager { + log(ILogger.LL_SECURITY, " checkACLs(): permission denied"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + } +- } else if (!entry.isNegative()) { ++ } else if (entry.getType() == ACLEntry.Type.Allow) { + 
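Review bot: checkPermission and toString now branch on `type == Type.Deny`, which treats a null `type` as allow; ACLEntry is Serializable with an unchanged serialVersionUID and the stored field changed from `negative` to `type`, so an entry read back from an older serialized form (whether that ever happens is not visible here) would carry `type == null` and be granted. Comparing against Allow instead fails closed in both places: `return type == Type.Allow;` in checkPermission and `if (type != Type.Allow) {` before `entry.append("deny (");` in toString. The enum declaration `public enum Type { Allow , Deny };` has a stray trailing semicolon and spacing, and Java convention would name the constants `ALLOW`/`DENY`, though they are referenced from AAclAuthz so that rename is a wider change.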
// didn't meet the access expression for "allow", failed + log(ILogger.LL_SECURITY, "checkACLs(): permission denied"); + throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); +@@ -503,46 +505,18 @@ public abstract class AAclAuthz implements IAuthzManager { + + CMS.debug("AAclAuthz.checkPermission(" + name + ", " + perm + ")"); + +- Vector nodev = getNodes(name); +- Enumeration nodes = nodev.elements(); +- String order = getOrder(); +- Enumeration entries = null; +- +- if (order.equals("deny")) { +- entries = getDenyEntries(nodes, perm); +- } else { +- entries = getAllowEntries(nodes, perm); +- } +- +- while (entries.hasMoreElements()) { +- ACLEntry entry = entries.nextElement(); +- +- CMS.debug("checkPermission(): expressions: " + entry.getAttributeExpressions()); +- if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { +- log(ILogger.LL_SECURITY, "checkPermission(): permission denied"); +- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); +- } +- } +- +- nodes = nodev.elements(); +- if (order.equals("deny")) { +- entries = getAllowEntries(nodes, perm); +- } else { +- entries = getDenyEntries(nodes, perm); +- } ++ Vector nodes = getNodes(name); ++ EvaluationOrder order = getOrder(); + + boolean permitted = false; +- +- while (entries.hasMoreElements()) { +- ACLEntry entry = entries.nextElement(); +- +- CMS.debug("checkPermission(): expressions: " + entry.getAttributeExpressions()); +- if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { +- permitted = true; +- } ++ if (order == EvaluationOrder.DenyAllow) { ++ checkDenyEntries(authToken, nodes, perm); ++ permitted = checkAllowEntries(authToken, nodes, perm); ++ } else if (order == EvaluationOrder.AllowDeny) { ++ permitted = checkAllowEntries(authToken, nodes, perm); ++ checkDenyEntries(authToken, nodes, perm); + } + +- nodev = null; + if (!permitted) { + String[] params = new String[2]; + params[0] = name; +@@ -560,54 +534,57 @@ public 
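Review bot: In the rewritten checkPermission both branches produce the same decision, because checkDenyEntries throws on any matching deny entry whether it runs before or after the allow check, so `authz.evaluateOrder` now only changes the evaluation sequence; if deny-always-wins is the intent (the safer reading, and consistent with the CVE fix), a comment saying so would stop the next reader from "fixing" it: `// a matching deny entry always wins; the order only decides which set is evaluated first`. If `allow,deny` was instead meant to let a matching allow short-circuit, the deny check would have to be skipped when `permitted` is true. The `else if` over a two-valued enum leaves `permitted` false for any other value, which fails closed, but a `switch` on EvaluationOrder would make exhaustiveness explicit. The method's tail continues outside the hunk.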
abstract class AAclAuthz implements IAuthzManager { + log(ILogger.LL_INFO, infoMsg); + } + +- protected Enumeration getAllowEntries(Enumeration nodes, String operation) { +- String name = ""; +- ACL acl = null; +- Enumeration e = null; +- Vector v = new Vector(); +- +- while (nodes.hasMoreElements()) { +- name = nodes.nextElement(); +- acl = mACLs.get(name); +- if (acl == null) +- continue; +- e = acl.entries(); +- while (e.hasMoreElements()) { +- ACLEntry entry = e.nextElement(); +- +- if (!entry.isNegative() && +- entry.containPermission(operation)) { +- v.addElement(entry); +- } ++ protected boolean checkAllowEntries( ++ IAuthToken authToken, ++ Iterable nodes, ++ String perm) { ++ for (ACLEntry entry : getEntries(ACLEntry.Type.Allow, nodes, perm)) { ++ CMS.debug("checkAllowEntries(): expressions: " + entry.getAttributeExpressions()); ++ if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { ++ return true; + } + } ++ return false; ++ } + +- return v.elements(); ++ /** throw EACLsException if a deny entry is matched */ ++ protected void checkDenyEntries( ++ IAuthToken authToken, ++ Iterable nodes, ++ String perm) ++ throws EACLsException { ++ for (ACLEntry entry : getEntries(ACLEntry.Type.Deny, nodes, perm)) { ++ CMS.debug("checkDenyEntries(): expressions: " + entry.getAttributeExpressions()); ++ if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { ++ log(ILogger.LL_SECURITY, "checkPermission(): permission denied"); ++ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); ++ } ++ } + } + +- protected Enumeration getDenyEntries(Enumeration nodes, String operation) { +- String name = ""; +- ACL acl = null; +- Enumeration e = null; ++ protected Iterable getEntries( ++ ACLEntry.Type entryType, ++ Iterable nodes, ++ String operation ++ ) { + Vector v = new Vector(); + +- while (nodes.hasMoreElements()) { +- name = nodes.nextElement(); +- acl = mACLs.get(name); ++ for (String name : nodes) { ++ ACL acl = 
mACLs.get(name); + if (acl == null) + continue; +- e = acl.entries(); ++ Enumeration e = acl.entries(); + while (e.hasMoreElements()) { + ACLEntry entry = e.nextElement(); + +- if (entry.isNegative() && ++ if (entry.getType() == entryType && + entry.containPermission(operation)) { + v.addElement(entry); + } + } + } + +- return v.elements(); ++ return v; + } + + /** +@@ -897,19 +874,16 @@ public abstract class AAclAuthz implements IAuthzManager { + } + } + +- public String getOrder() { +- IConfigStore mainConfig = CMS.getConfigStore(); +- String order = ""; +- ++ public static EvaluationOrder getOrder() { + try { +- order = mainConfig.getString("authz.evaluateOrder", ""); ++ String order = CMS.getConfigStore().getString("authz.evaluateOrder", ""); + if (order.startsWith("allow")) +- return "allow"; ++ return EvaluationOrder.AllowDeny; + else +- return "deny"; ++ return EvaluationOrder.DenyAllow; + } catch (Exception e) { ++ return EvaluationOrder.DenyAllow; + } +- return "deny"; + } + + public boolean evaluateACLs(IAuthToken authToken, String exp) { +-- +1.8.3.1 + + +From 71d74c61e841fbe82aac7293de28f4fc0ed05258 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 29 May 2018 15:07:30 +1000 +Subject: [PATCH 08/11] Handle empty NameConstraints subtrees when reading + extension + +When reading stored NameConstraints extension data on a request, if +includedSubtrees or excludedSubtrees is empty, an exception is +thrown. But these are valid cases, so do not thrown an exception. + +Also perform some minor drive-by refactors and add the 'static' +qualifier to a few methods to improve readability. 
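Review bot: In checkDenyEntries the security log line still reads `"checkPermission(): permission denied"` while the debug line says `checkDenyEntries()`; the two should agree so that audit entries point at the code that produced them. The one-line `/** throw EACLsException if a deny entry is matched */` should become a full doc comment with a summary sentence and `@throws EACLsException`, and checkAllowEntries and getEntries have no Javadoc at all. Removing the protected getAllowEntries/getDenyEntries and changing `nodes` to Iterable will break any subclass that called or overrode them (none is visible here).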
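Review bot: The new getOrder() swallows every exception from the config store with `catch (Exception e) { return EvaluationOrder.DenyAllow; }`; falling back to deny-first is the safe default, but the failure should be recorded, e.g. `CMS.debug("AAclAuthz.getOrder: unable to read authz.evaluateOrder, defaulting to deny,allow: " + e);` before the return. Making the method `static` changes the signature of a public method on an abstract class, so any subclass that overrode the instance version will no longer compile (none is visible here).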
+ +Part of: https://pagure.io/dogtagpki/issue/2922 + +Change-Id: I925d8a64b96dd0f45b0548ceb11dbee4223cd64c +(cherry picked from commit adb1810ddbeb30014b9ad192118bbf7ee1efd595) +--- + .../netscape/cms/profile/def/EnrollDefault.java | 7 +++--- + .../cms/profile/def/NameConstraintsExtDefault.java | 29 +++++++--------------- + 2 files changed, 13 insertions(+), 23 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +index 173ff83..f4ed98b 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java +@@ -672,7 +672,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + return true; + } + +- protected String buildRecords(Vector recs) throws EPropertyException { ++ protected static String buildRecords(Vector recs) { + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < recs.size(); i++) { +@@ -739,7 +739,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + return v; + } + +- protected String getGeneralNameType(GeneralName gn) ++ protected static String getGeneralNameType(GeneralName gn) + throws EPropertyException { + int type = gn.getType(); + +@@ -763,7 +763,8 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe + throw new EPropertyException("Unsupported type: " + type); + } + +- protected String getGeneralNameValue(GeneralName gn) throws EPropertyException { ++ protected static String getGeneralNameValue(GeneralName gn) ++ throws EPropertyException { + String s = gn.toString(); + int type = gn.getType(); + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java +index a3d41b7..eb87d1c 100644 +--- 
a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java +@@ -478,12 +478,7 @@ public class NameConstraintsExtDefault extends EnrollExtDefault { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + +- if (subtrees == null) { +- CMS.debug("NameConstraintsExtDefault::getValue() VAL_PERMITTED_SUBTREES is null!"); +- throw new EPropertyException("subtrees is null"); +- } +- +- return getSubtreesInfo(ext, subtrees); ++ return getSubtreesInfo(subtrees); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); +@@ -500,28 +495,22 @@ public class NameConstraintsExtDefault extends EnrollExtDefault { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + +- if (subtrees == null) { +- CMS.debug("NameConstraintsExtDefault::getValue() VAL_EXCLUDED_SUBTREES is null!"); +- throw new EPropertyException("subtrees is null"); +- } +- +- return getSubtreesInfo(ext, subtrees); ++ return getSubtreesInfo(subtrees); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + +- private String getSubtreesInfo(NameConstraintsExtension ext, +- GeneralSubtrees subtrees) throws EPropertyException { +- Vector trees = subtrees.getSubtrees(); +- int size = trees.size(); +- +- Vector recs = new Vector(); ++ private static String getSubtreesInfo(GeneralSubtrees subtrees) ++ throws EPropertyException { ++ if (subtrees == null) ++ return ""; + +- for (int i = 0; i < size; i++) { +- GeneralSubtree tree = trees.elementAt(i); ++ Vector trees = subtrees.getSubtrees(); ++ Vector recs = new Vector<>(); + ++ for (GeneralSubtree tree : trees) { + GeneralName gn = tree.getGeneralName(); + String type = getGeneralNameType(gn); + int max = tree.getMaxValue(); +-- +1.8.3.1 + + +From 
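Review bot: getSubtreesInfo now returns an empty string when `subtrees` is null, which is the intended handling of an absent permitted or excluded list, but nothing records that contract; a Javadoc such as `Renders the subtrees as a record string; returns "" when no subtrees of this kind are present.` would make it explicit. The two callers in getValue also lose the previous debug message, so an absent subtree list is now silent in the logs; a `CMS.debug` in the null branch would preserve that visibility. The method body continues outside the hunk.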
a0cca30d5b42355e559d38cfe11b03bfb00c8b4c Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 29 May 2018 15:39:48 +1000 +Subject: [PATCH 09/11] IPAddressName: fix toString method + +IPAddressName.toString() is invoked when saving +NameConstraintDefault configurations. Its implementation was wrong; +it produced bogus output for the netmasked variants used for +NameConstraints. This resulted in issuance failures. Update the +method to produce correct output for both netmasked and +non-netmasked addresses. + +Fixes: https://pagure.io/dogtagpki/issue/2922 +Change-Id: I3012565379961add5ac8286043f55c8e30520ddd +(cherry picked from commit a796f490b4c8aeea228195dacc3843cabe56b3ac) +--- + .../src/netscape/security/x509/IPAddressName.java | 60 ++++++++++++++-------- + 1 file changed, 38 insertions(+), 22 deletions(-) + +diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java +index 1c01f58..a343a5f 100644 +--- a/base/util/src/netscape/security/x509/IPAddressName.java ++++ b/base/util/src/netscape/security/x509/IPAddressName.java +@@ -156,30 +156,46 @@ public class IPAddressName implements GeneralNameInterface { + * Return a printable string of IPaddress + */ + public String toString() { +- if (address.length == 4) { +- return ("IPAddress: " + (address[0] & 0xff) + "." +- + (address[1] & 0xff) + "." +- + (address[2] & 0xff) + "." 
+ (address[3] & 0xff)); ++ StringBuilder r = new StringBuilder("IPAddress: "); ++ ByteBuffer buf = ByteBuffer.wrap(address); ++ if (address.length == IPv4_LEN) { ++ writeIPv4(r, buf); ++ } else if (address.length == IPv4_LEN * 2) { ++ writeIPv4(r, buf); ++ r.append(","); ++ writeIPv4(r, buf); ++ } else if (address.length == IPv6_LEN) { ++ writeIPv6(r, buf); ++ } else if (address.length == IPv6_LEN * 2) { ++ writeIPv6(r, buf); ++ r.append(","); ++ writeIPv6(r, buf); + } else { +- StringBuffer r = new StringBuffer("IPAddress: " + Integer.toHexString(address[0] & 0xff)); +- String hexString = Integer.toHexString(address[1] & 0xff); +- if (hexString.length() == 1) { +- r.append("0" + hexString); +- } else { +- r.append(hexString); +- } +- for (int i = 2; i < address.length;) { +- r.append(":" + Integer.toHexString(address[i] & 0xff)); +- hexString = Integer.toHexString(address[i + 1] & 0xff); +- if (hexString.length() == 1) { +- r.append("0" + hexString); +- } else { +- r.append(hexString); +- } +- i += 2; +- } +- return r.toString(); ++ // shouldn't be possible ++ r.append("0.0.0.0"); + } ++ return r.toString(); ++ } ++ ++ private static void writeIPv4(StringBuilder r, ByteBuffer buf) { ++ for (int i = 0; i < 4; i++) { ++ if (i > 0) r.append("."); ++ r.append(buf.get() & 0xff); ++ } ++ } ++ ++ private static void writeIPv6(StringBuilder r, ByteBuffer buf) { ++ for (int i = 0; i < 8; i++) { ++ if (i > 0) r.append(":"); ++ r.append(Integer.toHexString(read16BitInt(buf))); ++ } ++ } ++ ++ /** ++ * Read big-endian 16-bit int from buffer (advancing cursor) ++ */ ++ private static int read16BitInt(ByteBuffer buf) { ++ return ((buf.get() & 0xff) << 8) + (buf.get() & 0xff); + } + + /** +-- +1.8.3.1 + + +From 943bc3e77f630465906cfcd11812b917f06d1478 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 4 Jun 2018 16:47:57 -0700 +Subject: [PATCH 10/11] Ticket 3033 CRMFPopClient tool - should allow option to + do no key archival + +This patch allows key transport cert file to 
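Review bot: The fallback branch in toString() appends `"0.0.0.0"` for an address array whose length is none of the four expected values; since this string is what gets persisted when a NameConstraints default is saved (per the commit message), an unexpected or corrupted length would be silently written out as a valid-looking address. Prefer failing loudly or showing the raw data, e.g. `throw new IllegalStateException("unexpected IP address length: " + address.length);` or appending the hex of `address` together with its length. `IPv4_LEN` and `IPv6_LEN` are referenced but declared outside the hunk, and the IPv6 groups are now printed without zero-padding via `Integer.toHexString`, which is valid shorthand but differs from the previous formatting — worth a comment if anything parses this string.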
not be specified, which would +then not include key archive option in the CRMF request. + +fixes https://pagure.io/dogtagpki/issue/3033 + +Change-Id: Ib8c585c15057684aa049632d8eb67c2827d7e774 +(cherry picked from commit 8cf6b5b2ac6da169f1c63341159faebc09580798) +--- + .../src/com/netscape/cmstools/CRMFPopClient.java | 83 +++++++++++++--------- + 1 file changed, 48 insertions(+), 35 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index bc95983..747b7d6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -309,7 +309,8 @@ public class CRMFPopClient { + String subjectDN = cmd.getOptionValue("n"); + boolean encodingEnabled = Boolean.parseBoolean(cmd.getOptionValue("k", "false")); + +- String transportCertFilename = cmd.getOptionValue("b", "transport.txt"); ++ // if transportCertFilename is not specified then assume no key archival ++ String transportCertFilename = cmd.getOptionValue("b"); + + String popOption = cmd.getOptionValue("q", "POP_SUCCESS"); + +@@ -444,11 +445,18 @@ public class CRMFPopClient { + CRMFPopClient client = new CRMFPopClient(); + client.setVerbose(verbose); + +- if (verbose) System.out.println("Loading transport certificate"); +- String encoded = new String(Files.readAllBytes(Paths.get(transportCertFilename))); +- byte[] transportCertData = Cert.parseCertificate(encoded); ++ String encoded = null; ++ X509Certificate transportCert = null; ++ if (transportCertFilename != null) { ++ if (verbose) System.out.println("archival option enabled"); ++ if (verbose) System.out.println("Loading transport certificate"); ++ encoded = new String(Files.readAllBytes(Paths.get(transportCertFilename))); ++ byte[] transportCertData = Cert.parseCertificate(encoded); ++ transportCert = manager.importCACertPackage(transportCertData); ++ } else { ++ if (verbose) 
System.out.println("archival option not enabled"); ++ } + +- X509Certificate transportCert = manager.importCACertPackage(transportCertData); + + if (verbose) System.out.println("Parsing subject DN"); + Name subject = client.createName(subjectDN, encodingEnabled); +@@ -478,7 +486,7 @@ public class CRMFPopClient { + String kid = CryptoUtil.encodeKeyID(id); + System.out.println("Keypair private key id: " + kid); + +- if (hostPort != null) { ++ if ((transportCert != null) && (hostPort != null)) { + // check the CA for the required key wrap algorithm + // if found, override whatever has been set by the command line + // options for the key wrap algorithm +@@ -492,8 +500,10 @@ public class CRMFPopClient { + kwAlg = getKeyWrapAlgotihm(pkiclient); + } + +- if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); +- keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); ++ if (verbose && (transportCert != null)) System.out.println("Using key wrap algorithm: " + kwAlg); ++ if (transportCert != null) { ++ keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); ++ } + + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( +@@ -652,36 +662,39 @@ public class CRMFPopClient { + KeyPair keyPair, + Name subject, + KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { +- byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); +- OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); +- +- /* TODO(alee) +- * +- * HACK HACK! +- * algorithms like AES KeyWrap do not require an IV, but we need to include one +- * in the AlgorithmIdentifier above, or the creation and parsing of the +- * PKIArchiveOptions options will fail. 
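Review bot: The two adjacent `transportCert != null` tests in the `@@ -492` hunk can be folded into one block: `if (transportCert != null) { if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); }`. That also makes it obvious that `keyWrapAlgorithm` keeps its initial value (presumably null; its declaration is outside the hunk) when no transport certificate is given, which createCertRequest later relies on. In the `@@ -444` hunk, `encoded` is hoisted to method scope but only used inside the `if`, and `new String(Files.readAllBytes(...))` still decodes with the platform default charset; passing `StandardCharsets.UTF_8` would make the read deterministic.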
So we include an IV in aid, but null it +- * later to correctly encrypt the data +- */ +- AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); +- +- Class[] iv_classes = keyWrapAlgorithm.getParameterClasses(); +- if (iv_classes == null || iv_classes.length == 0) +- iv = null; +- +- WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); +- +- PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( +- token, +- transportCert.getPublicKey(), +- (PrivateKey) keyPair.getPrivate(), +- params, +- aid); + + CertTemplate certTemplate = createCertTemplate(subject, keyPair.getPublic()); +- + SEQUENCE seq = new SEQUENCE(); +- seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts)); ++ ++ if (transportCert != null) { // add key archive Option ++ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); ++ OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); ++ ++ /* TODO(alee) ++ * ++ * HACK HACK! ++ * algorithms like AES KeyWrap do not require an IV, but we need to include one ++ * in the AlgorithmIdentifier above, or the creation and parsing of the ++ * PKIArchiveOptions options will fail. 
So we include an IV in aid, but null it ++ * later to correctly encrypt the data ++ */ ++ AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); ++ ++ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses(); ++ if (iv_classes == null || iv_classes.length == 0) ++ iv = null; ++ ++ WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); ++ ++ PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( ++ token, ++ transportCert.getPublicKey(), ++ (PrivateKey) keyPair.getPrivate(), ++ params, ++ aid); ++ ++ seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts)); ++ } // key archival option + + /* + OCTET_STRING ostr = createIDPOPLinkWitness(); +-- +1.8.3.1 + + +From 13f571329219958d573ba2194e58adce1239a14f Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 6 Jun 2018 11:28:55 -0700 +Subject: [PATCH 11/11] Bugzilla #1580527 CMCAuth Authorization for agents. + +This patch adds proper authz entries to enrollment profiles using CMCAuth; +It also adds proper acl check inside ProfileSubmitCMCServlet for CMCAuth. 
+ +Fixes 2nd part of Bugzilla #1580527 + +Change-Id: I61fa1613f752c5bc203ab18d6a073eb7a13c966b +(cherry picked from commit 405b31bbbc8940354da22e2ab90215d8a19ff86e) +--- + base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 1 + + base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 1 + + .../servlet/profile/ProfileSubmitCMCServlet.java | 23 ++++++++++++++++++---- + 3 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +index 469dbb0..b24cb03 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg +@@ -4,6 +4,7 @@ enableBy=admin + name=Agent-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" + input.list=i1 + input.i1.class_id=cmcCertReqInputImpl + output.list=o1 +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +index dd336ad..c15b002 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +@@ -4,6 +4,7 @@ enableBy=admin + name=Agent-Signed CMC-Authenticated User Certificate Enrollment + visible=false + auth.instance_id=CMCAuth ++authz.acl=group="Certificate Manager Agents" + input.list=i1 + input.i1.class_id=cmcCertReqInputImpl + output.list=o1 +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index a0bcfb5..7d75e31 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -438,10 +438,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + context.put("sslClientCertProvider", + new 
SSLClientCertProvider(request)); + CMS.debug("ProfileSubmitCMCServlet: set sslClientCertProvider"); ++ ++ String auditSubjectID = auditSubjectID(); + if (authenticator != null) { + try { + authToken = authenticate(authenticator, request); + // authentication success ++ if (authToken != null) { ++ auditSubjectID = authToken.getInString(IAuthToken.USER_ID); ++ } + } catch (EBaseException e) { + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); +@@ -468,6 +473,20 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } catch (Exception e) { + CMS.debug("ProfileSubmitCMCServlet authorization failure: " + e.toString()); + } ++ ++ // CMCAuth should pair with additional authz check as it counts ++ // as pre-approved ++ String authMgrID = authenticator.getName(); ++ if (authMgrID.equals("CMCAuth")) { ++ authzToken = null; // reset authzToken ++ CMS.debug("ProfileSubmitCMCServlet CMCAuth requires additional authz check"); ++ try { ++ authzToken = authorize(mAclMethod, authToken, ++ "certServer.ca.certrequests", "execute"); ++ } catch (Exception e) { ++ CMS.debug("ProfileSubmitCMCServlet authorization failure: " + e.toString()); ++ } ++ } + } + + if (authzToken == null) { +@@ -486,10 +505,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + } + +- String auditSubjectID = auditSubjectID(); +- if (authToken != null) { +- auditSubjectID = authToken.getInString(IAuthToken.USER_ID); +- } + String auditMessage = CMS.getLogMessage( + AuditEvent.CMC_REQUEST_RECEIVED, + auditSubjectID, +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-beta.patch b/SOURCES/pki-core-10.5.1-beta.patch new file mode 100644 index 0000000..1349653 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-beta.patch 
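Review bot: The additional agent authorization in the `@@ -468,6 +473,20 @@` hunk of ProfileSubmitCMCServlet.java is keyed on the configured instance name, `authMgrID.equals("CMCAuth")`, so a CMCAuth plugin registered under any other instance id, referenced from a profile's `auth.instance_id`, keeps the pre-approved path without the agent check; matching on the implementation instead of the instance name, `authenticator instanceof CMCAuth` if that class is reachable from the servlet, or the implementation name the authenticator reports (`getImplName()` where the interface provides it), would close that gap. The `catch (Exception e)` after the new `authorize` call only writes a debug line, which is presumably fine because `authzToken` stays null and the `if (authzToken == null)` branch below handles it, but a comment such as `// authzToken stays null on failure; the request is rejected below` would keep the next reader from treating it as a swallowed failure. The profile-level `authz.acl=group="Certificate Manager Agents"` added in the two .cfg hunks and the servlet's `certServer.ca.certrequests` / `execute` check are independent gates, and a comment at the servlet check naming the profile ACL as the other half would keep them from drifting apart. The enclosing method starts before the hunk and ends after it.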
@@ -0,0 +1,2236 @@ +From 073b60fe200768ca56ef53f9b24cf6ba9225cc52 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Mon, 27 Nov 2017 22:42:00 -0700 +Subject: Fix seobject pylint issues + +dogtagpki Pagure Issue #2856 - Pylint flags seobject failures + +Change-Id: Ied117961e8212ac0a73e78b9857282de91aa7cf7 +(cherry picked from commit c3b69ae92c884e7f230766b37a8723c2ce905eca) +--- + base/server/python/pki/server/deployment/pkihelper.py | 5 ++++- + .../python/pki/server/deployment/scriptlets/selinux_setup.py | 8 ++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index c6e1597..49945b9 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -801,7 +801,9 @@ class ConfigurationFile: + extra=config.PKI_INDENTATION_LEVEL_2) + return + +- portrecs = seobject.portRecords().get_all() ++ trans = seobject.semanageRecords("targeted") ++ trans.start() ++ portrecs = seobject.portRecords(trans).get_all() + portlist = ports[:] + for port in portlist: + context = "" +@@ -829,6 +831,7 @@ class ConfigurationFile: + raise Exception( + log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT % + (port, context)) ++ trans.finish() + return + + def verify_ds_secure_connection_data(self): +diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +index 9c926d1..d5e4b0c 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py ++++ b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +@@ -83,7 +83,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if deployer.mdict['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + +- fcon = seobject.fcontextRecords() ++ fcon = seobject.fcontextRecords(trans) + + 
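Review bot: In the `@@ -801,7 +801,9 @@` hunk of pkihelper.py the semanage transaction opened by `trans.start()` is closed only by the `trans.finish()` added in the `@@ -829,6 +831,7 @@` hunk, which is never reached when the port loop raises the `PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT` exception or fails in any other way, so the transaction is left open. Put the port check under `try:` with `finally:` / `trans.finish()` so it is closed on every exit, or, since this code only reads the records, confirm whether `portRecords(trans)` needs a started transaction at all. The enclosing method starts before the first hunk.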
config.pki_log.info( + "adding selinux fcontext \"%s\"", +@@ -121,7 +121,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + +- port_records = seobject.portRecords() ++ port_records = seobject.portRecords(trans) + for port in ports: + config.pki_log.info( + "adding selinux port %s", port, +@@ -176,7 +176,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if deployer.mdict['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + +- fcon = seobject.fcontextRecords() ++ fcon = seobject.fcontextRecords(trans) + + config.pki_log.info( + "deleting selinux fcontext \"%s\"", +@@ -212,7 +212,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_database_path'] + + self.suffix, "") + +- port_records = seobject.portRecords() ++ port_records = seobject.portRecords(trans) + for port in ports: + config.pki_log.info( + "deleting selinux port %s", port, +-- +1.8.3.1 + + +From d70d4af983bd78444e8779c24e105c13c66ab502 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 30 Nov 2017 15:28:38 -0800 +Subject: =?UTF-8?q?Ticket=20#2861=20ExternalCA:=20Failures=20in=20External?= + =?UTF-8?q?CA=20when=20tried=20to=20setup=20with=20CMC=20signed=20certific?= + =?UTF-8?q?ates=0AThe=20issue=20was=20found=20when=20the=20ValidityConstra?= + =?UTF-8?q?int=20does=20not=20restrict=20the=20cert=20signed=20to=20not=20?= + =?UTF-8?q?exceed=20the=20CA=20signing=20cert's=20expiry=20date.=20=20Upon?= + =?UTF-8?q?=20close=20examination,=20it=20appears=20that=20the=20CAValidit?= + =?UTF-8?q?yConstraint=20was=20not=20registered=20by=20default.=20=20By=20?= + =?UTF-8?q?registering=20this=20constraint=20and=20replacing=20the=20Valid?= + =?UTF-8?q?ityConstraint=20in=20the=20caCMCcaCert=20profile,=20it=20effect?= + =?UTF-8?q?ively=20sets=20the=20restriction.?= + +Change-Id: I557894cfffacc656e3b3a453fe7e7c98f0b61d87 
+(cherry picked from commit a6a9576d506fbe6944b3dca32258c8661c2a800a) +--- + base/ca/shared/conf/registry.cfg | 5 ++++- + base/ca/shared/profiles/ca/caCMCcaCert.cfg | 6 ++---- + .../cms/profile/constraint/CAValidityConstraint.java | 19 +++++++++++++------ + 3 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg +index 519d854..54e4d95 100644 +--- a/base/ca/shared/conf/registry.cfg ++++ b/base/ca/shared/conf/registry.cfg +@@ -1,5 +1,5 @@ + types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater +-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl ++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl + constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint + constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint + constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint +@@ -42,6 +42,9 @@ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Na + 
constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint + constraintPolicy.validityConstraintImpl.desc=Validity Constraint + constraintPolicy.validityConstraintImpl.name=Validity Constraint ++constraintPolicy.caValidityConstraintImpl.class=com.netscape.cms.profile.constraint.CAValidityConstraint ++constraintPolicy.caValidityConstraintImpl.desc=CA Validity Constraint ++constraintPolicy.caValidityConstraintImpl.name=CA Validity Constraint + constraintPolicy.renewGracePeriodConstraintImpl.class=com.netscape.cms.profile.constraint.RenewGracePeriodConstraint + constraintPolicy.renewGracePeriodConstraintImpl.desc=Renewal Grace Period Constraint + constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constraint +diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +index f6df36f..9c95182 100644 +--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg +@@ -19,11 +19,9 @@ policyset.caCertSet.1.constraint.params.accept=true + policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl + policyset.caCertSet.1.default.name=Subject Name Default + policyset.caCertSet.1.default.params.name= +-policyset.caCertSet.2.constraint.class_id=validityConstraintImpl +-policyset.caCertSet.2.constraint.name=Validity Constraint ++policyset.caCertSet.2.constraint.class_id=caValidityConstraintImpl ++policyset.caCertSet.2.constraint.name=CA Validity Constraint + policyset.caCertSet.2.constraint.params.range=7305 +-policyset.caCertSet.2.constraint.params.notBeforeCheck=false +-policyset.caCertSet.2.constraint.params.notAfterCheck=false + policyset.caCertSet.2.default.class_id=caValidityDefaultImpl + policyset.caCertSet.2.default.name=CA Certificate Validity Default + policyset.caCertSet.2.default.params.range=7305 +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java 
b/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java +index 77585c0..0e55f2b 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java +@@ -74,7 +74,8 @@ public class CAValidityConstraint extends CAEnrollConstraint { + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { +- CMS.debug("CAValidityConstraint: validate start"); ++ String method = "CAValidityConstraint: validate: "; ++ CMS.debug(method + "validate start"); + CertificateValidity v = null; + + try { +@@ -88,7 +89,7 @@ public class CAValidityConstraint extends CAEnrollConstraint { + try { + notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); + } catch (IOException e) { +- CMS.debug("CAValidity: not before " + e.toString()); ++ CMS.debug(method + "not before " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } +@@ -97,27 +98,33 @@ public class CAValidityConstraint extends CAEnrollConstraint { + try { + notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); + } catch (IOException e) { +- CMS.debug("CAValidity: not after " + e.toString()); ++ CMS.debug(method + "not after " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + + if (mDefNotBefore != null) { +- CMS.debug("ValidtyConstraint: notBefore=" + notBefore + ++ CMS.debug(method + "notBefore=" + notBefore + + " defNotBefore=" + mDefNotBefore); + if (notBefore.before(mDefNotBefore)) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } + } +- CMS.debug("ValidtyConstraint: notAfter=" + notAfter + ++ CMS.debug(method + "notAfter=" + notAfter + + " defNotAfter=" + mDefNotAfter); + if (notAfter.after(mDefNotAfter)) { + throw new 
ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + +- CMS.debug("CAValidtyConstraint: validate end"); ++ if (notAfter.getTime() < notBefore.getTime()) { ++ CMS.debug(method + "notAfter (" + notAfter + ") < notBefore (" + notBefore + ")"); ++ throw new ERejectException(CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); ++ } ++ ++ CMS.debug(method + "validate end"); + } + + public String getText(Locale locale) { +-- +1.8.3.1 + + +From 28319a47ffa02b7dc2d02364dedde36e8738f2b6 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 4 Dec 2017 22:05:06 +0100 +Subject: Cleaned up CMake scripts. + +The CMake scripts in Tomcat folders have been cleaned up to remove +redundant find_file() invocations. + +https://pagure.io/dogtagpki/issue/2560 + +Change-Id: Idf7c21e9c55c6113111ac43cc2e3ea4239076164 +(cherry picked from commit 3a179d961561c3cbb51d19e358d7eae4b7d067a7) +--- + base/CMakeLists.txt | 7 ++ + base/server/tomcat/src/CMakeLists.txt | 118 ++------------------------------- + base/server/tomcat7/src/CMakeLists.txt | 89 ------------------------- + base/server/tomcat8/src/CMakeLists.txt | 92 +------------------------ + 4 files changed, 13 insertions(+), 293 deletions(-) + +diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt +index 0b93c51..4ece8e0 100644 +--- a/base/CMakeLists.txt ++++ b/base/CMakeLists.txt +@@ -152,6 +152,13 @@ find_file(TOMCAT_CATALINA_JAR + /usr/share/java/tomcat + ) + ++find_file(TOMCAT_COYOTE_JAR ++ NAMES ++ tomcat-coyote.jar ++ PATHS ++ /usr/share/java/tomcat ++) ++ + find_file(TOMCAT_UTIL_JAR + NAMES + tomcat-util.jar +diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt +index b9a3b4c..ebbf696 100644 +--- a/base/server/tomcat/src/CMakeLists.txt ++++ b/base/server/tomcat/src/CMakeLists.txt +@@ -1,125 +1,15 @@ + project(pki-tomcat) + +-find_file(JSS_JAR +- NAMES +- jss4.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- 
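Review bot: The new inverted-range rejection in the `@@ -97,27 +98,33 @@` hunk of CAValidityConstraint.java uses a message key, `CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE`, that this commit does not add to any resource bundle (the diffstat lists only registry.cfg, caCMCcaCert.cfg and this class), so confirm the key already exists or the rejection text will not resolve for the agent. For consistency with the neighbouring `notBefore.before(mDefNotBefore)` and `notAfter.after(mDefNotAfter)` comparisons the check reads better as `if (notAfter.before(notBefore)) {`. Placing it ahead of the CA-bound comparisons would also report a malformed request range with the specific message instead of whichever bound check happens to fail first. `validate` starts before the hunk.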
/usr/share/java +-) +- +-find_file(LDAPJDK_JAR +- NAMES +- ldapjdk.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(COMMONS_CODEC_JAR +- NAMES +- commons-codec.jar +- PATHS +- /usr/share/java +-) +- +-find_file(COMMONS_HTTPCLIENT_JAR +- NAMES +- commons-httpclient.jar +- PATHS +- /usr/share/java +-) +- +-find_file(APACHE_COMMONS_LANG_JAR +- NAMES +- apache-commons-lang.jar +- PATHS +- /usr/share/java +-) +- +-find_file(VELOCITY_JAR +- NAMES +- velocity.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XALAN_JAR +- NAMES +- xalan-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XERCES_JAR +- NAMES +- xerces-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(RESTEASY_JAXRS_JAR +- NAMES +- resteasy-jaxrs.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(RESTEASY_ATOM_PROVIDER_JAR +- NAMES +- resteasy-atom-provider.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(HTTPCLIENT_JAR +- NAMES +- httpclient.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- +-find_file(HTTPCORE_JAR +- NAMES +- httpcore.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- +-find_file(TOMCATJSS_JAR +- NAMES +- tomcatjss.jar +- PATHS +- /usr/share/java +-) +- +-find_file(NUXWDOG_JAR +- NAMES +- nuxwdog.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(TOMCAT_COYOTE_JAR +- NAMES +- tomcat-coyote.jar +- PATHS +- /usr/share/java/tomcat +-) +- + # build pki-tomcat + javac(pki-tomcat-classes + SOURCES + *.java + CLASSPATH +- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} +- ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} +- ${TOMCAT_COYOTE_JAR} ++ ${SERVLET_JAR} ++ ${TOMCAT_CATALINA_JAR} ${TOMCAT_COYOTE_JAR} ${TOMCAT_UTIL_SCAN_JAR} ++ ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} + OUTPUT_DIR + ${CMAKE_BINARY_DIR}/../../tomcat + DEPENDS ++ pki-tools-jar + ) +diff --git a/base/server/tomcat7/src/CMakeLists.txt 
b/base/server/tomcat7/src/CMakeLists.txt +index 0293abf..58c9d87 100644 +--- a/base/server/tomcat7/src/CMakeLists.txt ++++ b/base/server/tomcat7/src/CMakeLists.txt +@@ -1,94 +1,5 @@ + project(pki-tomcat7) + +-find_file(JSS_JAR +- NAMES +- jss4.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(LDAPJDK_JAR +- NAMES +- ldapjdk.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(COMMONS_CODEC_JAR +- NAMES +- commons-codec.jar +- PATHS +- /usr/share/java +-) +- +-find_file(COMMONS_HTTPCLIENT_JAR +- NAMES +- commons-httpclient.jar +- PATHS +- /usr/share/java +-) +- +-find_file(APACHE_COMMONS_LANG_JAR +- NAMES +- apache-commons-lang.jar +- PATHS +- /usr/share/java +-) +- +-find_file(VELOCITY_JAR +- NAMES +- velocity.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XALAN_JAR +- NAMES +- xalan-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XERCES_JAR +- NAMES +- xerces-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(RESTEASY_JAXRS_JAR +- NAMES +- resteasy-jaxrs.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(RESTEASY_ATOM_PROVIDER_JAR +- NAMES +- resteasy-atom-provider.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(HTTPCLIENT_JAR +- NAMES +- httpclient.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- +-find_file(HTTPCORE_JAR +- NAMES +- httpcore.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- + # build pki-tomcat + javac(pki-tomcat7-classes + SOURCES +diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt +index 110ad20..70d0ef6 100644 +--- a/base/server/tomcat8/src/CMakeLists.txt ++++ b/base/server/tomcat8/src/CMakeLists.txt +@@ -1,100 +1,12 @@ + project(pki-tomcat8) + +-find_file(JSS_JAR +- NAMES +- jss4.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(LDAPJDK_JAR +- NAMES +- ldapjdk.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java 
+-) +- +-find_file(COMMONS_CODEC_JAR +- NAMES +- commons-codec.jar +- PATHS +- /usr/share/java +-) +- +-find_file(COMMONS_HTTPCLIENT_JAR +- NAMES +- commons-httpclient.jar +- PATHS +- /usr/share/java +-) +- +-find_file(APACHE_COMMONS_LANG_JAR +- NAMES +- apache-commons-lang.jar +- PATHS +- /usr/share/java +-) +- +-find_file(VELOCITY_JAR +- NAMES +- velocity.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XALAN_JAR +- NAMES +- xalan-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(XERCES_JAR +- NAMES +- xerces-j2.jar +- PATHS +- ${JAVA_LIB_INSTALL_DIR} +- /usr/share/java +-) +- +-find_file(RESTEASY_JAXRS_JAR +- NAMES +- resteasy-jaxrs.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(RESTEASY_ATOM_PROVIDER_JAR +- NAMES +- resteasy-atom-provider.jar +- PATHS +- ${RESTEASY_LIB} +-) +- +-find_file(HTTPCLIENT_JAR +- NAMES +- httpclient.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- +-find_file(HTTPCORE_JAR +- NAMES +- httpcore.jar +- PATHS +- /usr/share/java/httpcomponents +-) +- + # build pki-tomcat + javac(pki-tomcat8-classes + SOURCES + *.java + CLASSPATH +- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${TOMCAT_API_JAR} ++ ${SERVLET_JAR} ++ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${TOMCAT_API_JAR} + ${JAXRS_API_JAR} + ${CMAKE_BINARY_DIR}/../../tomcat + OUTPUT_DIR +-- +1.8.3.1 + + +From 02694bab7fdc18e08f559b7a8fa219bbb39b97ae Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 5 Dec 2017 01:18:43 +0100 +Subject: Refactored instance_layout.py. + +The methods in instance_layout.py has been modified to return early. +The code has been reformatted to reduce indentations. 
+ +https://pagure.io/dogtagpki/issue/2560 + +Change-Id: Icfac8d4b1af2b09f9df82befbc5714f9d1af38aa +(cherry picked from commit a60d4d987f1bf9dc9d72031994a6aa2fb7b9f7e4) +--- + .../deployment/scriptlets/instance_layout.py | 281 +++++++++++---------- + 1 file changed, 142 insertions(+), 139 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index a9a2840..fc08fe1 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -41,159 +41,162 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + +- # if this is the first subsystem +- if len(deployer.instance.tomcat_instance_subsystems()) == 1: +- +- # establish instance logs +- deployer.directory.create(deployer.mdict['pki_instance_log_path']) ++ # if this is not the first subsystem, skip ++ if len(deployer.instance.tomcat_instance_subsystems()) != 1: ++ return + +- # copy /usr/share/pki/server/conf tree into +- # /var/lib/pki//conf +- # except common ldif files and theme deployment descriptor +- deployer.directory.copy( ++ # establish instance logs ++ deployer.directory.create(deployer.mdict['pki_instance_log_path']) ++ ++ # copy /usr/share/pki/server/conf tree into ++ # /var/lib/pki//conf ++ # except common ldif files and theme deployment descriptor ++ deployer.directory.copy( ++ deployer.mdict['pki_source_server_path'], ++ deployer.mdict['pki_instance_configuration_path'], ++ ignore_cb=file_ignore_callback_src_server) ++ ++ # Link /etc/pki//logging.properties ++ # to /usr/share/pki/server/conf/logging.properties. 
++ deployer.symlink.create( ++ os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), ++ os.path.join(deployer.mdict['pki_instance_configuration_path'], ++ "logging.properties")) ++ ++ # create /etc/sysconfig/ ++ deployer.file.copy_with_slot_substitution( ++ deployer.mdict['pki_source_tomcat_conf'], ++ deployer.mdict['pki_target_tomcat_conf_instance_id'], ++ uid=0, gid=0, overwrite_flag=True) ++ ++ # create /var/lib/pki//conf/tomcat.conf ++ deployer.file.copy_with_slot_substitution( ++ deployer.mdict['pki_source_tomcat_conf'], ++ deployer.mdict['pki_target_tomcat_conf'], ++ overwrite_flag=True) ++ ++ # Deploy ROOT web application ++ deployer.deploy_webapp( ++ "ROOT", ++ os.path.join( ++ config.PKI_DEPLOYMENT_SOURCE_ROOT, ++ "server", ++ "webapps", ++ "ROOT"), ++ os.path.join( ++ deployer.mdict['pki_source_server_path'], ++ "Catalina", ++ "localhost", ++ "ROOT.xml")) ++ ++ # Deploy pki web application which includes themes, ++ # admin templates, and JS libraries ++ deployer.deploy_webapp( ++ "pki", ++ os.path.join( ++ config.PKI_DEPLOYMENT_SOURCE_ROOT, ++ "server", ++ "webapps", ++ "pki"), ++ os.path.join( + deployer.mdict['pki_source_server_path'], +- deployer.mdict['pki_instance_configuration_path'], +- ignore_cb=file_ignore_callback_src_server) ++ "Catalina", ++ "localhost", ++ "pki.xml")) + +- # Link /etc/pki//logging.properties +- # to /usr/share/pki/server/conf/logging.properties. 
++ # Create Tomcat instance library ++ deployer.directory.create(deployer.mdict['pki_instance_lib']) ++ for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']): + deployer.symlink.create( +- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), +- os.path.join(deployer.mdict['pki_instance_configuration_path'], +- "logging.properties")) +- +- # create /etc/sysconfig/ +- deployer.file.copy_with_slot_substitution( +- deployer.mdict['pki_source_tomcat_conf'], +- deployer.mdict['pki_target_tomcat_conf_instance_id'], +- uid=0, gid=0, overwrite_flag=True) +- +- # create /var/lib/pki//conf/tomcat.conf +- deployer.file.copy_with_slot_substitution( +- deployer.mdict['pki_source_tomcat_conf'], +- deployer.mdict['pki_target_tomcat_conf'], +- overwrite_flag=True) +- +- # Deploy ROOT web application +- deployer.deploy_webapp( +- "ROOT", +- os.path.join( +- config.PKI_DEPLOYMENT_SOURCE_ROOT, +- "server", +- "webapps", +- "ROOT"), +- os.path.join( +- deployer.mdict['pki_source_server_path'], +- "Catalina", +- "localhost", +- "ROOT.xml")) +- +- # Deploy pki web application which includes themes, +- # admin templates, and JS libraries +- deployer.deploy_webapp( +- "pki", + os.path.join( +- config.PKI_DEPLOYMENT_SOURCE_ROOT, +- "server", +- "webapps", +- "pki"), ++ deployer.mdict['pki_tomcat_lib_path'], ++ name), + os.path.join( +- deployer.mdict['pki_source_server_path'], +- "Catalina", +- "localhost", +- "pki.xml")) +- +- # Create Tomcat instance library +- deployer.directory.create(deployer.mdict['pki_instance_lib']) +- for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']): +- deployer.symlink.create( +- os.path.join( +- deployer.mdict['pki_tomcat_lib_path'], +- name), +- os.path.join( +- deployer.mdict['pki_instance_lib'], +- name)) +- +- # Link /var/lib/pki//lib/log4j.properties +- # to /usr/share/pki/server/conf/log4j.properties. 
+- deployer.symlink.create( +- os.path.join(deployer.mdict['pki_source_server_path'], +- "log4j.properties"), +- deployer.mdict['pki_instance_lib_log4j_properties']) +- +- # Link /var/lib/pki//common to /usr/share/pki/server/common +- deployer.symlink.create( +- '/usr/share/pki/server/common', +- deployer.mdict['pki_tomcat_common_path']) +- +- deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) +- +- deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) +- deployer.directory.create( +- deployer.mdict['pki_tomcat_work_catalina_path']) +- deployer.directory.create( +- deployer.mdict['pki_tomcat_work_catalina_host_path']) +- deployer.directory.create( +- deployer.mdict['pki_tomcat_work_catalina_host_run_path']) +- deployer.directory.create( +- deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) +- # establish Tomcat instance logs +- # establish Tomcat instance registry +- # establish Tomcat instance convenience symbolic links +- deployer.symlink.create( +- deployer.mdict['pki_tomcat_bin_path'], +- deployer.mdict['pki_tomcat_bin_link']) +- deployer.symlink.create( +- deployer.mdict['pki_tomcat_systemd'], +- deployer.mdict['pki_instance_systemd_link'], +- uid=0, gid=0) +- +- # establish shared NSS security databases for this instance +- deployer.directory.create(deployer.mdict['pki_database_path']) +- # establish instance convenience symbolic links +- deployer.symlink.create( +- deployer.mdict['pki_database_path'], +- deployer.mdict['pki_instance_database_link']) +- deployer.symlink.create( +- deployer.mdict['pki_instance_configuration_path'], +- deployer.mdict['pki_instance_conf_link']) +- deployer.symlink.create( +- deployer.mdict['pki_instance_log_path'], +- deployer.mdict['pki_instance_logs_link']) +- +- # create Tomcat instance systemd service link +- deployer.symlink.create(deployer.mdict['pki_systemd_service'], +- deployer.mdict['pki_systemd_service_link']) ++ deployer.mdict['pki_instance_lib'], ++ name)) ++ ++ # Link 
/var/lib/pki//lib/log4j.properties ++ # to /usr/share/pki/server/conf/log4j.properties. ++ deployer.symlink.create( ++ os.path.join(deployer.mdict['pki_source_server_path'], ++ "log4j.properties"), ++ deployer.mdict['pki_instance_lib_log4j_properties']) ++ ++ # Link /var/lib/pki//common to /usr/share/pki/server/common ++ deployer.symlink.create( ++ '/usr/share/pki/server/common', ++ deployer.mdict['pki_tomcat_common_path']) ++ ++ deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) ++ ++ deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) ++ deployer.directory.create( ++ deployer.mdict['pki_tomcat_work_catalina_path']) ++ deployer.directory.create( ++ deployer.mdict['pki_tomcat_work_catalina_host_path']) ++ deployer.directory.create( ++ deployer.mdict['pki_tomcat_work_catalina_host_run_path']) ++ deployer.directory.create( ++ deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) ++ # establish Tomcat instance logs ++ # establish Tomcat instance registry ++ # establish Tomcat instance convenience symbolic links ++ deployer.symlink.create( ++ deployer.mdict['pki_tomcat_bin_path'], ++ deployer.mdict['pki_tomcat_bin_link']) ++ deployer.symlink.create( ++ deployer.mdict['pki_tomcat_systemd'], ++ deployer.mdict['pki_instance_systemd_link'], ++ uid=0, gid=0) ++ ++ # establish shared NSS security databases for this instance ++ deployer.directory.create(deployer.mdict['pki_database_path']) ++ # establish instance convenience symbolic links ++ deployer.symlink.create( ++ deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_instance_database_link']) ++ deployer.symlink.create( ++ deployer.mdict['pki_instance_configuration_path'], ++ deployer.mdict['pki_instance_conf_link']) ++ deployer.symlink.create( ++ deployer.mdict['pki_instance_log_path'], ++ deployer.mdict['pki_instance_logs_link']) ++ ++ # create Tomcat instance systemd service link ++ deployer.symlink.create(deployer.mdict['pki_systemd_service'], ++ 
deployer.mdict['pki_systemd_service_link']) + + def destroy(self, deployer): + + config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + +- if len(deployer.instance.tomcat_instance_subsystems()) == 0: +- +- # remove Tomcat instance systemd service link +- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) ++ # if this is not the last subsystem, skip ++ if len(deployer.instance.tomcat_instance_subsystems()) != 0: ++ return + +- # remove Tomcat instance base +- deployer.directory.delete(deployer.mdict['pki_instance_path']) +- # remove Tomcat instance logs +- deployer.directory.delete(deployer.mdict['pki_instance_log_path']) +- # remove shared NSS security database path for this instance +- deployer.directory.delete(deployer.mdict['pki_database_path']) +- # remove Tomcat instance configuration +- deployer.directory.delete( +- deployer.mdict['pki_instance_configuration_path']) +- # remove PKI 'tomcat.conf' instance file +- deployer.file.delete( +- deployer.mdict['pki_target_tomcat_conf_instance_id']) +- # remove Tomcat instance registry ++ # remove Tomcat instance systemd service link ++ deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) ++ ++ # remove Tomcat instance base ++ deployer.directory.delete(deployer.mdict['pki_instance_path']) ++ # remove Tomcat instance logs ++ deployer.directory.delete(deployer.mdict['pki_instance_log_path']) ++ # remove shared NSS security database path for this instance ++ deployer.directory.delete(deployer.mdict['pki_database_path']) ++ # remove Tomcat instance configuration ++ deployer.directory.delete( ++ deployer.mdict['pki_instance_configuration_path']) ++ # remove PKI 'tomcat.conf' instance file ++ deployer.file.delete( ++ deployer.mdict['pki_target_tomcat_conf_instance_id']) ++ # remove Tomcat instance registry ++ deployer.directory.delete( ++ deployer.mdict['pki_instance_registry_path']) ++ # remove Tomcat PKI registry (if empty) ++ if 
deployer.instance.tomcat_instances() == 0: + deployer.directory.delete( +- deployer.mdict['pki_instance_registry_path']) +- # remove Tomcat PKI registry (if empty) +- if deployer.instance.tomcat_instances() == 0: +- deployer.directory.delete( +- deployer.mdict['pki_instance_type_registry_path']) ++ deployer.mdict['pki_instance_type_registry_path']) + + + # Callback only when the /usr/share/pki/server/conf directory +-- +1.8.3.1 + + +From 658264176174a011c5ed5bdbad763554bdc6853d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 5 Dec 2017 18:09:57 +0100 +Subject: Refactored configuration.py. + +The code that updates the cert parameter in configure_system_cert() +has been moved into a separate update_system_cert() method to +allow reusability. + +https://pagure.io/dogtagpki/issue/2560 + +Change-Id: Ic59edf2398eca1f46037746954ced20343602580 +(cherry picked from commit a490c258c5ba5c5f3995a9bf21fe7a46b5a63002) +--- + .../server/deployment/scriptlets/configuration.py | 96 ++++++++++++++-------- + 1 file changed, 60 insertions(+), 36 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 1870505..0fe4191 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -619,69 +619,75 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + self.import_cert_chain(deployer, nssdb) + +- def configure_system_cert(self, deployer, nssdb, subsystem, tag): ++ def configure_system_cert(self, deployer, subsystem, tag): + + cert_id = self.get_cert_id(subsystem, tag) +- + nickname = deployer.mdict['pki_%s_nickname' % cert_id] +- cert_data = nssdb.get_cert( +- nickname=nickname, +- output_format='base64') + + subsystem.config['%s.%s.nickname' % (subsystem.name, tag)] = nickname + subsystem.config['%s.%s.tokenname' % (subsystem.name, tag)] = \ + 
deployer.mdict['pki_%s_token' % cert_id] +- subsystem.config['%s.%s.cert' % (subsystem.name, tag)] = cert_data + subsystem.config['%s.%s.defaultSigningAlgorithm' % (subsystem.name, tag)] = \ + deployer.mdict['pki_%s_key_algorithm' % cert_id] + +- def configure_ca_signing_cert(self, deployer, nssdb, subsystem): ++ def update_system_cert(self, deployer, nssdb, subsystem, tag): ++ ++ cert_id = self.get_cert_id(subsystem, tag) ++ nickname = deployer.mdict['pki_%s_nickname' % cert_id] ++ ++ cert_data = nssdb.get_cert( ++ nickname=nickname, ++ output_format='base64') ++ ++ subsystem.config['%s.%s.cert' % (subsystem.name, tag)] = cert_data ++ ++ def configure_ca_signing_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring ca_signing certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'signing') ++ self.configure_system_cert(deployer, subsystem, 'signing') + + nickname = deployer.mdict['pki_ca_signing_nickname'] + subsystem.config['ca.signing.cacertnickname'] = nickname + +- def configure_ca_ocsp_signing_cert(self, deployer, nssdb, subsystem): ++ def configure_ca_ocsp_signing_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring ca_ocsp_signing certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'ocsp_signing') ++ self.configure_system_cert(deployer, subsystem, 'ocsp_signing') + +- def configure_sslserver_cert(self, deployer, nssdb, subsystem): ++ def configure_sslserver_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring sslserver certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'sslserver') ++ self.configure_system_cert(deployer, subsystem, 'sslserver') + +- def configure_subsystem_cert(self, deployer, nssdb, subsystem): ++ def configure_subsystem_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring 
subsystem certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'subsystem') ++ self.configure_system_cert(deployer, subsystem, 'subsystem') + +- def configure_audit_signing_cert(self, deployer, nssdb, subsystem): ++ def configure_audit_signing_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring audit_signing certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'audit_signing') ++ self.configure_system_cert(deployer, subsystem, 'audit_signing') + +- def configure_admin_cert(self, deployer, subsystem): ++ def update_admin_cert(self, deployer, subsystem): + + config.pki_log.info( +- "configuring admin certificate", ++ "updating admin certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + + client_nssdb = pki.nssdb.NSSDatabase( +@@ -699,48 +705,65 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + finally: + client_nssdb.close() + +- def configure_kra_storage_cert(self, deployer, nssdb, subsystem): ++ def configure_kra_storage_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring kra_storage certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'storage') ++ self.configure_system_cert(deployer, subsystem, 'storage') + +- def configure_kra_transport_cert(self, deployer, nssdb, subsystem): ++ def configure_kra_transport_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring kra_transport certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- self.configure_system_cert(deployer, nssdb, subsystem, 'transport') ++ self.configure_system_cert(deployer, subsystem, 'transport') + +- def configure_ocsp_signing_cert(self, deployer, nssdb, subsystem): ++ def configure_ocsp_signing_cert(self, deployer, subsystem): + + config.pki_log.info( + "configuring ocsp_signing certificate", + extra=config.PKI_INDENTATION_LEVEL_2) + +- 
self.configure_system_cert(deployer, nssdb, subsystem, 'signing') ++ self.configure_system_cert(deployer, subsystem, 'signing') ++ ++ def configure_system_certs(self, deployer, subsystem): ++ ++ if subsystem.name == 'ca': ++ self.configure_ca_signing_cert(deployer, subsystem) ++ self.configure_ca_ocsp_signing_cert(deployer, subsystem) ++ ++ if subsystem.name == 'kra': ++ self.configure_kra_storage_cert(deployer, subsystem) ++ self.configure_kra_transport_cert(deployer, subsystem) ++ ++ if subsystem.name == 'ocsp': ++ self.configure_ocsp_signing_cert(deployer, subsystem) ++ ++ self.configure_sslserver_cert(deployer, subsystem) ++ self.configure_subsystem_cert(deployer, subsystem) ++ self.configure_audit_signing_cert(deployer, subsystem) + +- def configure_system_certs(self, deployer, nssdb, subsystem): ++ def update_system_certs(self, deployer, nssdb, subsystem): + + if subsystem.name == 'ca': +- self.configure_ca_signing_cert(deployer, nssdb, subsystem) +- self.configure_ca_ocsp_signing_cert(deployer, nssdb, subsystem) ++ self.update_system_cert(deployer, nssdb, subsystem, 'signing') ++ self.update_system_cert(deployer, nssdb, subsystem, 'ocsp_signing') + + if subsystem.name == 'kra': +- self.configure_kra_storage_cert(deployer, nssdb, subsystem) +- self.configure_kra_transport_cert(deployer, nssdb, subsystem) +- self.configure_admin_cert(deployer, subsystem) ++ self.update_system_cert(deployer, nssdb, subsystem, 'storage') ++ self.update_system_cert(deployer, nssdb, subsystem, 'transport') ++ self.update_admin_cert(deployer, subsystem) + + if subsystem.name == 'ocsp': +- self.configure_ocsp_signing_cert(deployer, nssdb, subsystem) +- self.configure_admin_cert(deployer, subsystem) ++ self.update_system_cert(deployer, nssdb, subsystem, 'signing') ++ self.update_admin_cert(deployer, subsystem) + +- self.configure_sslserver_cert(deployer, nssdb, subsystem) +- self.configure_subsystem_cert(deployer, nssdb, subsystem) +- self.configure_audit_signing_cert(deployer, 
nssdb, subsystem) ++ self.update_system_cert(deployer, nssdb, subsystem, 'sslserver') ++ self.update_system_cert(deployer, nssdb, subsystem, 'subsystem') ++ self.update_system_cert(deployer, nssdb, subsystem, 'audit_signing') + + def validate_system_cert(self, deployer, nssdb, subsystem, tag): + +@@ -1007,7 +1030,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.import_system_cert_requests(deployer, subsystem) + self.import_system_certs(deployer, nssdb, subsystem) + +- self.configure_system_certs(deployer, nssdb, subsystem) ++ self.configure_system_certs(deployer, subsystem) ++ self.update_system_certs(deployer, nssdb, subsystem) + subsystem.save() + + self.validate_system_certs(deployer, nssdb, subsystem) +-- +1.8.3.1 + + +From f9dc3ed48ec7ce33b1160df7de49032e53db54a0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 5 Dec 2017 02:20:18 +0100 +Subject: Removed obsolete JSS connector parameters. + +The following JSS connector parameters are obsolete: +* sslOptions +* ssl2Ciphers +* ssl3Ciphers +* tlsCiphers + +They are ignored when the "range" parameters are present, so they +have been removed from server.xml templates. 
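Review bot: `update_system_cert` stores the result of `nssdb.get_cert(...)` straight into `subsystem.config['%s.%s.cert' ...]` with no check; if `get_cert` returns `None` for a missing nickname (it appears to return rather than raise, but that helper is outside this hunk), the `None` is persisted by the `subsystem.save()` that `execute()` now runs right after `update_system_certs`, and the problem only surfaces in `validate_system_certs` afterwards. A guard immediately after the lookup, `if cert_data is None: raise Exception('Missing %s certificate: %s' % (tag, nickname))`, would fail before anything is written. The configure/update split also deserves one-line docstrings, since the two must now be called in order: `configure_system_cert` only records nickname, token name and signing algorithm from the deployment dictionary, while `update_system_cert` is the single step that reads the NSS database.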
+ +https://pagure.io/dogtagpki/issue/2630 + +Change-Id: I966add1d919a26317929a69a53b9e56cb0134b29 +(cherry picked from commit bfaa447d9ecaaf5fd7156cc1bcbdf36036122de2) +--- + base/server/config/pkislots.cfg | 4 -- + .../python/pki/server/deployment/pkiparser.py | 48 ---------------------- + base/server/tomcat7/conf/server.xml | 8 ---- + base/server/tomcat8/conf/server.xml | 8 ---- + 4 files changed, 68 deletions(-) + +diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg +index d806c1f..0f07e19 100644 +--- a/base/server/config/pkislots.cfg ++++ b/base/server/config/pkislots.cfg +@@ -74,10 +74,6 @@ TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB] + TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR] + TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE] + TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT] +-TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS] +-TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS] +-TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS] +-TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS] + TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM] + TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM] + TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS] +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index c95fed1..e924908 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1148,54 +1148,6 @@ class PKIConfigParser: + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_256_CBC_SHA" +- self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ +- "-SSL2_RC4_128_WITH_MD5," + \ +- "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ +- "-SSL2_RC2_128_CBC_WITH_MD5," + \ +- "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," + \ +- "-SSL2_DES_64_CBC_WITH_MD5," + \ +- "-SSL2_DES_192_EDE3_CBC_WITH_MD5" +- self.mdict['TOMCAT_SSL3_CIPHERS_SLOT'] = \ +- 
"-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," + \ +- "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," + \ +- "+SSL3_RSA_WITH_RC4_128_SHA," + \ +- "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," + \ +- "-SSL3_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-SSL3_RSA_WITH_DES_CBC_SHA," + \ +- "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," + \ +- "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," + \ +- "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," + \ +- "-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," + \ +- "-SSL3_RSA_WITH_NULL_MD5," + \ +- "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," + \ +- "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" +- self.mdict['TOMCAT_SSL_OPTIONS_SLOT'] = \ +- "ssl2=false," + \ +- "ssl3=false," + \ +- "tls=true" +- self.mdict['TOMCAT_TLS_CIPHERS_SLOT'] = \ +- "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ +- "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ +- "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + + if self.deployer.architecture == 64: + self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( +diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml +index 2db8bca..dae513d 100644 +--- a/base/server/tomcat7/conf/server.xml ++++ b/base/server/tomcat7/conf/server.xml +@@ -143,10 +143,6 @@ 
Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + 'ocspTimeout' + 'strictCiphers' + 'clientauth' (ALL lowercase) +- 'sslOptions' +- 'ssl2Ciphers' +- 'ssl3Ciphers' +- 'tlsCiphers' + 'sslVersionRangeStream' + 'sslVersionRangeDatagram' + 'sslRangeCiphers' +@@ -201,10 +197,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + ocspTimeout="10" + strictCiphers="true" + clientAuth="[PKI_AGENT_CLIENTAUTH]" +- sslOptions="[TOMCAT_SSL_OPTIONS]" +- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" +- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" +- tlsCiphers="[TOMCAT_TLS_CIPHERS]" + sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" + sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" + sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" +diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml +index 64b1b00..d08e3b1 100644 +--- a/base/server/tomcat8/conf/server.xml ++++ b/base/server/tomcat8/conf/server.xml +@@ -162,10 +162,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + 'ocspTimeout' + 'strictCiphers' + 'clientauth' (ALL lowercase) +- 'sslOptions' +- 'ssl2Ciphers' +- 'ssl3Ciphers' +- 'tlsCiphers' + 'sslVersionRangeStream' + 'sslVersionRangeDatagram' + 'sslRangeCiphers' +@@ -227,10 +223,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + ocspTimeout="10" + strictCiphers="true" + clientAuth="[PKI_AGENT_CLIENTAUTH]" +- sslOptions="[TOMCAT_SSL_OPTIONS]" +- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" +- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" +- tlsCiphers="[TOMCAT_TLS_CIPHERS]" + sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" + sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" + sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" +-- +1.8.3.1 + + +From 5d79128fc6834737bf2f93b8d9e95296154e184f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 5 Dec 2017 08:15:51 +0100 +Subject: Added pki-server cert-export CLI. 
+ +A new pki-server cert-export CLI has been added to export a system +certificate with its key and certificate chain into a PKCS #12 file. +This is needed to export the SSL server certificate to be used by +Tomcat's built-in SSL connector. + +https://pagure.io/dogtagpki/issue/2560 + +Change-Id: Ic10af305bfb25c21641e78ef615533f70f9799b1 +(cherry picked from commit 33529f21f650a18d0ef80333158a6fd63812f770) +--- + base/server/python/pki/server/cli/cert.py | 201 ++++++++++++++++++++++++++++++ + 1 file changed, 201 insertions(+) + +diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py +index 0757b36..0885348 100644 +--- a/base/server/python/pki/server/cli/cert.py ++++ b/base/server/python/pki/server/cli/cert.py +@@ -22,6 +22,7 @@ from __future__ import absolute_import + from __future__ import print_function + + import getopt ++import getpass + import sys + import tempfile + import os +@@ -45,6 +46,7 @@ class CertCLI(pki.cli.CLI): + self.add_module(CertUpdateCLI()) + self.add_module(CertCreateCLI()) + self.add_module(CertImportCLI()) ++ self.add_module(CertExportCLI()) + + @staticmethod + def print_system_cert(cert, show_all=False): +@@ -870,3 +872,202 @@ class CertImportCLI(pki.cli.CLI): + + finally: + nssdb.close() ++ ++ ++class CertExportCLI(pki.cli.CLI): ++ def __init__(self): ++ super(CertExportCLI, self).__init__( ++ 'export', 'Export system certificate.') ++ ++ def usage(self): # flake8: noqa ++ print('Usage: pki-server cert-export [OPTIONS] ') ++ print() ++ print('Specify at least one output file: certificate, CSR, or PKCS #12.') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --cert-file Output file to store the exported certificate in PEM format.') ++ print(' --csr-file Output file to store the exported CSR in PEM format.') ++ print(' --pkcs12-file Output file to store the exported certificate and key in PKCS #12 format.') ++ print(' --pkcs12-password Password for the PKCS #12 
file.') ++ print(' --pkcs12-password-file Input file containing the password for the PKCS #12 file.') ++ print(' --append Append into an existing PKCS #12 file.') ++ print(' --no-trust-flags Do not include trust flags') ++ print(' --no-key Do not include private key') ++ print(' --no-chain Do not include certificate chain') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ try: ++ opts, args = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', 'cert-file=', 'csr-file=', ++ 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', ++ 'append', 'no-trust-flags', 'no-key', 'no-chain', ++ 'verbose', 'debug', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ cert_file = None ++ csr_file = None ++ pkcs12_file = None ++ pkcs12_password = None ++ pkcs12_password_file = None ++ append = False ++ include_trust_flags = True ++ include_key = True ++ include_chain = True ++ debug = False ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--cert-file': ++ cert_file = a ++ ++ elif o == '--csr-file': ++ csr_file = a ++ ++ elif o == '--pkcs12-file': ++ pkcs12_file = a ++ ++ elif o == '--pkcs12-password': ++ pkcs12_password = a ++ ++ elif o == '--pkcs12-password-file': ++ pkcs12_password_file = a ++ ++ elif o == '--append': ++ append = True ++ ++ elif o == '--no-trust-flags': ++ include_trust_flags = False ++ ++ elif o == '--no-key': ++ include_key = False ++ ++ elif o == '--no-chain': ++ include_chain = False ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--debug': ++ debug = True ++ ++ elif o == '--help': ++ self.usage() ++ sys.exit() ++ ++ else: ++ self.print_message('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) < 1: ++ print('ERROR: missing cert ID') ++ self.usage() ++ sys.exit(1) ++ ++ cert_id 
= args[0] ++ ++ if not (cert_file or csr_file or pkcs12_file): ++ print('ERROR: missing output file') ++ self.usage() ++ sys.exit(1) ++ ++ instance = server.PKIInstance(instance_name) ++ ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = None ++ cert_tag = cert_id ++ ++ if cert_id != 'sslserver' and cert_id != 'subsystem': ++ # To avoid ambiguity where cert ID can contain more than 1 _, we limit to one split ++ temp_cert_identify = cert_id.split('_', 1) ++ subsystem_name = temp_cert_identify[0] ++ cert_tag = temp_cert_identify[1] ++ ++ # If cert ID is instance specific, get it from first subsystem ++ if not subsystem_name: ++ subsystem_name = instance.subsystems[0].name ++ ++ subsystem = instance.get_subsystem(subsystem_name) ++ ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance.' ++ '%s.' % (subsystem_name, instance_name)) ++ sys.exit(1) ++ ++ nssdb = instance.open_nssdb() ++ ++ try: ++ cert = subsystem.get_subsystem_cert(cert_tag) ++ ++ if not cert: ++ print('ERROR: missing %s certificate' % cert_id) ++ self.usage() ++ sys.exit(1) ++ ++ if cert_file: ++ ++ if self.verbose: ++ print('Exporting %s certificate into %s.' % (cert_id, cert_file)) ++ ++ cert_data = cert.get('data', None) ++ if cert_data is None: ++ print("ERROR: Unable to find certificate data for %s" % cert_id) ++ sys.exit(1) ++ ++ cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') ++ with open(cert_file, 'w') as f: ++ f.write(cert_data) ++ ++ if csr_file: ++ ++ if self.verbose: ++ print('Exporting %s CSR into %s.' 
% (cert_id, csr_file)) ++ ++ cert_request = cert.get('request', None) ++ if cert_request is None: ++ print("ERROR: Unable to find certificate request for %s" % cert_id) ++ sys.exit(1) ++ ++ csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') ++ with open(csr_file, 'w') as f: ++ f.write(csr_data) ++ ++ if pkcs12_file: ++ ++ if self.verbose: ++ print('Exporting %s certificate and key into %s.' % (cert_id, pkcs12_file)) ++ ++ if not pkcs12_password and not pkcs12_password_file: ++ pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ') ++ ++ nicknames = [] ++ nicknames.append(cert['nickname']) ++ ++ nssdb.export_pkcs12( ++ pkcs12_file=pkcs12_file, ++ pkcs12_password=pkcs12_password, ++ pkcs12_password_file=pkcs12_password_file, ++ nicknames=nicknames, ++ append=append, ++ include_trust_flags=include_trust_flags, ++ include_key=include_key, ++ include_chain=include_chain, ++ debug=debug) ++ ++ finally: ++ nssdb.close() +-- +1.8.3.1 + + +From 0f379b99a6397319962220d9fdbea8fb384db5a3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 6 Dec 2017 19:15:11 +0100 +Subject: Updated logger for Tomcat-related classes. + +The Tomcat-related classes have been modified to use JUL logging +framework. 
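Review bot: `cert_id.split('_', 1)` is indexed at `[1]` without checking that the split produced two parts, so any cert ID without an underscore other than `sslserver` or `subsystem` (a typo such as `signing`) dies with an uncaught `IndexError` instead of the usage error the surrounding code prints for other bad input; add `if len(temp_cert_identify) != 2: print('ERROR: invalid cert ID %s' % cert_id); sys.exit(1)` right after the split. `instance.subsystems[0]` a few lines later has the same shape if the instance holds no subsystems, though `is_valid()`/`load()` may already rule that out outside this hunk. Because this command exports the private key by default, `--pkcs12-password` places the PKCS #12 password on the command line where it is visible to other local users via the process list and in shell history; the usage text should steer operators to the file or prompt alternatives, e.g. `print('  --pkcs12-password  Password for the PKCS #12 file (visible in the process list; prefer --pkcs12-password-file or the prompt).')`. Whether `export_pkcs12` restricts the mode of the output file is not visible here; if it does not, the key-bearing file inherits the caller's umask and an explicit `os.chmod(pkcs12_file, 0o600)` after the export would be prudent.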
+ +https://pagure.io/dogtagpki/issue/2560 + +Change-Id: Ifb0fb61e3018940f27cd71f584cbeae2fc9e707c +(cherry picked from commit 9328085e1dae988f64445812af5d07027797fe92) +--- + .../cms/tomcat/AbstractPKIAuthenticator.java | 35 +++++++++++----------- + .../cms/tomcat/ExternalAuthenticationValve.java | 19 +++++++----- + .../src/com/netscape/cms/tomcat/PKIListener.java | 27 +++++++++-------- + 3 files changed, 43 insertions(+), 38 deletions(-) + +diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java +index f98377d..2a68a39 100644 +--- a/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java ++++ b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java +@@ -20,15 +20,16 @@ package com.netscape.cms.tomcat; + + import java.io.IOException; + import java.security.cert.X509Certificate; ++import java.util.logging.Logger; + + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + import javax.servlet.http.HttpServletResponseWrapper; + ++import org.apache.catalina.Authenticator; + import org.apache.catalina.Container; + import org.apache.catalina.Globals; + import org.apache.catalina.LifecycleException; +-import org.apache.catalina.Authenticator; + import org.apache.catalina.authenticator.AuthenticatorBase; + import org.apache.catalina.authenticator.BasicAuthenticator; + import org.apache.catalina.authenticator.FormAuthenticator; +@@ -40,6 +41,8 @@ import org.apache.catalina.connector.Request; + */ + public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + ++ final static Logger logger = Logger.getLogger(AbstractPKIAuthenticator.class.getName()); ++ + public final static String BASIC_AUTHENTICATOR = "BASIC"; + public final static String FORM_AUTHENTICATOR = "FORM"; + +@@ -49,7 +52,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + 
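Review bot: The new `logger` field is declared package-private (`final static Logger logger = ...`), which exposes the class's logger to every other class in `com.netscape.cms.tomcat`; a logger is an implementation detail and should be `private static final Logger logger = Logger.getLogger(AbstractPKIAuthenticator.class.getName());`. The neighbouring constants use the file's `final static` modifier order, so `private final static` is acceptable if consistency with them is preferred, but the `private` is the part that matters. The same package-private declaration is repeated in the other two classes touched by this commit.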
AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator(); + + public AbstractPKIAuthenticator() { +- log("Creating SSL authenticator with fallback"); ++ logger.info("PKIAuthenticator: Creating " + getClass().getSimpleName()); + } + + public String getFallbackMethod() { +@@ -57,7 +60,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + } + + public void setFallbackMethod(String fallbackMethod) { +- log("Fallback method: "+fallbackMethod); ++ logger.info("PKIAuthenticator: Fallback method: " + fallbackMethod); + this.fallbackMethod = fallbackMethod; + + if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { +@@ -74,25 +77,25 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + boolean result; + + if (certs != null && certs.length > 0) { +- log("Authenticate with client certificate authentication"); ++ logger.info("PKIAuthenticator: Authenticate with client certificate authentication"); + HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { + public void setHeader(String name, String value) { +- log("SSL auth header: "+name+"="+value); ++ logger.fine("PKIAuthenticator: SSL auth header: " + name + "=" + value); + }; + public void sendError(int code) { +- log("SSL auth return code: "+code); ++ logger.fine("PKIAuthenticator: SSL auth return code: " + code); + } + }; + result = doSubAuthenticate(sslAuthenticator, request, wrapper); + + } else { +- log("Authenticating with "+fallbackMethod+" authentication"); ++ logger.info("PKIAuthenticator: Authenticating with " + fallbackMethod + " authentication"); + HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { + public void setHeader(String name, String value) { +- log("Fallback auth header: "+name+"="+value); ++ logger.fine("PKIAuthenticator: Fallback auth header: " + name + "=" + value); + }; + public void sendError(int code) { +- log("Fallback auth return code: "+code); ++ 
logger.fine("PKIAuthenticator: Fallback auth return code: " + code); + } + }; + result = doSubAuthenticate(fallbackAuthenticator, request, wrapper); +@@ -101,7 +104,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + if (result) + return true; + +- log("Result: "+result); ++ logger.info("PKIAuthenticator: Result: " + result); + String realmName = doGetRealmName(request); + response.setHeader(AUTH_HEADER_NAME, + "Basic realm=\"" + (realmName == null ? REALM_NAME : realmName) + "\""); +@@ -124,7 +127,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + + @Override + public void setContainer(Container container) { +- log("Setting container"); ++ logger.fine("PKIAuthenticator: Setting container"); + super.setContainer(container); + sslAuthenticator.setContainer(container); + fallbackAuthenticator.setContainer(container); +@@ -132,7 +135,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + + @Override + protected void initInternal() throws LifecycleException { +- log("Initializing authenticators"); ++ logger.fine("PKIAuthenticator: Initializing authenticators"); + + super.initInternal(); + +@@ -145,7 +148,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + + @Override + public void startInternal() throws LifecycleException { +- log("Starting authenticators"); ++ logger.fine("PKIAuthenticator: Starting authenticators"); + super.startInternal(); + sslAuthenticator.start(); + fallbackAuthenticator.start(); +@@ -153,13 +156,9 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { + + @Override + public void stopInternal() throws LifecycleException { +- log("Stopping authenticators"); ++ logger.fine("PKIAuthenticator: Stopping authenticators"); + super.stopInternal(); + sslAuthenticator.stop(); + fallbackAuthenticator.stop(); + } +- +- public void log(String message) { +- System.out.println("SSLAuthenticatorWithFallback: "+message); +- 
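Review bot: `logger.info("PKIAuthenticator: Result: " + result)` can only ever print `false`, because the `if (result) return true;` two lines above leaves the method in the success case; the message should state what actually happened so an operator or SIEM rule can use it, e.g. `logger.info("PKIAuthenticator: Authentication failed, sending Basic challenge");`. If `certs` is a local of this same method (it is tested earlier in the method but declared outside this hunk), naming the path that failed is even more useful: `logger.info("PKIAuthenticator: Authentication failed via " + (certs != null && certs.length > 0 ? "client certificate" : fallbackMethod) + ", sending Basic challenge");`. The enclosing `authenticate` method begins outside this hunk.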
} + } +diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java +index 6bc570b..e162840 100644 +--- a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java ++++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java +@@ -21,6 +21,8 @@ package com.netscape.cms.tomcat; + import java.io.IOException; + import java.security.Principal; + import java.util.ArrayList; ++import java.util.logging.Logger; ++ + import javax.servlet.ServletException; + + import org.apache.catalina.Session; +@@ -30,13 +32,14 @@ import org.apache.catalina.valves.ValveBase; + + public class ExternalAuthenticationValve extends ValveBase { + ++ final static Logger logger = Logger.getLogger(ExternalAuthenticationValve.class.getName()); ++ + public void invoke(Request req, Response resp) + throws IOException, ServletException { +- System.out.println("ExternalAuthenticationValve; authType: " +- + req.getAuthType()); +- System.out.println("ExternalAuthenticationValve; principal: " +- + req.getUserPrincipal()); +- //System.out.println(req.getCoyoteRequest().getAttributes().toString()); ++ ++ logger.info("ExternalAuthenticationValve: authType: " + req.getAuthType()); ++ logger.info("ExternalAuthenticationValve: principal: " + req.getUserPrincipal()); ++ //logger.info("ExternalAuthenticationValve: attributes: " + req.getCoyoteRequest().getAttributes()); + + org.apache.coyote.Request coyoteReq = req.getCoyoteRequest(); + Principal principal = req.getUserPrincipal(); +@@ -49,7 +52,7 @@ public class ExternalAuthenticationValve extends ValveBase { + try { + numGroups = new Integer(numGroupsStr); + } catch (NumberFormatException e) { +- System.out.println("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e); ++ logger.warning("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e); + } + } + +@@ -60,13 +63,13 
@@ public class ExternalAuthenticationValve extends ValveBase { + if (s != null && !s.isEmpty()) + groups.add(s); + else +- System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k); ++ logger.warning("ExternalAuthenticationValve: missing or empty attribute: " + k); + } + + // replace the principal + principal = new ExternalPrincipal( + principal.getName(), null, groups, coyoteReq.getAttributes()); +- System.out.println("ExternalAuthenticationValve: setting new principal: " + principal); ++ logger.info("ExternalAuthenticationValve: setting new principal: " + principal); + req.setUserPrincipal(principal); + + // cache principal in session +diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java b/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java +index 5d1d0db..b2ed4a9 100644 +--- a/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java ++++ b/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java +@@ -19,6 +19,7 @@ + package com.netscape.cms.tomcat; + + import java.io.File; ++import java.util.logging.Logger; + + import org.apache.catalina.Context; + import org.apache.catalina.Engine; +@@ -34,27 +35,29 @@ import com.redhat.nuxwdog.WatchdogClient; + + public class PKIListener implements LifecycleListener { + ++ final static Logger logger = Logger.getLogger(PKIListener.class.getName()); ++ + private boolean startedByWD = false; + + @Override + public void lifecycleEvent(LifecycleEvent event) { + + String type = event.getType(); +- System.out.println("PKIListener: " + event.getLifecycle().getClass().getName() + "[" + type + "]"); ++ logger.info("PKIListener: " + event.getLifecycle().getClass().getName() + " [" + type + "]"); + + if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) { + + String wdPipeName = System.getenv("WD_PIPE_NAME"); + if (StringUtils.isNotEmpty(wdPipeName)) { + startedByWD = true; +- System.out.println("PKIListener: Initializing the watchdog"); ++ logger.info("PKIListener: 
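Review bot: `logger.info("ExternalAuthenticationValve: setting new principal: " + principal)` writes the whole ExternalPrincipal — which is built with `coyoteReq.getAttributes()`, i.e. every attribute the front-end authenticator handed over — into the Tomcat log at INFO on each authenticated request, and the two `logger.info` calls for authType and principal in the earlier hunk do the same; what actually lands in the line depends on ExternalPrincipal.toString(), which is not visible here. Consider `logger.fine(...)` for these per-request lines, or log only `principal.getName()` and the group count at INFO, so the default log level does not record request attributes verbatim. Separately, the new field `final static Logger logger = ...` in this class and in PKIListener would conventionally read `private static final Logger logger = ...`; nothing else in the valve needs package access to it. The body of invoke() continues past the end of this hunk.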
Initializing the watchdog"); + WatchdogClient.init(); + } + + } else if (type.equals(Lifecycle.AFTER_START_EVENT)) { + + if (startedByWD) { +- System.out.println("PKIListener: Sending endInit to the Watchdog"); ++ logger.info("PKIListener: Sending endInit to the watchdog"); + WatchdogClient.sendEndInit(0); + } + +@@ -88,13 +91,13 @@ public class PKIListener implements LifecycleListener { + + if (!contextXml.exists()) { + +- System.out.println("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is disabled."); ++ logger.warning("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is disabled."); + + String selftestsLog = "/var/log/pki/" + instanceName + "/" + subsystemName + "/selftests.log"; +- System.out.println("PKIListener: Check " + selftestsLog + " for possible errors."); ++ logger.warning("PKIListener: Check " + selftestsLog + " for possible errors."); + +- System.out.println("PKIListener: To enable the subsystem:"); +- System.out.println("PKIListener: pki-server subsystem-enable -i " + instanceName + " " + subsystemName); ++ logger.warning("PKIListener: To enable the subsystem:"); ++ logger.warning("PKIListener: pki-server subsystem-enable -i " + instanceName + " " + subsystemName); + + continue; + } +@@ -103,17 +106,17 @@ public class PKIListener implements LifecycleListener { + + if (context == null) { + +- System.out.println("PKIListener: " + "Subsystem " + subsystemName.toUpperCase() + " is not deployed."); ++ logger.warning("PKIListener: " + "Subsystem " + subsystemName.toUpperCase() + " is not deployed."); + + String catalinaLog = "/var/log/pki/" + instanceName + "/catalina.*.log"; +- System.out.println("PKIListener: Check " + catalinaLog); +- System.out.println("PKIListener: and Tomcat's standard output and error for possible errors:"); +- System.out.println("PKIListener: journalctl -u pki-tomcatd@" + instanceName + ".service"); ++ logger.warning("PKIListener: Check " + catalinaLog); ++ logger.warning("PKIListener: and Tomcat's standard 
output and error for possible errors:"); ++ logger.warning("PKIListener: journalctl -u pki-tomcatd@" + instanceName + ".service"); + + continue; + } + +- System.out.println("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is running."); ++ logger.info("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is running."); + } + } + } +-- +1.8.3.1 + + +From a56579794417083cf41b05b702f66c895dc82823 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Wed, 6 Dec 2017 16:38:33 -0700 +Subject: Set the default NSS DB type + +dogtagpki Pagure Issue #2862 - Create a mechanism to select the +default NSS DB type + +The following changes are based upon the results of an investigation +by jmagne in which he suggested using the NSS_DEFAULT_DB_TYPE +environment variable to control NSS use of 'dbm' vs. 'sql'. + +* NSS_DEFAULT_DB_TYPE Environment Variable: + + In the future, the 'pkispawn' installer, 'pkiconsole', the 'pki' + command-line tool, as well as all other non-'pki' command-line + tools will be able to select to use either 'dbm' or 'sql' as their + default NSS DB type based upon the value in the + NSS_DEFAULT_DB_TYPE environment variable; if no + NSS_DEFAULT_DB_TYPE is defined, 'dbm' will be utilized. + + NOTE: For this patch, everything has been rigged to use an NSS + default DB type of 'dbm', as 'sql' is not yet supported. + +* PKI Server Instances: + + The selected NSS DB type will be stored as the value in the + NSS_DEFAULT_DB_TYPE variable within the file called + '/etc/sysconfig/' during creation of the + first subsystem of this PKI instance. + + As a part of their 'systemctl' service management, Linux systems + utilize the information in this file via the 'EnvironmentFile' + designation within their systemctl service files, + 'pki-tomcatd@.service', and + 'pki-tomcatd-nuxwdog@.service'. 
+ + Finally, due to the presence of the '/etc/sysconfig/' + file, each PKI instance will always have its NSS DB type limited to a + single value that is common to all subsystems that co-exist within + this PKI instance. + + Relevant files: + - base/server/python/pki/server/deployment/pkiparser.py + - base/server/etc/default.cfg + - base/server/share/conf/tomcat.conf + +* 'pki' Java Command-Line Tools + + The selected NSS DB type will be computed at runtime and + stored as the value in the NSS_DEFAULT_DB_TYPE environment + variable. + + Relevant files: + - base/common/python/pki/cli/main.py + +* non-'pki' Java Command-Line Tools + + The selected NSS DB type will be computed at runtime and + stored as the value in the NSS_DEFAULT_DB_TYPE environment + variable. + + Relevant files: + - base/java-tools/templates/pki_java_command_wrapper.in + - base/java-tools/templates/pretty_print_cert_command_wrapper.in + - base/java-tools/templates/pretty_print_crl_command_wrapper.in + +* Native Command-Line Tools + + NOTE: Although this patch does not provide out-of-box fixes for + native command-line tools, these should still work + successfully provided the environment variable + NSS_DEFAULT_DB_TYPE=dbm has been exported + into the current environment. 
+ +Change-Id: I33c001e732ce0f585710c79af2ecf4ce18768d26 +(cherry picked from commit 29d23b0f027bd046d0a6547bd8292fb28f5d1c88) +--- + base/common/python/pki/cli/main.py | 34 ++++++++++++++++++ + .../templates/pki_java_command_wrapper.in | 34 ++++++++++++++++++ + .../templates/pretty_print_cert_command_wrapper.in | 34 ++++++++++++++++++ + .../templates/pretty_print_crl_command_wrapper.in | 34 ++++++++++++++++++ + base/server/etc/default.cfg | 1 + + .../python/pki/server/deployment/pkiparser.py | 41 ++++++++++++++++++++++ + base/server/share/conf/tomcat.conf | 3 ++ + 7 files changed, 181 insertions(+) + +diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py +index f201c1d..0eb18a5 100644 +--- a/base/common/python/pki/cli/main.py ++++ b/base/common/python/pki/cli/main.py +@@ -70,8 +70,42 @@ class PKICLI(pki.cli.CLI): + + super(PKICLI, self).print_help() + ++ def set_nss_default_db_type(self): ++ # Set default NSS DB type ++ nss_default_db_type = os.getenv('NSS_DEFAULT_DB_TYPE') ++ if nss_default_db_type is None: ++ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ elif nss_default_db_type == '': ++ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ else: ++ nss_type = nss_default_db_type.lower() ++ if nss_type == 'dbm': ++ # Always set/reset 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ elif nss_type == 'sql': ++ # Always set/reset 'sql' default NSS DB type ++ # os.putenv('NSS_DEFAULT_DB_TYPE', 'sql') ++ ++ # Warn user and set 'dbm' default NSS DB type ++ print('WARNING: NSS_DEFAULT_DB_TYPE=sql is currently ' + ++ 'unsupported!') ++ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') ++ # Currently override 'sql' with 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ else: ++ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type ++ print('WARNING: 
NSS_DEFAULT_DB_TYPE=%s is invalid!' ++ % nss_default_db_type) ++ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ return ++ + def execute_java(self, args, stdout=sys.stdout): + ++ self.set_nss_default_db_type() ++ + java_home = os.getenv('JAVA_HOME') + pki_lib = os.getenv('PKI_LIB') + logging_config = os.getenv('LOGGING_CONFIG') +diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in +index 696f661..bec96bd 100644 +--- a/base/java-tools/templates/pki_java_command_wrapper.in ++++ b/base/java-tools/templates/pki_java_command_wrapper.in +@@ -64,6 +64,38 @@ invalid_architecture() { + echo + } + ++set_nss_default_db_type() { ++ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then ++ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then ++ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters ++ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` ++ if [ ${nss_type} = 'dbm' ] ; then ++ # Always set/reset 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ ${nss_type} = 'sql' ] ; then ++ # Always set/reset 'sql' default NSS DB type ++ # NSS_DEFAULT_DB_TYPE=sql ++ ++ # Warn user and set 'dbm' default NSS DB type ++ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" ++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type ++ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " ++ echo "invalid!" ++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." 
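Review bot: `set_nss_default_db_type` normalizes the variable with `os.putenv(...)`, which updates the C-level environment but not `os.environ`, so a later `os.getenv('NSS_DEFAULT_DB_TYPE')` in this process — including a second call to this method — still sees the original, possibly mixed-case or 'sql' value, and anything spawned with `env=os.environ` or a copy of it inherits the un-normalized value; the copy of this method added to pkiparser.py in this commit has the same issue. Assigning `os.environ['NSS_DEFAULT_DB_TYPE'] = 'dbm'` both updates the mapping and calls putenv, and since every branch here ends by setting 'dbm', the method reduces to the two warning cases followed by one assignment. The trailing bare `return` can go; execute_java discards the result. The two Python copies and the three shell copies of this logic are likely to drift — the pkiparser.py version already differs by returning `default` — so a single helper in a shared module would be preferable.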
++ NSS_DEFAULT_DB_TYPE=dbm ++ fi ++ fi ++ export NSS_DEFAULT_DB_TYPE ++} ++ + + ############################################################################### + ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## +@@ -116,6 +148,8 @@ fi + ## based upon the LD_LIBRARY_PATH and PKI_LIB environment variables. ## + ############################################################################### + ++set_nss_default_db_type ++ + ${JAVA} ${JAVA_OPTIONS} \ + -Djava.ext.dirs=${PKI_LIB} \ + -Djava.util.logging.config.file=${LOGGING_CONFIG} \ +diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in +index 882e7a1..486c023 100644 +--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in ++++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in +@@ -64,6 +64,38 @@ invalid_architecture() { + echo + } + ++set_nss_default_db_type() { ++ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then ++ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then ++ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters ++ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` ++ if [ ${nss_type} = 'dbm' ] ; then ++ # Always set/reset 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ ${nss_type} = 'sql' ] ; then ++ # Always set/reset 'sql' default NSS DB type ++ # NSS_DEFAULT_DB_TYPE=sql ++ ++ # Warn user and set 'dbm' default NSS DB type ++ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" ++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type ++ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " ++ echo "invalid!" 
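Review bot: the warnings in `set_nss_default_db_type` go to stdout via `echo`, and the function runs immediately before `${JAVA} ...` in this wrapper, so a user with an unexpected NSS_DEFAULT_DB_TYPE who pipes a tool's output gets the warning mixed into the data (the pretty_print_cert and pretty_print_crl wrappers gain the identical function in this commit); send them to stderr, `echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" >&2`. The expansions inside `[ ]` are unquoted — `[ -z ${NSS_DEFAULT_DB_TYPE} ]` and `[ ${nss_type} = 'dbm' ]` — so a value containing whitespace or glob characters becomes a test syntax error or a pattern expansion instead of reaching the 'invalid' branch; write `[ -z "${NSS_DEFAULT_DB_TYPE}" ]` and `[ "${nss_type}" = 'dbm' ]`. `echo -n` is not portable across /bin/sh implementations (dash prints the `-n` literally); `printf '%s' "..."` avoids that.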
++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." ++ NSS_DEFAULT_DB_TYPE=dbm ++ fi ++ fi ++ export NSS_DEFAULT_DB_TYPE ++} ++ + + ############################################################################### + ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## +@@ -159,6 +191,8 @@ then + fi + fi + ++set_nss_default_db_type ++ + ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND} "$@" + exit $? + +diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in +index 0c518ce..38eb810 100644 +--- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in ++++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in +@@ -64,6 +64,38 @@ invalid_architecture() { + echo + } + ++set_nss_default_db_type() { ++ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then ++ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then ++ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters ++ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` ++ if [ ${nss_type} = 'dbm' ] ; then ++ # Always set/reset 'dbm' default NSS DB type ++ NSS_DEFAULT_DB_TYPE=dbm ++ elif [ ${nss_type} = 'sql' ] ; then ++ # Always set/reset 'sql' default NSS DB type ++ # NSS_DEFAULT_DB_TYPE=sql ++ ++ # Warn user and set 'dbm' default NSS DB type ++ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" ++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." ++ NSS_DEFAULT_DB_TYPE=dbm ++ else ++ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type ++ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " ++ echo "invalid!" ++ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." 
++ NSS_DEFAULT_DB_TYPE=dbm ++ fi ++ fi ++ export NSS_DEFAULT_DB_TYPE ++} ++ + + ############################################################################### + ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## +@@ -146,6 +178,8 @@ then + fi + fi + ++set_nss_default_db_type ++ + ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND} "$@" + exit $? + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index ad19105..73f884f 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -11,6 +11,7 @@ + ############################################################################### + [DEFAULT] + ++NSS_DEFAULT_DB_TYPE=%(nss_default_db_type)s + JAVA_HOME=%(java_home)s + + # The sensitive_parameters contains a list of parameters which may contain +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index e924908..8c9f1aa 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -259,8 +259,48 @@ class PKIConfigParser: + self.arg_parser.print_help() + self.arg_parser.exit(-1) + ++ def set_nss_default_db_type(self): ++ # Define default NSS DB types ++ dbm = 'dbm' ++ # sql = 'sql' ++ default = dbm ++ ++ # Set default NSS DB type ++ nss_default_db_type = os.getenv('NSS_DEFAULT_DB_TYPE') ++ if nss_default_db_type is None: ++ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ elif nss_default_db_type == '': ++ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ else: ++ nss_type = nss_default_db_type.lower() ++ if nss_type == 'dbm': ++ # Always set/reset 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ elif nss_type == 'sql': ++ # Always set/reset 'sql' default NSS DB type ++ # os.putenv('NSS_DEFAULT_DB_TYPE', 'sql') ++ # 
default = sql ++ ++ # Warn user and set 'dbm' default NSS DB type ++ print('WARNING: NSS_DEFAULT_DB_TYPE=sql is currently ' + ++ 'unsupported!') ++ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') ++ # Currently override 'sql' with 'dbm' default NSS DB type ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ else: ++ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type ++ print('WARNING: NSS_DEFAULT_DB_TYPE=%s is invalid!' ++ % nss_default_db_type) ++ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') ++ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') ++ return default ++ + def init_config(self): + ++ nss_default_db_type = self.set_nss_default_db_type() ++ + java_home = subprocess.check_output( + '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf ' + '&& echo $JAVA_HOME', +@@ -303,6 +343,7 @@ class PKIConfigParser: + 'pki_subsystem': self.deployer.subsystem_name, + 'pki_subsystem_type': self.deployer.subsystem_name.lower(), + 'pki_root_prefix': config.pki_root_prefix, ++ 'nss_default_db_type': nss_default_db_type, + 'java_home': java_home, + 'resteasy_lib': resteasy_lib, + 'jni_jar_dir': jni_jar_dir, +diff --git a/base/server/share/conf/tomcat.conf b/base/server/share/conf/tomcat.conf +index bd2359c..c1d3900 100644 +--- a/base/server/share/conf/tomcat.conf ++++ b/base/server/share/conf/tomcat.conf +@@ -6,6 +6,9 @@ + + # This file contains instance-specific configuration. 
+ ++# Default NSS DB type (computed at instance creation time) ++NSS_DEFAULT_DB_TYPE="[NSS_DEFAULT_DB_TYPE]" ++ + # Where your java installation lives + JAVA_HOME="[JAVA_HOME]" + +-- +1.8.3.1 + + +From 043501a4b4c10fc408b4a644381c9f2782892bb3 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 8 Dec 2017 17:17:34 -0700 +Subject: Fix nuxwdog to work on all platforms + +- dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora + +Change-Id: I5ff65c75087aeb939cb58ee7cf888bbbacb57ad5 +(cherry picked from commit 19f04606cb58f7dc6e2872e39f62d3dad427ae22) +--- + base/server/sbin/pki-server-nuxwdog | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog +index ead9253..cb89938 100755 +--- a/base/server/sbin/pki-server-nuxwdog ++++ b/base/server/sbin/pki-server-nuxwdog +@@ -41,8 +41,8 @@ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" + touch ${nux_fname} + chown pkiuser: ${nux_fname} + +-echo "ExeFile ${JAVACMD}" > $nux_fname +-echo "ExeArgs ${JAVACMD} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname ++echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname ++echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname + echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname + echo "ChildSecurity 1" >> $nux_fname + echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-snapshot-1.patch b/SOURCES/pki-core-10.5.1-snapshot-1.patch new file mode 100644 index 0000000..8ef53f5 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-snapshot-1.patch 
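Review bot: the new `echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname` writes `/bin/java` as the watchdog's executable whenever JAVA_HOME is unset or empty, and the ExeArgs line below does the same, so the mistake only surfaces when nuxwdog tries to exec; a guard before the writes, `: "${JAVA_HOME:?JAVA_HOME must be set before generating ${nux_fname}}"`, fails at generation time with the reason. `${JAVACMD_OPTS}` replaces `${JAVACMD}` here but its definition is outside the hunk; if the sourced configuration does not set it, the ExeArgs line is still well-formed, just without options, which is presumably intended. `$nux_fname` is expanded unquoted on these echo lines while the touch/chown lines above use `${nux_fname}`; quoting it consistently (`> "$nux_fname"`) avoids word-splitting on an unusual CATALINA_BASE.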
@@ -0,0 +1,3920 @@ +From 5a479577ca778dd8f35501bba79eb97aa2087549 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 18 Dec 2017 21:41:08 +0100 +Subject: [PATCH 01/30] Fixed missing admin PKCS #12 file on external KRA/OCSP + installation. + +The deployment tool has been modified to generate a PKCS #12 file +that contains the admin certificate for KRA/OCSP installation with +external certificates. + +https://pagure.io/dogtagpki/issue/2873 + +Change-Id: Ide6b08ba8f2121b4cdf21208c32d745534893f0f +(cherry picked from commit ffac807486d36e031c1afbcbb2b246536d4ae240) +--- + base/server/python/pki/server/deployment/scriptlets/configuration.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 0fe4191..16a827d 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -1193,7 +1193,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Cloned PKI subsystems do not return an Admin Certificate + if not clone: + +- if standalone: ++ if external or standalone: + if not step_two: + # NOTE: Do nothing for Stand-alone PKI (Step 1) + # as this has already been addressed +-- +1.8.3.1 + + +From 6bdb3184284ecad0d532e6fd05ca9b129ae3821f Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 2 Jan 2018 13:24:23 -0500 +Subject: [PATCH 03/30] Fix various PEP8 and pylint issues + +Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7 +(cherry picked from commit e9b5fc7ef000abfd2cbdd6be6bfd4b2d015816a2) +--- + .../python/pki/server/deployment/pkihelper.py | 50 ++++++++++++---------- + .../python/pki/server/deployment/pkimessages.py | 25 ++++++----- + .../python/pki/server/deployment/pkiparser.py | 4 -- + .../server/deployment/scriptlets/configuration.py | 12 +++--- + base/server/sbin/pkidestroy | 4 +- + 
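Review bot: with the condition widened to `if external or standalone:`, the comment two lines below, `# NOTE: Do nothing for Stand-alone PKI (Step 1)`, no longer describes the branch — the step-one skip now also covers external KRA/OCSP installs, which is exactly the case this commit targets; update it to `# NOTE: Do nothing for External or Stand-alone PKI (Step 1)`. The enclosing block continues outside the hunk, so whether the step-two path below already handles the external case cannot be confirmed from here.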
base/server/sbin/pkispawn | 4 +- + 6 files changed, 52 insertions(+), 47 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 49945b9..9c732d0 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -428,7 +428,8 @@ class ConfigurationFile: + + self.existing = config.str2bool(self.mdict['pki_existing']) + self.external = config.str2bool(self.mdict['pki_external']) +- self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two']) ++ self.external_step_one = not config.str2bool( ++ self.mdict['pki_external_step_two']) + self.external_step_two = not self.external_step_one + + if self.external: +@@ -496,7 +497,8 @@ class ConfigurationFile: + # ALWAYS defined via 'pkiparser.py' + if self.external_step_two: + # Only allowed for External CA/KRA/OCSP, or Stand-alone PKI +- if self.subsystem not in ['CA', 'KRA', 'OCSP'] and not self.standalone: ++ if (self.subsystem not in ['CA', 'KRA', 'OCSP'] and ++ not self.standalone): + config.pki_log.error(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1, + self.subsystem, + extra=config.PKI_INDENTATION_LEVEL_2) +@@ -557,8 +559,9 @@ class ConfigurationFile: + # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) + if not config.str2bool(self.mdict['pki_hsm_enable']): + +- # If system certificates are already provided via pki_server_pkcs12 +- # there's no need to provide pki_clone_pkcs12. ++ # If system certificates are already provided via ++ # pki_server_pkcs12, there's no need to provide ++ # pki_clone_pkcs12. 
+ if not self.mdict['pki_server_pkcs12_path']: + self.confirm_data_exists("pki_clone_pkcs12_password") + +@@ -680,8 +683,9 @@ class ConfigurationFile: + # Check clone parameters for non-HSM clone + if not config.str2bool(self.mdict['pki_hsm_enable']): + +- # If system certificates are already provided via pki_server_pkcs12 +- # there's no need to provide pki_clone_pkcs12. ++ # If system certificates are already provided via ++ # pki_server_pkcs12, there's no need to provide ++ # pki_clone_pkcs12. + if not self.mdict['pki_server_pkcs12_path']: + self.confirm_data_exists("pki_clone_pkcs12_path") + self.confirm_file_exists("pki_clone_pkcs12_path") +@@ -1045,7 +1049,7 @@ class Instance: + "No connection - server may still be down", + extra=config.PKI_INDENTATION_LEVEL_3) + config.pki_log.debug( +- "No connection - exception thrown: " + str(exc), ++ "No connection - exception thrown: %s", exc, + extra=config.PKI_INDENTATION_LEVEL_3) + return None + +@@ -1707,7 +1711,8 @@ class File: + + def substitute_deployment_params(self, line): + """ +- Replace all occurrences of [param] in the line with the value of the deployment parameter. ++ Replace all occurrences of [param] in the line with the value of the ++ deployment parameter. 
+ """ + + # find the first parameter in the line +@@ -2181,7 +2186,7 @@ class FIPS: + with open(os.devnull, "w") as fnull: + output = subprocess.check_output(command, stderr=fnull, + close_fds=True) +- if (output != "0"): ++ if output != "0": + # Set FIPS mode as enabled + self.mdict['pki_fips_mode_enabled'] = True + config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED, +@@ -2214,7 +2219,7 @@ class HSM: + + def initialize(self): + if config.str2bool(self.mdict['pki_hsm_enable']): +- if (self.mdict['pki_hsm_libfile'] == config.PKI_HSM_NCIPHER_LIB): ++ if self.mdict['pki_hsm_libfile'] == config.PKI_HSM_NCIPHER_LIB: + self.initialize_ncipher() + return + +@@ -3026,8 +3031,8 @@ class KRAConnector: + sechost, secport) + except Exception as e: + config.pki_log.error( +- "unable to access security domain. Continuing .. " + +- str(e), ++ "unable to access security domain. Continuing .. %s ", ++ e, + extra=config.PKI_INDENTATION_LEVEL_2) + ca_list = [] + +@@ -3849,8 +3854,7 @@ class ConfigClient: + # Store the Administration Certificate in a file + admin_cert_file = self.mdict['pki_client_admin_cert'] + admin_cert_bin_file = admin_cert_file + ".der" +- self.save_admin_cert(log.PKI_CONFIG_ADMIN_CERT_SAVE_1, +- admin_cert, admin_cert_file, ++ self.save_admin_cert(admin_cert, admin_cert_file, + self.mdict['pki_subsystem_name']) + + # convert the cert file to binary +@@ -3983,8 +3987,9 @@ class ConfigClient: + + def save_admin_csr(self): + config.pki_log.info( +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 + " '" + +- self.mdict['pki_admin_csr_path'] + "'", self.subsystem, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_2, ++ self.subsystem, ++ self.mdict['pki_admin_csr_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create( + os.path.dirname(self.mdict['pki_admin_csr_path'])) +@@ -4005,20 +4010,20 @@ class ConfigClient: + log.PKI_CONFIG_CDATA_REQUEST + "\n" + admin_certreq, + extra=config.PKI_INDENTATION_LEVEL_2) + +- def save_admin_cert(self, 
message, input_data, output_file, +- subsystem_name): +- config.pki_log.debug(message + " '" + output_file + "'", ++ def save_admin_cert(self, input_data, output_file, subsystem_name): ++ config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE_2, + subsystem_name, ++ output_file, + extra=config.PKI_INDENTATION_LEVEL_2) + with open(output_file, "w") as f: + f.write(input_data) + + def save_system_csr(self, csr, message, path, subsystem=None): + if subsystem is not None: +- config.pki_log.info(message + " '" + path + "'", subsystem, ++ config.pki_log.info(message, subsystem, path, + extra=config.PKI_INDENTATION_LEVEL_2) + else: +- config.pki_log.info(message + " '" + path + "'", ++ config.pki_log.info(message, path, + extra=config.PKI_INDENTATION_LEVEL_2) + self.deployer.directory.create(os.path.dirname(path)) + with open(path, "w") as f: +@@ -4310,7 +4315,8 @@ class ConfigClient: + password=self.mdict['pki_client_database_password']) + + try: +- data.adminCert = client_nssdb.get_cert(self.mdict['pki_admin_nickname']) ++ data.adminCert = client_nssdb.get_cert( ++ self.mdict['pki_admin_nickname']) + if data.adminCert: # already imported, return + return + +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index 1158383..7f2d749 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -358,7 +358,7 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." 
+ PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" + PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" + +-PKI_CONFIG_ADMIN_CERT_SAVE_1 = "saving %s Admin Certificate to file:" ++PKI_CONFIG_ADMIN_CERT_SAVE_2 = "saving %s Admin Certificate to file: %s" + PKI_CONFIG_ADMIN_CERT_ATOB_1 = "converting %s Admin Certificate to binary:" + PKI_CONFIG_CDATA_TAG = "tag:" + PKI_CONFIG_CDATA_CERT = "cert:" +@@ -384,16 +384,19 @@ PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 = \ + PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 = \ + "loading external CA signed %s Audit Signing certificate from file:" + PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE = "saving KRA Storage CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT = "saving KRA Transport CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING = "saving OCSP Signing CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 = "saving %s Admin CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 = \ +- "saving %s Audit Signing CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 = \ +- "saving %s SSL Server CSR to file:" +-PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 = \ +- "saving %s Subsystem CSR to file:" ++PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE_1 = ( ++ "saving KRA Storage CSR to file: %s") ++PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT_1 = ( ++ "saving KRA Transport CSR to file: %s") ++PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING_1 = ( ++ "saving OCSP Signing CSR to file: %s") ++PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_2 = "saving %s Admin CSR to file: '%s'" ++PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_2 = \ ++ "saving %s Audit Signing CSR to file: %s" ++PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_2 = ( ++ "saving %s SSL Server CSR to file: %s") ++PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_2 = ( ++ "saving %s Subsystem CSR to file: %s") + PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION = \ + "Exception from Java Configuration 
Servlet:" + PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 8c9f1aa..18cf19d 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -617,8 +617,6 @@ class PKIConfigParser: + self.ds_connect() + self.ds_bind() + self.ds_search() +- except: +- raise + finally: + self.ds_close() + +@@ -636,8 +634,6 @@ class PKIConfigParser: + + except ldap.NO_SUCH_OBJECT: + base_dn_exists = False +- except: +- raise + finally: + self.ds_close() + return base_dn_exists +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 16a827d..8f7460c 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -1133,7 +1133,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_2, + deployer.mdict['pki_audit_signing_csr_path'], + subsystem.name) + +@@ -1142,7 +1142,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # CSR (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING_1, + deployer.mdict['pki_signing_csr_path']) + + elif cdata['tag'].lower() == "sslserver": +@@ -1150,7 +1150,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_2, + deployer.mdict['pki_sslserver_csr_path'], + 
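Review bot: the renamed CSR/cert messages are inconsistent in how the path placeholder is written: `PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_2 = "saving %s Admin CSR to file: '%s'"` quotes the path while every other `_1`/`_2` message added here (`..._KRA_STORAGE_1`, `..._PKI_SSLSERVER_2`, `PKI_CONFIG_ADMIN_CERT_SAVE_2`) uses a bare `%s`, so log lines for the same operation will look different per certificate; pick one form. The block also mixes two continuation styles — parenthesised strings for most constants and a backslash for `..._PKI_AUDIT_SIGNING_2` — within the same group of lines. Since the callers in configuration.py and pkihelper.py are switched to the new names in this commit, any remaining reference to the old `_1` CSR names elsewhere would now raise AttributeError at log time rather than a lint warning, which is worth a grep outside this patch.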
subsystem.name) + +@@ -1159,7 +1159,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE_1, + deployer.mdict['pki_storage_csr_path']) + + elif cdata['tag'].lower() == "subsystem": +@@ -1167,7 +1167,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_2, + deployer.mdict['pki_subsystem_csr_path'], + subsystem.name) + +@@ -1176,7 +1176,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # (Step 1) + deployer.config_client.save_system_csr( + cdata['request'], +- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT, ++ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT_1, + deployer.mdict['pki_transport_csr_path']) + + else: +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 4a0c6a0..036c5ef 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -255,9 +255,9 @@ def main(argv): + def log_error_details(): + e_type, e_value, e_stacktrace = sys.exc_info() + config.pki_log.debug( +- "Error Type: " + e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) ++ "Error Type: %s", e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug( +- "Error Message: " + str(e_value), extra=config.PKI_INDENTATION_LEVEL_2) ++ "Error Message: %s", e_value, extra=config.PKI_INDENTATION_LEVEL_2) + stacktrace_list = traceback.format_list(traceback.extract_tb(e_stacktrace)) + e_stacktrace = "" + for l in stacktrace_list: +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 5489622..a715efc 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -864,9 +864,9 @@ def print_final_install_information(mdict): + def 
log_error_details(): + e_type, e_value, e_stacktrace = sys.exc_info() + config.pki_log.debug( +- "Error Type: " + e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) ++ "Error Type: %s", e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug( +- "Error Message: " + str(e_value), extra=config.PKI_INDENTATION_LEVEL_2) ++ "Error Message: %s", e_value, extra=config.PKI_INDENTATION_LEVEL_2) + stacktrace_list = traceback.format_list(traceback.extract_tb(e_stacktrace)) + e_stacktrace = "" + for l in stacktrace_list: +-- +1.8.3.1 + + +From ae39e98d64fa5ca7e92e8fc378be400c5160cbaf Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 2 Jan 2018 13:38:40 -0500 +Subject: [PATCH 04/30] Modified systemd invocations in pkispawn to handle + nuxwdog + +The systemd invocations in pkispawn/pkidestroy did not account for +nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to +use the right service name if the nuxwdog service unit files exist. + +Also modified instance_layout deployment script to delete the right +systemd link. 
+ +Change-Id: I25eac0555aad022784d7728913ae4a335eab3463 +(cherry picked from commit c7c907c07599ef1d9b52638c25153f7bd82de999) +--- + .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++------------ + .../deployment/scriptlets/instance_layout.py | 5 +- + 2 files changed, 28 insertions(+), 32 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 9c732d0..3736782 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -3491,17 +3491,28 @@ class Systemd(object): + + Args: + deployer (dictionary): PKI Deployment name/value parameters +- +- Attributes: +- +- Returns: +- +- Raises: +- +- Examples: +- + """ + self.mdict = deployer.mdict ++ instance_name = deployer.mdict['pki_instance_name'] ++ ++ unit_file = 'pki-tomcatd@%s.service' % instance_name ++ systemd_link = os.path.join( ++ '/etc/systemd/system/pki-tomcatd.target.wants', ++ unit_file) ++ ++ nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name ++ nuxwdog_systemd_link = os.path.join( ++ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', ++ nuxwdog_unit_file) ++ ++ if os.path.exists(nuxwdog_systemd_link): ++ self.is_nuxwdog_enabled = True ++ self.service_name = nuxwdog_unit_file ++ self.systemd_link = nuxwdog_systemd_link ++ else: ++ self.is_nuxwdog_enabled = False ++ self.service_name = unit_file ++ self.systemd_link = systemd_link + + def daemon_reload(self, critical_failure=True): + """PKI Deployment execution management lifecycle function. 
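Review bot: `self.is_nuxwdog_enabled` and `self.service_name` are fixed once in `__init__` from `os.path.exists(nuxwdog_systemd_link)`, yet the link under `/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants` is itself a product of deployment, so on a fresh pkispawn the check presumably runs before that link can exist and a nuxwdog instance would be enabled and started under the plain `pki-tomcatd@%s.service` unit. If the intent is only to recognise an already-deployed instance (the pkidestroy case) that is fine, but it deserves a docstring line such as `Service name is chosen by the presence of the nuxwdog target link at construction time; during pkispawn this reflects the pre-deployment state.` so later callers do not rely on it during installation. The `def __init__` line and its signature are outside the hunk.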
+@@ -3575,7 +3586,7 @@ class Systemd(object): + command = ["rm", "/etc/rc3.d/*" + + self.mdict['pki_instance_name']] + else: +- command = ["systemctl", "disable", "pki-tomcatd.target"] ++ command = ["systemctl", "disable", self.service_name] + + # Display this "systemd" execution managment command + config.pki_log.info( +@@ -3625,7 +3636,7 @@ class Systemd(object): + command = ["ln", "-s", "/etc/init.d/pki-tomcatd", + "/etc/rc3.d/S89" + self.mdict['pki_instance_name']] + else: +- command = ["systemctl", "enable", "pki-tomcatd.target"] ++ command = ["systemctl", "enable", self.service_name] + + # Display this "systemd" execution managment command + config.pki_log.info( +@@ -3669,20 +3680,15 @@ class Systemd(object): + + """ + try: +- service = None + # Execute the "systemd daemon-reload" management lifecycle command + if reload_daemon: + self.daemon_reload(critical_failure) +- # Compose this "systemd" execution management command +- service = "pki-tomcatd" + "@" +\ +- self.mdict['pki_instance_name'] + "." +\ +- "service" + + if pki.system.SYSTEM_TYPE == "debian": + command = ["/etc/init.d/pki-tomcatd", "start", + self.mdict['pki_instance_name']] + else: +- command = ["systemctl", "start", service] ++ command = ["systemctl", "start", self.service_name] + + # Display this "systemd" execution managment command + config.pki_log.info( +@@ -3722,17 +3728,11 @@ class Systemd(object): + + """ + try: +- service = None +- # Compose this "systemd" execution management command +- service = "pki-tomcatd" + "@" +\ +- self.mdict['pki_instance_name'] + "." 
+\ +- "service" +- + if pki.system.SYSTEM_TYPE == "debian": + command = ["/etc/init.d/pki-tomcatd", "stop", + self.mdict['pki_instance_name']] + else: +- command = ["systemctl", "stop", service] ++ command = ["systemctl", "stop", self.service_name] + + # Display this "systemd" execution managment command + config.pki_log.info( +@@ -3773,21 +3773,16 @@ class Systemd(object): + + """ + try: +- service = None + # Compose this "systemd" execution management command + # Execute the "systemd daemon-reload" management lifecycle command + if reload_daemon: + self.daemon_reload(critical_failure) + +- service = "pki-tomcatd" + "@" +\ +- self.mdict['pki_instance_name'] + "." +\ +- "service" +- + if pki.system.SYSTEM_TYPE == "debian": + command = ["/etc/init.d/pki-tomcatd", "restart", + self.mdict['pki_instance_name']] + else: +- command = ["systemctl", "restart", service] ++ command = ["systemctl", "restart", self.service_name] + + # Display this "systemd" execution managment command + config.pki_log.info( +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index fc08fe1..15c0441 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -59,7 +59,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Link /etc/pki//logging.properties + # to /usr/share/pki/server/conf/logging.properties. 
+ deployer.symlink.create( +- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), ++ os.path.join(deployer.mdict['pki_source_server_path'], ++ "logging.properties"), + os.path.join(deployer.mdict['pki_instance_configuration_path'], + "logging.properties")) + +@@ -176,7 +177,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return + + # remove Tomcat instance systemd service link +- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) ++ deployer.symlink.delete(deployer.systemd.systemd_link) + + # remove Tomcat instance base + deployer.directory.delete(deployer.mdict['pki_instance_path']) +-- +1.8.3.1 + + +From cf50a28a14908be726cefb1e7e79233a2b13a575 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 2 Jan 2018 14:52:32 -0500 +Subject: [PATCH 05/30] Allow prompting for token passwords if not present + +Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff +(cherry picked from commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb) +--- + .../python/pki/server/deployment/__init__.py | 4 +++- + .../python/pki/server/deployment/pkihelper.py | 27 ++++++++-------------- + base/server/sbin/pkidestroy | 2 +- + base/server/sbin/pkispawn | 2 +- + 4 files changed, 15 insertions(+), 20 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py +index 70e9c9b..dbacc57 100644 +--- a/base/server/python/pki/server/deployment/__init__.py ++++ b/base/server/python/pki/server/deployment/__init__.py +@@ -66,6 +66,7 @@ class PKIDeployer: + self.systemd = None + self.tps_connector = None + self.config_client = None ++ self.parser = None + + # Set installation time + ticks = time.time() +@@ -88,7 +89,7 @@ class PKIDeployer: + if not len(self.dns_domainname): + self.dns_domainname = self.hostname + +- def init(self): ++ def init(self, parser): + + # Utility objects + self.identity = util.Identity(self) +@@ -111,6 +112,7 @@ class PKIDeployer: + self.systemd = 
util.Systemd(self) + self.tps_connector = util.TPSConnector(self) + self.config_client = util.ConfigClient(self) ++ self.parser = parser + + def flatten_master_dict(self): + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 3736782..26aca14 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -2053,6 +2053,7 @@ class Password: + + def __init__(self, deployer): + self.mdict = deployer.mdict ++ self.deployer = deployer + + def create_password_conf(self, path, pin, pin_sans_token=False, + overwrite_flag=False, critical_failure=True): +@@ -2142,7 +2143,7 @@ class Password: + raise + return + +- def get_password(self, path, token_name, critical_failure=True): ++ def get_password(self, path, token_name): + token_pwd = None + if os.path.exists(path) and os.path.isfile(path) and\ + os.access(path, os.R_OK): +@@ -2155,16 +2156,11 @@ class Password: + token_pwd = tokens[token_name] + + if token_pwd is None or token_pwd == '': +- # TODO prompt for this password +- config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, +- token_name, +- extra=config.PKI_INDENTATION_LEVEL_2) +- if critical_failure: +- raise Exception( +- log.PKIHELPER_PASSWORD_NOT_FOUND_1 % +- token_name) +- else: +- return ++ self.deployer.parser.read_password( ++ 'Password for token {}'.format(token_name), ++ self.deployer.subsystem_name, ++ 'token_pwd') ++ token_pwd = self.mdict['token_pwd'] + return token_pwd + + +@@ -2994,8 +2990,7 @@ class KRAConnector: + + token_pwd = self.password.get_password( + self.mdict['pki_shared_password_conf'], +- token_name, +- critical_failure) ++ token_name) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( +@@ -3199,8 +3194,7 @@ class TPSConnector: + + token_pwd = self.password.get_password( + self.mdict['pki_shared_password_conf'], +- token_name, +- critical_failure) ++ token_name) + + if 
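Review bot: The prompted password is stored in the shared deployment dictionary under the generic key `'token_pwd'` and read back with `token_pwd = self.mdict['token_pwd']`, so it lives on in `mdict` next to every other deployment parameter for the rest of the run; if `mdict` is ever dumped or logged on a verbose/debug path (not visible here, please confirm) the token password goes with it, and `token_pwd = self.mdict.pop('token_pwd')` would at least remove it once consumed. Dropping `critical_failure` also removes the non-interactive fallback: where the old code logged `PKIHELPER_PASSWORD_NOT_FOUND_1` and raised, an unattended run now reaches `read_password`, which will presumably block on a prompt or fail without a meaningful message. The callers updated in the later hunks of this file (`KRAConnector`, `TPSConnector`, `SecurityDomain`) still test `if token_pwd is None or token_pwd == ''`, which after this change is reachable only if the prompt returns an empty string. A short docstring on `get_password` stating that it prompts interactively when `path` lacks an entry for `token_name` would make the new contract explicit.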
token_pwd is None or token_pwd == '': + config.pki_log.warning( +@@ -3437,8 +3431,7 @@ class SecurityDomain: + + token_pwd = self.password.get_password( + self.mdict['pki_shared_password_conf'], +- token_name, +- critical_failure) ++ token_name) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 036c5ef..0b6ef6b 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -227,7 +227,7 @@ def main(argv): + + # Process the various "scriptlets" to remove the specified PKI subsystem. + pki_subsystem_scriptlets = parser.mdict['destroy_scriplets'].split() +- deployer.init() ++ deployer.init(parser) + + try: + for scriptlet_name in pki_subsystem_scriptlets: +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index a715efc..d671ba7 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -519,7 +519,7 @@ def main(argv): + + # Process the various "scriptlets" to create the specified PKI subsystem. + pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() +- deployer.init() ++ deployer.init(parser) + + try: + for scriptlet_name in pki_subsystem_scriptlets: +-- +1.8.3.1 + + +From af8c909653fae1d02dc801021ad73a43b548aacf Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 9 Jan 2018 21:29:39 -0600 +Subject: [PATCH 06/30] Added pki-server -audit-event-find command. + +A new pki-server -audit-event-find command has been +added to list audit events and their attributes (e.g. filter). +Currently the command can only list enabled events. 
+ +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: I7319ac4e449045d7456e9ae225aca58075093bcd +(cherry picked from commit 9f3a7d6c3a190a2e937ffb3586d6c9d72fe9d2f1) +--- + base/server/python/pki/server/__init__.py | 20 +++++++ + base/server/python/pki/server/cli/audit.py | 83 ++++++++++++++++++++++++++++++ + 2 files changed, 103 insertions(+) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 9969dcc..bb01dcf 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -419,6 +419,26 @@ class PKISubsystem(object): + + pki.util.customize_file(input_file, output_file, params) + ++ def find_audit_events(self, enabled=None): ++ ++ if not enabled: ++ raise Exception('This operation is not yet supported. Specify --enabled True.') ++ ++ events = [] ++ ++ names = self.config['log.instance.SignedAudit.events'].split(',') ++ names = list(map(str.strip, names)) ++ names.sort() ++ ++ for name in names: ++ event = {} ++ event['name'] = name ++ event['enabled'] = True ++ event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) ++ events.append(event) ++ ++ return events ++ + def get_audit_log_dir(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] +diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py +index 665fe91..bbbdd10 100644 +--- a/base/server/python/pki/server/cli/audit.py ++++ b/base/server/python/pki/server/cli/audit.py +@@ -37,10 +37,93 @@ class AuditCLI(pki.cli.CLI): + 'audit', 'Audit management commands') + + self.parent = parent ++ self.add_module(AuditEventFindCLI(self)) + self.add_module(AuditFileFindCLI(self)) + self.add_module(AuditFileVerifyCLI(self)) + + ++class AuditEventFindCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditEventFindCLI, self).__init__( ++ 'event-find', 'Find audit event configurations') ++ ++ self.parent = parent ++ ++ 
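Review bot: `if not enabled: raise Exception(...)` conflates "option not given" with `--enabled False`, and the companion hunk in `base/server/python/pki/server/cli/audit.py` parses the flag with `enabled = a == 'True'`, so `--enabled true` or `--enabled yes` silently becomes `False` and lands on the same generic message; `enabled = a.lower() == 'true'` in the CLI plus separate messages for the two cases would make the failure mode clear, and a narrower type than bare `Exception` is preferable. `self.config['log.instance.SignedAudit.events'].split(',')` also produces an empty name for a trailing comma or an empty value, which then shows up as an event entry; `names = [n.strip() for n in names if n.strip()]` drops it. Using `self.config.get(...)` for the events key, as the hunk already does for the per-event filter, would avoid a `KeyError` traceback on a subsystem without signed-audit configuration.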
def print_help(self): ++ print('Usage: pki-server %s-audit-event-find [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --enabled Show enabled/disabled events only.') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', ++ 'enabled=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.print_help() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ enabled = None ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--enabled': ++ enabled = a == 'True' ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.print_help() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = self.parent.parent.name ++ subsystem = instance.get_subsystem(subsystem_name) ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance %s.' 
++ % (subsystem_name.upper(), instance_name)) ++ sys.exit(1) ++ ++ events = subsystem.find_audit_events(enabled) ++ ++ self.print_message('%s entries matched' % len(events)) ++ ++ first = True ++ for event in events: ++ if first: ++ first = False ++ else: ++ print() ++ ++ print(' Event Name: %s' % event.get('name')) ++ print(' Enabled: %s' % event.get('enabled')) ++ print(' Filter: %s' % event.get('filter')) ++ ++ + class AuditFileFindCLI(pki.cli.CLI): + + def __init__(self, parent): +-- +1.8.3.1 + + +From 2942a723169fbd2d46605dc847ca702accf0c79e Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 20 Dec 2017 14:08:58 -0800 +Subject: [PATCH 07/30] Ticket #2604 adding FIPS support-RFE: shared token + storage and retrieval mechanism + +This patch adds FIPS support to the original ticket 2604. Two changes were +made: +1. in CMCSharedToken tool, "-p" is used to specify the password for token login +and "-s" is used to specify the shared secret (or passphrase) +2. on the server side, in SharedSecret, an existing configuration parameter, cmc.token is utilized for admin to specify +the token where the issuance protection cert's private key resides on. 
+ +Change-Id: Ia454598bca7843bfc0a6ad21f57f6a74d05d67fe +(cherry picked from commit fc92dbafb9051ac7d1019924b62e356eb17bd0f1) +--- + .../src/com/netscape/cmstools/CMCSharedToken.java | 19 ++++++++++++---- + .../netscape/cms/authentication/SharedSecret.java | 25 +++++++++++----------- + 2 files changed, 27 insertions(+), 17 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java +index d16dd0c..f52199a 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java +@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException; + import org.mozilla.jss.crypto.PrivateKey; + import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.crypto.X509Certificate; ++import org.mozilla.jss.util.Password; + + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; +@@ -77,7 +78,11 @@ public class CMCSharedToken { + option.setArgName("output"); + options.addOption(option); + +- option = new Option("p", true, "passphrase"); ++ option = new Option("p", true, "password"); ++ option.setArgName("password"); ++ options.addOption(option); ++ ++ option = new Option("s", true, "passphrase"); + option.setArgName("passphrase"); + options.addOption(option); + +@@ -104,7 +109,8 @@ public class CMCSharedToken { + System.out.println("Options:"); + System.out.println(" -d Security database location (default: current directory)"); + System.out.println(" -h Security token name (default: internal)"); +- System.out.println(" -p CMC enrollment passphrase (put in \"\" if containing spaces)"); ++ System.out.println(" -p Security token password"); ++ System.out.println(" -s CMC enrollment passphrase (shared secret) (put in \"\" if containing spaces)"); + System.out.println(" Use either -b OR -n below"); + System.out.println(" -b PEM issuance protection certificate"); + 
System.out.println(" -n issuance protection certificate nickname"); +@@ -177,7 +183,7 @@ public class CMCSharedToken { + boolean verbose = cmd.hasOption("v"); + + String databaseDir = cmd.getOptionValue("d", "."); +- String passphrase = cmd.getOptionValue("p"); ++ String passphrase = cmd.getOptionValue("s"); + if (passphrase == null) { + printError("Missing passphrase"); + System.exit(1); +@@ -188,6 +194,7 @@ public class CMCSharedToken { + System.out.println(Arrays.toString(passphrase.getBytes("UTF-8"))); + } + String tokenName = cmd.getOptionValue("h"); ++ String tokenPassword = cmd.getOptionValue("p"); + + String issuanceProtCertFilename = cmd.getOptionValue("b"); + String issuanceProtCertNick = cmd.getOptionValue("n"); +@@ -201,6 +208,10 @@ public class CMCSharedToken { + CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); + tokenName = token.getName(); + manager.setThreadToken(token); ++ ++ Password password = new Password(tokenPassword.toCharArray()); ++ token.login(password); ++ + X509Certificate issuanceProtCert = null; + if (issuanceProtCertFilename != null) { + if (verbose) System.out.println("Loading issuance protection certificate"); +@@ -295,7 +306,7 @@ public class CMCSharedToken { + + SymmetricKey ver_session = CryptoUtil.unwrap(token, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, wrappingKey, wrapped_session, wrapAlgorithm); + byte[] ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(iv), wrapped_passphrase, +- ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); ++ ver_session, encryptAlgorithm); + + String ver_spassphrase = new String(ver_passphrase, "UTF-8"); + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +index ee7a7d7..1a3d877 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +@@ -21,7 
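Review bot: `new Password(tokenPassword.toCharArray())` dereferences `tokenPassword` without a null check, so omitting the new `-p` option (which the `@@ -188` hunk reads with a plain `cmd.getOptionValue("p")`) now ends in a `NullPointerException` instead of the `printError(...)`/`System.exit(1)` path used for a missing `-s` passphrase; add `if (tokenPassword == null) { printError("Missing token password"); System.exit(1); }` before the login. The `Password` object is never cleared either — call `password.clear()` in a `finally` after `token.login(password)` so the token PIN does not linger on the heap, in line with the secret-clearing goal of this patch series. Taking the PIN as a command-line argument also exposes it to other local users through the process list and shell history, so the usage text should say so and a prompt or file-based alternative is worth considering. The pre-existing verbose dump `System.out.println(Arrays.toString(passphrase.getBytes("UTF-8")))` in the `@@ -188` context prints the shared secret itself to stdout and could be dropped at the same time.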
+21,6 @@ import java.math.BigInteger; + // ldap java sdk + import java.util.Enumeration; + +-import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.CryptoToken; + import org.mozilla.jss.crypto.EncryptionAlgorithm; + import org.mozilla.jss.crypto.IVParameterSpec; +@@ -143,8 +142,7 @@ public class SharedSecret extends DirBasedAuthentication + private IConfigStore shrTokLdapConfigStore = null; + + private PrivateKey issuanceProtPrivKey = null; +- protected CryptoManager cm = null; +- protected CryptoToken tmpToken = null; ++ protected CryptoToken token = null; + protected byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + EncryptionAlgorithm encryptAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; + ICertificateRepository certRepository = null; +@@ -193,15 +191,16 @@ public class SharedSecret extends DirBasedAuthentication + } + + try { +- cm = CryptoManager.getInstance(); ++ String tokenName = ++ CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); ++ CMS.debug(method + "getting token :" + tokenName); ++ token = CryptoUtil.getKeyStorageToken(tokenName); + } catch (Exception e) { +- msg = method + e.toString(); +- CMS.debug(msg); +- throw new EBaseException(msg); ++ CMS.debug(method + e); ++ throw new EBaseException(e); + } +- tmpToken = cm.getInternalKeyStorageToken(); +- if (tmpToken == null) { +- msg = method + "tmpToken null"; ++ if (token == null) { ++ msg = method + "token null"; + CMS.debug(msg); + throw new EBaseException(msg); + } +@@ -355,11 +354,11 @@ public class SharedSecret extends DirBasedAuthentication + byte wrapped_passphrase[] = wrapped_dPassphrase.getOctetString(); + CMS.debug(method + "wrapped passphrase retrieved"); + +- SymmetricKey ver_session = CryptoUtil.unwrap(tmpToken, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, ++ SymmetricKey ver_session = CryptoUtil.unwrap(token, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, + issuanceProtPrivKey, 
wrapped_session, wrapAlgorithm); +- ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), ++ ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(iv), + wrapped_passphrase, +- ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); ++ ver_session, encryptAlgorithm); + + char[] ver_spassphraseChars = CryptoUtil.bytesToChars(ver_passphrase); + return ver_spassphraseChars; +-- +1.8.3.1 + + +From 3320b3942eb27e96169bee1289af648262258ec9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 9 Jan 2018 21:41:13 -0600 +Subject: [PATCH 08/30] Merged CMC_USER_SIGNED_REQUEST_SIG_VERIFY events. + +The CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS and +CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE events have +been merged into CMC_USER_SIGNED_REQUEST_SIG_VERIFY event, +and encapsulated using CMCUserSignedRequestSigVerifyEvent +class. + +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: I85ec9c871526da9ca8711ebcd6c9281086e2199f +(cherry picked from commit b142b035b86d7c47818c21def377ff6d6ba903c8) +(cherry picked from commit 21c56574c2aaf9e96f50a0807bc81bc0c285b238) +--- + base/ca/shared/conf/CS.cfg | 4 +- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + .../event/CMCUserSignedRequestSigVerifyEvent.java | 74 ++++++++++++++++++++++ + .../cms/authentication/CMCUserSignedAuth.java | 50 ++++++--------- + base/server/cmsbundle/src/LogMessages.properties | 4 +- + 5 files changed, 97 insertions(+), 39 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index aa9bf5a..908407b 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: 
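Review bot: Replacing the `AES_128_CBC_PAD` literal with the `encryptAlgorithm` field decouples the cipher from the hard-coded 16-byte `iv` declared next to it (`protected byte iv[] = { 0x1, ... }`), so a later change of `encryptAlgorithm` to a different block size or mode gives a silent IV-length mismatch; a comment on the field, `// iv length must match encryptAlgorithm's block size (16 bytes for AES-CBC)`, would pin the coupling, and the all-`0x01` fixed IV predates this change but now deserves a note that the stored wrapped-passphrase format depends on it. `ver_passphrase` is converted with `CryptoUtil.bytesToChars(ver_passphrase)` and then left intact before `return ver_spassphraseChars;`; unless a `finally` block outside the hunk clears it, the plaintext shared secret remains in that byte array, and `CryptoUtil.obscureBytes(ver_passphrase, "random")` after the conversion would match the cleanup done elsewhere in this series. The enclosing method begins outside the hunk.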
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION 
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION + log.instance.SignedAudit._006=## + 
log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION ++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index f4b813c..8aebd0f 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -82,10 +82,6 @@ public class AuditEvent extends LogEvent { + "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; + public final static String CRL_VALIDATION = + "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2"; +- public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = +- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5"; +- public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = +- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6"; + + public final static String COMPUTE_RANDOM_DATA_REQUEST = + "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java +new file mode 100644 +index 0000000..76b4a9a +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java +@@ -0,0 +1,74 @@ ++// --- BEGIN COPYRIGHT BLOCK --- 
++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class CMCUserSignedRequestSigVerifyEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS"; ++ ++ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = ++ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE"; ++ ++ public CMCUserSignedRequestSigVerifyEvent(String messageID) { ++ super(messageID); ++ } ++ ++ public static CMCUserSignedRequestSigVerifyEvent createSuccessEvent( ++ String subjectID, ++ String reqType, ++ String certSubject, ++ String signerInfo) { ++ ++ CMCUserSignedRequestSigVerifyEvent event = new CMCUserSignedRequestSigVerifyEvent( ++ CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS); ++ ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ event.setAttribute("ReqType", reqType); ++ event.setAttribute("CertSubject", certSubject); ++ event.setAttribute("SignerInfo", 
signerInfo); ++ ++ return event; ++ } ++ ++ public static CMCUserSignedRequestSigVerifyEvent createFailureEvent( ++ String subjectID, ++ String reqType, ++ String certSubject, ++ String cmcSignerInfo, ++ String info) { ++ ++ CMCUserSignedRequestSigVerifyEvent event = new CMCUserSignedRequestSigVerifyEvent( ++ CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE); ++ ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.FAILURE); ++ event.setAttribute("ReqType", reqType); ++ event.setAttribute("CertSubject", certSubject); ++ event.setAttribute("CMCSignerInfo", cmcSignerInfo); ++ event.setAttribute("info", info); ++ ++ return event; ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index dd73055..9dbf787 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -82,8 +82,8 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.IExtendedPluginInfo; + import com.netscape.certsrv.base.SessionContext; +-import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; + import com.netscape.certsrv.profile.EProfileException; + import com.netscape.certsrv.profile.IProfile; + import com.netscape.certsrv.profile.IProfileAuthenticator; +@@ -260,7 +260,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + String msg = ""; + CMS.debug(method + "begins"); + +- String auditMessage = null; + String auditSubjectID = getAuditSubjectID(); + String auditReqType = ILogger.UNIDENTIFIED; + String requestCertSubject = ILogger.UNIDENTIFIED; +@@ -725,22 +724,20 @@ public class CMCUserSignedAuth implements 
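Review bot: The new CMCUserSignedRequestSigVerifyEvent class and its two factories carry no Javadoc, so a reader cannot tell from the class that success and failure now share one audit event name and are distinguished by the Outcome attribute, nor why the failure variant records `CMCSignerInfo` and `info` while the success variant records `SignerInfo`. Add a class comment stating that contract and give each factory a one-line `@param` list; `info` should be documented as caller-supplied diagnostic text (the CMCUserSignedAuth call sites in this patch pass `eAudit.toString()`). If the mixed attribute-key casing (`info` next to `SubjectID`) is deliberate to match the old LogMessages placeholders, say so in that comment, otherwise `Info` would match the rest.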
IAuthManager, IExtendedPluginInfo, + } + + // For accuracy, make sure revocation by shared secret doesn't +- // log CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS ++ // log successful CMC_USER_SIGNED_REQUEST_SIG_VERIFY audit event + if (authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT) != null || + authToken.get(IAuthManager.CRED_CMC_SELF_SIGNED) != null) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, ++ ++ signedAuditLogger.log( ++ CMCUserSignedRequestSigVerifyEvent.createSuccessEvent( + getAuditSubjectID(), +- ILogger.SUCCESS, + auditReqType, + getRequestCertSubject(auditContext), +- getAuditSignerInfo(auditContext)); ++ getAuditSignerInfo(auditContext))); + +- signedAuditLogger.log(auditMessage); + } else { + CMS.debug(method +- + "audit event CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged due to unsigned data for revocation with shared secret."); ++ + "successful CMC_USER_SIGNED_REQUEST_SIG_VERIFY audit event not logged due to unsigned data for revocation with shared secret."); + } + + CMS.debug(method + "ends successfully; returning authToken"); +@@ -752,49 +749,40 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + throw eAudit1; + } catch (EInvalidCredentials eAudit2) { + CMS.debug(method + eAudit2); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, ++ ++ signedAuditLogger.log( ++ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( + getAuditSubjectID(), +- ILogger.FAILURE, + auditReqType, + getRequestCertSubject(auditContext), + getAuditSignerInfo(auditContext), +- eAudit2.toString()); +- +- signedAuditLogger.log(auditMessage); ++ eAudit2.toString())); + + // rethrow the specific exception to be handled later + throw eAudit2; + } catch (EBaseException eAudit3) { + CMS.debug(method + eAudit3); +- // store a message in the signed 
audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, ++ ++ signedAuditLogger.log( ++ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( + getAuditSubjectID(), +- ILogger.FAILURE, + auditReqType, + getRequestCertSubject(auditContext), + getAuditSignerInfo(auditContext), +- eAudit3.toString()); +- +- signedAuditLogger.log(auditMessage); ++ eAudit3.toString())); + + // rethrow the specific exception to be handled later + throw eAudit3; + } catch (Exception eAudit4) { + CMS.debug(method + eAudit4); +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, ++ ++ signedAuditLogger.log( ++ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( + getAuditSubjectID(), +- ILogger.FAILURE, + auditReqType, + getRequestCertSubject(auditContext), + getAuditSignerInfo(auditContext), +- eAudit4.toString()); +- +- signedAuditLogger.log(auditMessage); ++ eAudit4.toString())); + + // rethrow the exception to be handled later + throw new EBaseException(eAudit4); +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index ceb57ca..4ec6c39 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2235,8 +2235,8 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][CMCSignerInfo={4}][info={5}] User signed CMC request signature verification failure 
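Review bot: The three catch blocks in this hunk now repeat the same createFailureEvent/log call and differ only in the exception passed as `info`, so a future attribute change has to be made three times; a private helper such as `auditSigVerifyFailure(auditContext, auditReqType, e)` called from each block would keep them identical. The enclosing method starts before the first CMCUserSignedAuth hunk and its body is not fully visible here.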
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification success
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification failure
+ 
+ # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST
+ # - used for TPS to TKS to get random challenge data
+-- 
+1.8.3.1
+
+
+From 57f7313a7def443fc68f952e065c69d0b47a239c Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Thu, 11 Jan 2018 15:16:02 -0500
+Subject: [PATCH 09/30] Modify get_cert to get rid of spurious certutil error
+ messages
+
+Also shortened some lines to comply with PEP8
+rhbz# 1520277
+
+Change-Id: I71d5ecb24c979c1be642a0c3529aebfae6e98aa7
+(cherry picked from commit 2e5f4408a09819242de0b1b0eb023e5ddf074acd)
+---
+ base/common/python/pki/nssdb.py | 99 +++++++++++++++++++++++++----------------
+ 1 file changed, 61 insertions(+), 38 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index bd270ab..8edfca2 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -72,19 +72,23 @@ def convert_data(data, input_format, output_format, header=None, footer=None):
+ 
+ return ''.join(lines)
+ 
+- raise Exception('Unable to convert data from %s to %s' % (input_format, output_format))
++ raise Exception('Unable to convert data from {} to {}'.format(
++ input_format, output_format))
+ 
+ 
+ def convert_csr(csr_data, input_format, output_format):
+- return convert_data(csr_data, input_format, output_format, CSR_HEADER, CSR_FOOTER)
++ return convert_data(csr_data, input_format, output_format,
++ CSR_HEADER, CSR_FOOTER)
+ 
+ 
+ def convert_cert(cert_data, input_format, output_format):
+- return convert_data(cert_data, input_format, output_format, CERT_HEADER, CERT_FOOTER)
++ return convert_data(cert_data, input_format, output_format,
++ CERT_HEADER, 
CERT_FOOTER)
+ 
+ 
+ def convert_pkcs7(pkcs7_data, input_format, output_format):
+- return convert_data(pkcs7_data, input_format, output_format, PKCS7_HEADER, PKCS7_FOOTER)
++ return convert_data(pkcs7_data, input_format, output_format,
++ PKCS7_HEADER, PKCS7_FOOTER)
+ 
+ 
+ def get_file_type(filename):
+@@ -105,11 +109,13 @@ def get_file_type(filename):
+ 
+ class NSSDatabase(object):
+ 
+- def __init__(self, directory=None, token=None, password=None, password_file=None,
+- internal_password=None, internal_password_file=None):
++ def __init__(self, directory=None, token=None, password=None,
++ password_file=None, internal_password=None,
++ internal_password_file=None):
+ 
+ if not directory:
+- directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
++ directory = os.path.join(
++ os.path.expanduser("~"), '.dogtag', 'nssdb')
+ 
+ self.directory = directory
+ 
+@@ -133,7 +139,8 @@ class NSSDatabase(object):
+ 
+ if internal_password:
+ # Store the specified internal token into password file. 
+- self.internal_password_file = os.path.join(self.tmpdir, 'internal_password.txt')
++ self.internal_password_file = os.path.join(
++ self.tmpdir, 'internal_password.txt')
+ with open(self.internal_password_file, 'w') as f:
+ f.write(internal_password)
+ 
+@@ -281,7 +288,8 @@ class NSSDatabase(object):
+ 
+ keystroke += '\n'
+ 
+- # Enter the path length constraint, enter to skip [<0 for unlimited path]:
++ # Enter the path length constraint,
++ # enter to skip [<0 for unlimited path]:
+ if basic_constraints_ext['path_length'] is not None:
+ keystroke += basic_constraints_ext['path_length']
+ 
+@@ -316,7 +324,8 @@ class NSSDatabase(object):
+ with open(data_file, 'w') as f:
+ f.write(generic_ext['data'])
+ 
+- critical = 'critical' if generic_ext['critical'] else 'not-critical'
++ critical = ('critical' if generic_ext['critical']
++ else 'not-critical')
+ 
+ ext = generic_ext['oid']
+ ext += ':' + critical
+@@ -328,7 +337,9 @@ class NSSDatabase(object):
+ cmd.append(','.join(exts))
+ 
+ # generate binary request
+- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
++ p = subprocess.Popen(cmd,
++ stdin=subprocess.PIPE,
++ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT)
+ 
+ p.communicate(keystroke)
+@@ -336,7 +347,8 @@ class NSSDatabase(object):
+ rc = p.wait()
+ 
+ if rc:
+- raise Exception('Failed to generate certificate request. RC: %d' % rc)
++ raise Exception(
++ 'Failed to generate certificate request. 
RC: %d' % rc)
+ 
+ # encode binary request in base-64
+ b64_request_file = os.path.join(tmpdir, 'request.b64')
+@@ -358,8 +370,8 @@ class NSSDatabase(object):
+ 
+ def create_cert(self, request_file, cert_file, serial, issuer=None,
+ key_usage_ext=None, basic_constraints_ext=None,
+- aki_ext=None, ski_ext=None, aia_ext=None, ext_key_usage_ext=None,
+- validity=None):
++ aki_ext=None, ski_ext=None, aia_ext=None,
++ ext_key_usage_ext=None, validity=None):
+ cmd = [
+ 'certutil',
+ '-C',
+@@ -448,7 +460,8 @@ class NSSDatabase(object):
+ 
+ keystroke += '\n'
+ 
+- # Enter the path length constraint, enter to skip [<0 for unlimited path]:
++ # Enter the path length constraint,
++ # enter to skip [<0 for unlimited path]:
+ if basic_constraints_ext['path_length']:
+ keystroke += basic_constraints_ext['path_length']
+ 
+@@ -482,7 +495,7 @@ class NSSDatabase(object):
+ # To ensure whether this is the first AIA being added
+ firstentry = True
+ 
+- # Enter access method type for Authority Information Access extension:
++ # Enter access method type for AIA extension:
+ for s in aia_ext:
+ if not firstentry:
+ keystroke += 'y\n'
+@@ -507,7 +520,8 @@ class NSSDatabase(object):
+ # One entry is done.
+ firstentry = False
+ 
+- # Add another location to the Authority Information Access extension [y/N]
++ # Add another location to the Authority Information
++ # Access extension [y/N]
+ keystroke += '\n'
+ 
+ # Is this a critical extension [y/N]?
+@@ -516,7 +530,9 @@ class NSSDatabase(object):
+ 
+ keystroke += '\n'
+ 
+- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
++ p = subprocess.Popen(cmd,
++ stdin=subprocess.PIPE,
++ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT)
+ 
+ p.communicate(keystroke)
+@@ -575,7 +591,8 @@ class NSSDatabase(object):
+ aia_ext=aia_ext)
+ 
+ if rc:
+- raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
++ raise Exception(
++ 'Failed to generate self-signed CA certificate. 
RC: %d' % rc)
+ 
+ def show_certs(self):
+ 
+@@ -616,20 +633,22 @@ class NSSDatabase(object):
+ output_format_option
+ ])
+ 
+- try:
+- cert_data = subprocess.check_output(cmd)
++ pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE,
++ stderr=subprocess.PIPE)
++ cert_data, std_err = pipes.communicate()
++
++ if pipes.returncode != 0:
++ # certutil returned an error
++ # raise exception unless its not cert not found
++ if std_err.startswith('certutil: Could not find cert: '):
++ return None
+ 
+- if output_format == 'base64':
+- cert_data = base64.b64encode(cert_data)
++ raise Exception(std_err.strip())
+ 
+- return cert_data
++ if output_format == 'base64':
++ cert_data = base64.b64encode(cert_data)
+ 
+- except subprocess.CalledProcessError:
+- # All certutil errors return the same code (i.e. 255).
+- # For now assume it was caused by missing certificate.
+- # TODO: Check error message. If it's caused by other
+- # issue, throw exception.
+- return None
++ return cert_data
+ 
+ def get_cert_info(self, nickname):
+ 
+@@ -641,23 +660,27 @@ class NSSDatabase(object):
+ '-n', nickname
+ ]
+ 
+- cert_details = subprocess.check_output(cmd_extract_serial, stderr=subprocess.STDOUT)
++ cert_details = subprocess.check_output(
++ cmd_extract_serial, stderr=subprocess.STDOUT)
+ cert_pem = subprocess.check_output(
+ cmd_extract_serial + ['-a'], stderr=subprocess.STDOUT)
+ 
+- cert_obj = x509.load_pem_x509_certificate(cert_pem, backend=default_backend())
++ cert_obj = x509.load_pem_x509_certificate(
++ cert_pem, backend=default_backend())
+ 
+ cert["serial_number"] = cert_obj.serial_number
+ 
+- cert["issuer"] = re.search(r'Issuer:(.*)', cert_details).group(1).strip()\
+- .replace('"', '')
+- cert["subject"] = re.search(r'Subject:(.*)', cert_details).group(1).strip()\
+- .replace('"', '')
++ cert["issuer"] = re.search(
++ r'Issuer:(.*)', cert_details).group(1).strip().replace('"', '')
++ cert["subject"] = re.search(
++ r'Subject:(.*)', cert_details).group(1).strip().replace('"', '')
+ 
+- 
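Review bot: `std_err.startswith('certutil: Could not find cert: ')` compares the raw output of `communicate()` against a str; under Python 3 that is bytes and the comparison raises TypeError instead of returning None, and on either version the not-found path depends on certutil's exact English wording, so any other message becomes the generic `Exception(std_err.strip())`. Decoding first, `std_err = std_err.decode('utf-8', 'replace')`, and keeping the prefix in one module-level constant would make the check robust; I cannot tell from the hunk which Python versions this module targets. The enclosing `get_cert` method starts before the hunk.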
str_not_before = re.search(r'Not Before.?:(.*)', cert_details).group(1).strip()
++ str_not_before = re.search(
++ r'Not Before.?:(.*)', cert_details).group(1).strip()
+ cert["not_before"] = self.convert_time_to_millis(str_not_before)
+ 
+- str_not_after = re.search(r'Not After.?:(.*)', cert_details).group(1).strip()
++ str_not_after = re.search(
++ r'Not After.?:(.*)', cert_details).group(1).strip()
+ cert["not_after"] = self.convert_time_to_millis(str_not_after)
+ 
+ return cert
+-- 
+1.8.3.1
+
+
+From 21b7b2ed80c5916492c89b61a758f0c337a3db4d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Thu, 11 Jan 2018 02:01:37 +0100
+Subject: [PATCH 10/30] Fixed pki-server cert-find to work with HSM.
+
+Previously the pki-server cert-find command would prompt for
+token password if used with HSM. It has been fixed with the
+following changes:
+
+The PKISubsystem.create_subsystem_cert_object() was modified to
+get the certificate info from the proper token.
+
+The NSSDatabase.get_cert_info() was modified to specify the token
+name in the certutil command if provided. 
+
+https://pagure.io/dogtagpki/issue/2901
+
+Change-Id: If8862abe4c3057f3094c414134b9719088796963
+(cherry picked from commit e715c8a9445de93bc131ab0332d0fc64e44cca12)
+(cherry picked from commit ebf46355270cb1f5a64a70336f991cda310067eb)
+---
+ base/common/python/pki/nssdb.py | 24 +++++++++++++++++-------
+ base/server/python/pki/server/__init__.py | 6 +++---
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index 8edfca2..cc9194e 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -382,7 +382,7 @@ class NSSDatabase(object):
+ if issuer:
+ cmd.extend(['-c', issuer])
+ else:
+- cmd.extend('-x')
++ cmd.extend(['-x'])
+ 
+ if self.token:
+ cmd.extend(['-h', self.token])
+@@ -392,7 +392,7 @@ class NSSDatabase(object):
+ '-a',
+ '-i', request_file,
+ '-o', cert_file,
+- '-m', serial
++ '-m', str(serial)
+ ])
+ 
+ if validity:
+@@ -653,17 +653,27 @@ class NSSDatabase(object):
+ def get_cert_info(self, nickname):
+ 
+ cert = dict()
+- cmd_extract_serial = [
++ cmd = [
+ 'certutil',
+ '-L',
+- '-d', self.directory,
+- '-n', nickname
++ '-d', self.directory
+ ]
+ 
++ fullname = nickname
++
++ if self.token:
++ cmd.extend(['-h', self.token])
++ fullname = self.token + ':' + fullname
++
++ cmd.extend([
++ '-f', self.password_file,
++ '-n', fullname
++ ])
++
+ cert_details = subprocess.check_output(
+- cmd_extract_serial, stderr=subprocess.STDOUT)
++ cmd, stderr=subprocess.STDOUT)
+ cert_pem = subprocess.check_output(
+ cmd_extract_serial + ['-a'], stderr=subprocess.STDOUT)
++ cmd + ['-a'], stderr=subprocess.STDOUT)
+ 
+ cert_obj = x509.load_pem_x509_certificate(
+ cert_pem, backend=default_backend())
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index bb01dcf..65aee2f 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -161,12 +161,12 @@ class 
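Review bot: `cmd.extend(['-f', self.password_file, '-n', fullname])` in the get_cert_info hunk passes `self.password_file` unconditionally, and NSSDatabase.__init__ (patch 09 above) defaults `password_file=None`, so a database opened without a password now puts None into argv and fails inside `subprocess.check_output` where the old command worked; guard it with `if self.password_file: cmd.extend(['-f', self.password_file])`. Separately, `if self.token:` prefixes the nickname with whatever token string the caller supplied, and the subsystem.py hunk in the next patch builds `token + ':' + fullname` from the CS.cfg tokenname the same way; if that value can be the internal token's own name, the prefixed nickname would not resolve, so confirm that the internal token is normalised to an empty value before it reaches either place. The rest of `get_cert_info` continues past the hunk.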
PKISubsystem(object):
+ def create_subsystem_cert_object(self, cert_id):
+ 
+ nickname = self.config.get('%s.%s.nickname' % (self.name, cert_id))
++ token = self.config.get('%s.%s.tokenname' % (self.name, cert_id))
+ 
+ cert = {}
+ cert['id'] = cert_id
+ cert['nickname'] = nickname
+- cert['token'] = self.config.get(
+- '%s.%s.tokenname' % (self.name, cert_id), None)
++ cert['token'] = token
+ cert['data'] = self.config.get(
+ '%s.%s.cert' % (self.name, cert_id), None)
+ cert['request'] = self.config.get(
+@@ -177,7 +177,7 @@ class PKISubsystem(object):
+ if not nickname:
+ return cert
+ 
+- nssdb = self.instance.open_nssdb()
++ nssdb = self.instance.open_nssdb(token)
+ try:
+ cert_info = nssdb.get_cert_info(nickname)
+ cert.update(cert_info)
+-- 
+1.8.3.1
+
+
+From 6a074d7519a475bc5245ff5a9759cbcbcfa7973c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 15 Jan 2018 16:57:13 +0100
+Subject: [PATCH 11/30] Fixed pki-server subsystem-cert-verify to work with
+ HSM.
+
+The pki-server subsystem-cert-verify has been modified to use the
+proper token name to call pki client-cert-verify. 
+
+https://pagure.io/dogtagpki/issue/2901
+
+Change-Id: Ifc496beb0f81c1c6310b183175037243b71a1926
+(cherry picked from commit f65ea152af4492de845295fb12180de3aac3c2f1)
+(cherry picked from commit f59768f3cdc920a27f1ca90184083142fec98f63)
+---
+ base/server/python/pki/server/cli/subsystem.py | 29 ++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
+index ca5652d..0abf90a 100644
+--- a/base/server/python/pki/server/cli/subsystem.py
++++ b/base/server/python/pki/server/cli/subsystem.py
+@@ -1000,23 +1000,34 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
+ token = cert.get('token', '')
+ print(' Token: %s' % token)
+ 
+- # get internal token password and store in temporary file
+- passwd = instance.get_token_password()
++ # get token password and store in temporary file
++ passwd = instance.get_token_password(token)
+ 
+ pwfile_handle, pwfile_path = tempfile.mkstemp()
+ os.write(pwfile_handle, passwd)
+ os.close(pwfile_handle)
+ 
+ try:
+- cmd = ['pki',
+- '-d', instance.nssdb_dir,
+- '-C', pwfile_path,
+- 'client-cert-validate',
+- nickname,
+- '--certusage', usage]
++ cmd = [
++ 'pki',
++ '-d', instance.nssdb_dir
++ ]
++
++ fullname = nickname
++
++ if token:
++ cmd.extend(['--token', token])
++ fullname = token + ':' + fullname
++
++ cmd.extend([
++ '-C', pwfile_path,
++ 'client-cert-validate',
++ fullname,
++ '--certusage', usage
++ ])
+ 
+ if self.verbose:
+- print('Command: %s' % cmd)
++ print('Command: %s' % ' '.join(cmd))
+ 
+ subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+ print(' Status: VALID')
+-- 
+1.8.3.1
+
+
+From 311a196d934c5748a61e0094f37dc24e5a120c09 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 15 Jan 2018 16:57:13 +0100
+Subject: [PATCH 12/30] Fixed nssdb.add_cert() for HSM.
+
+The nssdb.add_cert() has been modified to import certificates
+properly. 
If HSM is used, the certificate will be imported into
+HSM without trust attributes. If trust attributes are specified,
+the certificate will be imported into internal token as well with
+the trust attributes. If no HSM is used, the certificate will be
+imported into the internal token with the trust attributes if
+available.
+
+https://pagure.io/dogtagpki/issue/2901
+
+Change-Id: I4027b3064694ecf41bc616cf1b67581e4d103531
+(cherry picked from commit c8f9058432776500dcfe5b2c40e205018919896b)
+(cherry picked from commit 3e10aa429cde0ad22f43b1217609230fca3a2517)
+---
+ base/common/python/pki/nssdb.py | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index cc9194e..11758f1 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -159,13 +159,14 @@ class NSSDatabase(object):
+ 
+ # Add cert in two steps due to bug #1393668.
+ 
+- # First, import cert into HSM without trust attributes.
++ # If HSM is used, import cert into HSM without trust attributes.
+ if self.token:
+ cmd = [
+ 'certutil',
+ '-A',
+ '-d', self.directory,
+ '-h', self.token,
++ '-P', self.token,
+ '-f', self.password_file,
+ '-n', nickname,
+ '-i', cert_file,
+@@ -175,18 +176,20 @@ class NSSDatabase(object):
+ # Ignore return code due to bug #1393668.
+ subprocess.call(cmd)
+ 
+- # Then, import cert into internal token with trust attributes.
+- cmd = [
+- 'certutil',
+- '-A',
+- '-d', self.directory,
+- '-f', self.internal_password_file,
+- '-n', nickname,
+- '-i', cert_file,
+- '-t', trust_attributes
+- ]
++ # If HSM is not used, or cert has trust attributes,
++ # import cert into internal token. 
++ if not self.token or trust_attributes != ',,':
++ cmd = [
++ 'certutil',
++ '-A',
++ '-d', self.directory,
++ '-f', self.internal_password_file,
++ '-n', nickname,
++ '-i', cert_file,
++ '-t', trust_attributes
++ ]
+ 
+- subprocess.check_call(cmd)
++ subprocess.check_call(cmd)
+ 
+ def modify_cert(self, nickname, trust_attributes):
+ cmd = [
+-- 
+1.8.3.1
+
+
+From 1fafa7125d93eeedf627c63539fe00aad7b1e15f Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Tue, 16 Jan 2018 15:10:15 -0500
+Subject: [PATCH 13/30] Make sure tomcat is running as pki user with nuxwdog
+
+The nuxwdog process needs to run as a privileged user to be able
+to retrieve the passwords from the systemd tty agent in systemctl.
+Therefore, the nuxwdog unit file should NOT specify the PKI user
+there.
+
+However, we have added an option to nuxwdog to specify the user
+in the nuxwdog config file, so that the process that nuxwdog spawns
+(ie. tomcat) will run as the specified user.
+
+The code changes in this patch ensure that when the nuxwdog conf
+file is created, the user is set correctly as the value of the
+variable TOMCAT_USER. 
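Review bot: The HSM branch of add_cert now passes `'-P', self.token` next to `'-h', self.token`; certutil's `-P` is the database file prefix rather than a token selector, so unless the deployment deliberately relies on a prefix equal to the token name this looks like a duplicated `-h` line and should be confirmed or dropped. The new condition `trust_attributes != ',,'` also treats a None value as "has trust attributes" and then hands it to certutil as `'-t', trust_attributes`; the parameter's default is outside the hunk, so if None is possible normalise it first, e.g. `if not self.token or (trust_attributes and trust_attributes != ',,'):`. The enclosing add_cert method starts before the first hunk.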
+
+Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf
+(cherry picked from commit 96e99209b278b5ba380a61486a5b6ce6a87326a0)
+---
+ base/server/sbin/pki-server-nuxwdog | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
+index cb89938..ffdbc33 100755
+--- a/base/server/sbin/pki-server-nuxwdog
++++ b/base/server/sbin/pki-server-nuxwdog
+@@ -39,7 +39,7 @@ set_javacmd
+ # create the nuxwdog config file
+ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf"
+ touch ${nux_fname}
+-chown pkiuser: ${nux_fname}
++chown ${TOMCAT_USER}: ${nux_fname}
+ 
+ echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
+ echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
+@@ -50,4 +50,5 @@ echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
+ echo "ExeBackground 1" >> $nux_fname
+ echo "PidFile $NUXWDOG_PID" >> $nux_fname
+ echo "ChildPidFile $CATALINA_PID" >> $nux_fname
++echo "User ${TOMCAT_USER}" >> $nux_fname
+ 
+-- 
+1.8.3.1
+
+
+From 2ac0712fb41c49db35e2482039330d20d5bb8366 Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Wed, 17 Jan 2018 18:31:19 -0500
+Subject: [PATCH 14/30] Allow instances to be created with custom users
+
+Some folks want to run instances under a different user and
+group (ie. not pkiuser). They may even want a different user for
+each instance. The way to do this in systemd is to create systemd
+override files for the specific instance.
+
+The deployment scriptlets have been updated to create (and delete)
+these override files. 
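Review bot: Both `chown ${TOMCAT_USER}: ${nux_fname}` and `echo "User ${TOMCAT_USER}"` assume TOMCAT_USER is non-empty, and where it is set is outside both hunks; with an empty value the config gets a bare `User ` line and the chown is a no-op, so the user nuxwdog spawns Tomcat as becomes whatever its default is instead of the intended unprivileged account. Fail early before the config file is created, e.g. `: "${TOMCAT_USER:?TOMCAT_USER must be set}"`, and quote the path in the new lines (`"${nux_fname}"`) the way the `nux_fname=` assignment already quotes CATALINA_BASE.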
+
+Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037
+(cherry picked from commit afe0a2525cace41a1bef2ff7fe0f8f53aa5990e5)
+---
+ .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++++++++++++++
+ .../deployment/scriptlets/instance_layout.py | 18 +++++++
+ 2 files changed, 73 insertions(+)
+
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index 26aca14..96ae092 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -21,6 +21,12 @@
+ # System Imports
+ from __future__ import absolute_import
+ from __future__ import print_function
++
++try:
++ import configparser
++except ImportError:
++ import ConfigParser as configparser
++
+ import errno
+ import sys
+ import os
+@@ -3486,26 +3492,75 @@ class Systemd(object):
+ deployer (dictionary): PKI Deployment name/value parameters
+ """
+ self.mdict = deployer.mdict
++ self.deployer = deployer
+ instance_name = deployer.mdict['pki_instance_name']
+ 
+ unit_file = 'pki-tomcatd@%s.service' % instance_name
+ systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd.target.wants',
+ unit_file)
++ override_dir = '/etc/systemd/system/pki-tomcatd@{}.service.d'.format(
++ instance_name)
++ self.base_override_dir = override_dir
+ 
+ nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name
+ nuxwdog_systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants',
+ nuxwdog_unit_file)
++ nuxwdog_override_dir = (
++ '/etc/systemd/system/pki-tomcatd-nuxwdog@{}.service.d'.format(
++ instance_name))
++ self.nuxwdog_override_dir = nuxwdog_override_dir
++
++ # self.overrides will be a hash of ConfigParsers indexed by filename
++ # once the overrides have been constructed, the caller should call
++ # write_overrides()
++ self.overrides = {}
+ 
+ if os.path.exists(nuxwdog_systemd_link):
+ self.is_nuxwdog_enabled = True
+ self.service_name = 
nuxwdog_unit_file
+ self.systemd_link = nuxwdog_systemd_link
++ self.override_dir = nuxwdog_override_dir
+ else:
+ self.is_nuxwdog_enabled = False
+ self.service_name = unit_file
+ self.systemd_link = systemd_link
++ self.override_dir = override_dir
++
++ def create_override_directory(self):
++ self.deployer.directory.create(self.override_dir, uid=0, gid=0)
++
++ def create_override_file(self, fname):
++ self.create_override_directory()
++ self.deployer.file.create(
++ os.path.join(self.override_dir, fname),
++ uid=0, gid=0
++ )
++
++ def set_override(self, section, param, value, fname='local.conf'):
++ if fname not in self.overrides:
++ parser = configparser.ConfigParser()
++ parser.optionxform = str
++ override_file = os.path.join(self.override_dir, fname)
++ if os.path.exists(override_file):
++ parser.read(override_file)
++ self.overrides[fname] = parser
++ else:
++ parser = self.overrides[fname]
++
++ if not parser.has_section(section):
++ parser.add_section(section)
++
++ parser[section][param] = value
++
++ def write_overrides(self):
++ for fname, parser in self.overrides.items():
++ override_file = os.path.join(self.override_dir, fname)
++ if not os.path.exists(override_file):
++ self.create_override_file(override_file)
++ with open(override_file, 'w') as fp:
++ parser.write(fp, space_around_delimiters=False)
+ 
+ def daemon_reload(self, critical_failure=True):
+ """PKI Deployment execution management lifecycle function. 
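Review bot: `set_override` assigns through `parser[section][param] = value` and `write_overrides` calls `parser.write(fp, space_around_delimiters=False)`, but the import block added at the top of this patch falls back to Python 2's `ConfigParser`, which has neither the mapping interface nor that keyword, so the fallback path cannot actually run; `parser.set(section, param, value)` works on both, and the `space_around_delimiters` argument would have to be dropped or guarded. `write_overrides` also passes the already-joined absolute `override_file` into `create_override_file`, which joins it onto `self.override_dir` a second time; it only works because os.path.join discards the left side for an absolute right side, so pass `fname` instead. Creating the drop-in directory and file with uid=0/gid=0 before writing is the right choice for a root-owned systemd override.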
+diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 15c0441..4eb5496 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -145,10 +145,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.symlink.create( + deployer.mdict['pki_tomcat_bin_path'], + deployer.mdict['pki_tomcat_bin_link']) ++ ++ # create systemd links + deployer.symlink.create( + deployer.mdict['pki_tomcat_systemd'], + deployer.mdict['pki_instance_systemd_link'], + uid=0, gid=0) ++ user = deployer.mdict['pki_user'] ++ group = deployer.mdict['pki_group'] ++ if user != 'pkiuser' or group != 'pkiuser': ++ deployer.systemd.set_override( ++ 'Service', 'User', user, 'user.conf') ++ deployer.systemd.set_override( ++ 'Service', 'Group', group, 'user.conf') ++ deployer.systemd.write_overrides() ++ deployer.systemd.daemon_reload() + + # establish shared NSS security databases for this instance + deployer.directory.create(deployer.mdict['pki_database_path']) +@@ -179,6 +190,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # remove Tomcat instance systemd service link + deployer.symlink.delete(deployer.systemd.systemd_link) + ++ # delete systemd override directories ++ if deployer.directory.exists(deployer.systemd.base_override_dir): ++ deployer.directory.delete(deployer.systemd.base_override_dir) ++ if deployer.directory.exists(deployer.systemd.nuxwdog_override_dir): ++ deployer.directory.delete(deployer.systemd.nuxwdog_override_dir) ++ deployer.systemd.daemon_reload() ++ + # remove Tomcat instance base + deployer.directory.delete(deployer.mdict['pki_instance_path']) + # remove Tomcat instance logs +-- +1.8.3.1 + + +From 623313038b5a90bec95faaf5bcb6afcd2dedfcbb Mon Sep 17 00:00:00 2001 +From: "Endi S. 
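Review bot: The undeploy hunk (@@ -179) deletes the whole `pki-tomcatd@<instance>.service.d` and nuxwdog drop-in directories, which removes any drop-ins an administrator placed there by hand, not only the user.conf/local.conf files this code writes. If that is intended, a comment such as `# removes all drop-ins for this instance, including hand-written ones` would make it explicit; otherwise delete only the files written by Systemd.write_overrides. In the deploy hunk, the override is written only when user or group differ from the literal `pkiuser`, so the service default lives both here and in the unit file and the check drifts silently if the unit file ever changes. Both hunks sit inside PkiScriptlet methods whose bodies continue outside the hunks.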
Dewata" +Date: Fri, 12 Jan 2018 06:58:04 +0100 +Subject: [PATCH 15/30] Added default CA cert nickname in pki + client-cert-import. + +The pki client-cert-import has been modified to support optional +nickname for CA cert. If not specified, a default nickname will +be generated based on the subject DN. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I285a6f1ceb68d388fdf8bb5638f3767a312854a5 +(cherry picked from commit 1cda0ab32279097b73427bcfb2b4afd37408e0c4) +(cherry picked from commit 67c8376024f2ae141a26efb4f82ca1c873cd4264) +--- + .../cmstools/client/ClientCertImportCLI.java | 41 +++++++++++++++++----- + 1 file changed, 33 insertions(+), 8 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index ddab6ab..c6ad761 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -46,6 +46,7 @@ import com.netscape.certsrv.client.PKIClient; + import com.netscape.certsrv.dbs.certdb.CertId; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; ++import com.netscape.cmsutil.util.Cert; + + import netscape.security.pkcs.PKCS12; + import netscape.security.pkcs.PKCS7; +@@ -180,10 +181,13 @@ public class ClientCertImportCLI extends CLI { + + if (verbose) System.out.println("Importing CA certificate from " + caCertPath + "."); + ++ // initialize JSS ++ mainCLI.init(); ++ + if (trustAttributes == null) + trustAttributes = "CT,C,C"; + +- importCert( ++ importCACert( + mainCLI.certDatabase, + nssdbPasswordFile, + caCertPath, +@@ -300,13 +304,6 @@ public class ClientCertImportCLI extends CLI { + } else { + throw new Exception("Missing certificate to import"); + } +- +- if (nickname == null) { +- MainCLI.printMessage("Imported certificates from PKCS #12 file"); +- +- } else { +- MainCLI.printMessage("Imported 
certificate \"" + nickname + "\""); +- } + } + + public void setTrustAttributes(X509Certificate cert, String trustAttributes) +@@ -355,6 +352,30 @@ public class ClientCertImportCLI extends CLI { + } catch (Exception e) { + throw new Exception("Unable to import certificate file", e); + } ++ ++ MainCLI.printMessage("Imported certificate \"" + nickname + "\""); ++ } ++ ++ public void importCACert( ++ File dbPath, ++ File dbPasswordFile, ++ String certFile, ++ String nickname, ++ String trustAttributes) throws Exception { ++ ++ if (nickname != null) { ++ importCert(dbPath, dbPasswordFile, certFile, nickname, trustAttributes); ++ return; ++ } ++ ++ String pemCert = new String(Files.readAllBytes(Paths.get(certFile))).trim(); ++ byte[] binCert = Cert.parseCertificate(pemCert); ++ ++ CryptoManager manager = CryptoManager.getInstance(); ++ X509Certificate cert = manager.importCACertPackage(binCert); ++ setTrustAttributes(cert, trustAttributes); ++ ++ MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); + } + + /** +@@ -532,6 +553,8 @@ public class ClientCertImportCLI extends CLI { + "Setting trust attributes to CT,C,C"); + } + setTrustAttributes(root, "CT,C,C"); ++ ++ MainCLI.printMessage("Imported certificate \"" + nickname + "\""); + } + + public void importPKCS12( +@@ -560,5 +583,7 @@ public class ClientCertImportCLI extends CLI { + } catch (Exception e) { + throw new Exception("Unable to import PKCS #12 file", e); + } ++ ++ MainCLI.printMessage("Imported certificates from PKCS #12 file"); + } + } +-- +1.8.3.1 + + +From 8fb7b7af8a8c19093c6bb1225f251f5a9aefef3e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 Jan 2018 06:36:58 +0100 +Subject: [PATCH 16/30] Added NSSDatabase.add_ca_cert(). + +A new NSSDatabase.add_ca_cert() method has been added to import +CA cert without nickname using pki client-cert-import. 
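Review bot: In importCACert, `new String(Files.readAllBytes(Paths.get(certFile)))` decodes the PEM file with the platform default charset; decode it explicitly, e.g. `String pemCert = new String(Files.readAllBytes(Paths.get(certFile)), StandardCharsets.UTF_8).trim();` with the matching `java.nio.charset.StandardCharsets` import. The method also has no Javadoc although its contract differs from importCert in a way callers need to know: when nickname is null the nickname is derived from the subject DN (per the commit message), and the trust flags passed in (defaulting to `CT,C,C` in the @@ -180 hunk) are applied to whatever certificate importCACertPackage returns. A summary such as `/** Imports a CA certificate; when nickname is null a nickname is derived from the subject DN. */` with `@param` and `@throws` tags would cover that.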
+ +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I45d83938e92293dd54ec5af6e05c6edb215f80ea +(cherry picked from commit ca5e4fde0eaa1b3d26fa7c2cc4c483016833b4bb) +(cherry picked from commit e71e5957c79e03536f6adeef6e79adc8c728db5b) +--- + base/common/python/pki/nssdb.py | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index 11758f1..97746c9 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -191,6 +191,26 @@ class NSSDatabase(object): + + subprocess.check_call(cmd) + ++ def add_ca_cert(self, cert_file, trust_attributes=None): ++ cmd = [ ++ 'pki', ++ '-d', self.directory, ++ '-C', self.password_file ++ ] ++ ++ if self.token: ++ cmd.extend(['--token', self.token]) ++ ++ cmd.extend([ ++ 'client-cert-import', ++ '--ca-cert', cert_file ++ ]) ++ ++ if trust_attributes: ++ cmd.extend(['--trust', trust_attributes]) ++ ++ subprocess.check_call(cmd) ++ + def modify_cert(self, nickname, trust_attributes): + cmd = [ + 'certutil', +-- +1.8.3.1 + + +From dbca3d74b6c3b296cca5afd834d7b27a9912187b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 12 Jan 2018 02:50:28 +0100 +Subject: [PATCH 17/30] Refactored ClientCertImportCLI.sort(). + +The ClientCertImportCLI.sort() has been changed to support sorting +in both directions. It also has been renamed to sortCertificateChain(). 
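Review bot: add_ca_cert has no docstring although it shells out to `pki client-cert-import`, and the signature does not tell the caller that omitting trust_attributes leaves the trust flags to the CLI default (`CT,C,C` in the ClientCertImportCLI hunk earlier in this series) rather than importing without trust. A docstring along the lines of `"""Import a CA cert from cert_file via 'pki client-cert-import --ca-cert'; trust_attributes, when given, is passed as --trust, otherwise the CLI default applies."""` would make that explicit. The `if trust_attributes:` test also treats an empty string like None; `is not None` would be more precise unless the sibling methods deliberately use the same convention.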
+ +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I431b80e65e4a859d8d6deadf43af6af6aeefad4d +(cherry picked from commit ad67ee9989771598c85d8b3aa87523a7ae5e2d38) +(cherry picked from commit 57a0f4294d9d1858e7e59c6e605c85ee31bff2a3) +--- + .../cmstools/client/ClientCertImportCLI.java | 45 ++++++++++++++++------ + 1 file changed, 33 insertions(+), 12 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index c6ad761..46d820a 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -29,11 +29,13 @@ import java.util.ArrayList; + import java.util.Arrays; + import java.util.HashMap; + import java.util.LinkedHashMap; ++import java.util.LinkedList; + import java.util.List; + import java.util.Map; + + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; ++import org.apache.commons.lang.ArrayUtils; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.InternalCertificate; + import org.mozilla.jss.crypto.X509Certificate; +@@ -379,21 +381,22 @@ public class ClientCertImportCLI extends CLI { + } + + /** +- * Sorts certificate chain from leaf to root. ++ * Sorts certificate chain from root to leaf. + * + * This method sorts an array of certificates (e.g. from a PKCS #7 +- * data) that represents a certificate chain from leaf to root ++ * data) that represents a certificate chain from root to leaf + * according to the subject DNs and issuer DNs. + * +- * The array must contain exactly one unbranched certificate chain +- * with one leaf and one root. The subject DNs must be unique. ++ * The input array is a set of certificates that are part of a ++ * chain but not in specific order. + * +- * The result is returned in a new array. The input array is unchanged. 
++ * The result is a new array that contains the certificate chain ++ * sorted from root to leaf. The input array is unchanged. + * +- * @param certs array of certificates ++ * @param certs input array of certificates + * @return new array containing sorted certificates + */ +- public java.security.cert.X509Certificate[] sort(java.security.cert.X509Certificate[] certs) throws Exception { ++ public java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { + + // lookup map: subject DN -> cert + Map certMap = new LinkedHashMap<>(); +@@ -416,7 +419,7 @@ public class ClientCertImportCLI extends CLI { + + certMap.put(subjectDN, cert); + +- // ignore self-signed certificate when building hierarchy maps ++ // ignore self-signed certificate + if (subjectDN.equals(issuerDN)) continue; + + if (childMap.containsKey(issuerDN)) { +@@ -464,21 +467,39 @@ public class ClientCertImportCLI extends CLI { + throw new Exception("Multiple leaf certificates: " + sb); + } + +- // build cert chain from leaf cert +- List chain = new ArrayList<>(); ++ // build sorted chain ++ LinkedList chain = new LinkedList<>(); ++ ++ // start from leaf + String current = leafCerts.get(0); + + while (current != null) { + + java.security.cert.X509Certificate cert = certMap.get(current); +- chain.add(cert); + ++ // add to the beginning of chain ++ chain.addFirst(cert); ++ ++ // follow parent to root + current = parentMap.get(current); + } + + return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); + } + ++ public java.security.cert.X509Certificate[] sortCertificateChain( ++ java.security.cert.X509Certificate[] certs, ++ boolean reverse) throws Exception { ++ ++ certs = sortCertificateChain(certs); ++ ++ if (reverse) { ++ ArrayUtils.reverse(certs); ++ } ++ ++ return certs; ++ } ++ + public void importPKCS7( + String pkcs7Path, + String nickname, +@@ -499,7 +520,7 @@ public class ClientCertImportCLI extends CLI { + } + + // sort 
certs from leaf to root +- certs = sort(certs); ++ certs = sortCertificateChain(certs, true); + + CryptoManager manager = CryptoManager.getInstance(); + +-- +1.8.3.1 + + +From c0c55cadcb45758730393b03a73720f818834bb9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 Jan 2018 06:15:59 +0100 +Subject: [PATCH 18/30] Moved ClientCertImportCLI.sortCertificateChain(). + +The ClientCertImportCLI.sortCertificateChain() has been moved into +CryptoUtil for reusability. It also has been changed to use SLF4J +logger. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I465c99b9763147357c38ad0526137302acf90a5e +(cherry picked from commit 1622094ac8800bc06e932dea1be77316067f63b3) +(cherry picked from commit ee0918be9bb45611c14b2684954d14459bcb0627) +--- + .../cmstools/client/ClientCertImportCLI.java | 128 +-------------------- + base/util/src/CMakeLists.txt | 1 + + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 128 +++++++++++++++++++++ + 3 files changed, 131 insertions(+), 126 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index 46d820a..99b215e 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -27,15 +27,10 @@ import java.nio.file.Files; + import java.nio.file.Paths; + import java.util.ArrayList; + import java.util.Arrays; +-import java.util.HashMap; +-import java.util.LinkedHashMap; +-import java.util.LinkedList; + import java.util.List; +-import java.util.Map; + + import org.apache.commons.cli.CommandLine; + import org.apache.commons.cli.Option; +-import org.apache.commons.lang.ArrayUtils; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.InternalCertificate; + import org.mozilla.jss.crypto.X509Certificate; +@@ -48,6 +43,7 @@ import com.netscape.certsrv.client.PKIClient; + import 
com.netscape.certsrv.dbs.certdb.CertId; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; ++import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; + + import netscape.security.pkcs.PKCS12; +@@ -380,126 +376,6 @@ public class ClientCertImportCLI extends CLI { + MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); + } + +- /** +- * Sorts certificate chain from root to leaf. +- * +- * This method sorts an array of certificates (e.g. from a PKCS #7 +- * data) that represents a certificate chain from root to leaf +- * according to the subject DNs and issuer DNs. +- * +- * The input array is a set of certificates that are part of a +- * chain but not in specific order. +- * +- * The result is a new array that contains the certificate chain +- * sorted from root to leaf. The input array is unchanged. +- * +- * @param certs input array of certificates +- * @return new array containing sorted certificates +- */ +- public java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { +- +- // lookup map: subject DN -> cert +- Map certMap = new LinkedHashMap<>(); +- +- // hierarchy map: subject DN -> issuer DN +- Map parentMap = new HashMap<>(); +- +- // reverse hierarchy map: issuer DN -> subject DN +- Map childMap = new HashMap<>(); +- +- // build maps +- for (java.security.cert.X509Certificate cert : certs) { +- +- String subjectDN = cert.getSubjectDN().toString(); +- String issuerDN = cert.getIssuerDN().toString(); +- +- if (certMap.containsKey(subjectDN)) { +- throw new Exception("Duplicate certificate: " + subjectDN); +- } +- +- certMap.put(subjectDN, cert); +- +- // ignore self-signed certificate +- if (subjectDN.equals(issuerDN)) continue; +- +- if (childMap.containsKey(issuerDN)) { +- throw new Exception("Branched chain: " + issuerDN); +- } +- +- parentMap.put(subjectDN, issuerDN); +- childMap.put(issuerDN, subjectDN); 
+- } +- +- if (verbose) { +- System.out.println("Certificates:"); +- for (String subjectDN : certMap.keySet()) { +- System.out.println(" - " + subjectDN); +- +- String parent = parentMap.get(subjectDN); +- if (parent != null) System.out.println(" parent: " + parent); +- +- String child = childMap.get(subjectDN); +- if (child != null) System.out.println(" child: " + child); +- } +- } +- +- // find leaf cert +- List leafCerts = new ArrayList<>(); +- +- for (String subjectDN : certMap.keySet()) { +- +- // if cert has a child, skip +- if (childMap.containsKey(subjectDN)) continue; +- +- // found leaf cert +- leafCerts.add(subjectDN); +- } +- +- if (leafCerts.isEmpty()) { +- throw new Exception("Unable to find leaf certificate"); +- +- } else if (leafCerts.size() > 1) { +- StringBuilder sb = new StringBuilder(); +- for (String subjectDN : leafCerts) { +- if (sb.length() > 0) sb.append(", "); +- sb.append("[" + subjectDN + "]"); +- } +- throw new Exception("Multiple leaf certificates: " + sb); +- } +- +- // build sorted chain +- LinkedList chain = new LinkedList<>(); +- +- // start from leaf +- String current = leafCerts.get(0); +- +- while (current != null) { +- +- java.security.cert.X509Certificate cert = certMap.get(current); +- +- // add to the beginning of chain +- chain.addFirst(cert); +- +- // follow parent to root +- current = parentMap.get(current); +- } +- +- return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); +- } +- +- public java.security.cert.X509Certificate[] sortCertificateChain( +- java.security.cert.X509Certificate[] certs, +- boolean reverse) throws Exception { +- +- certs = sortCertificateChain(certs); +- +- if (reverse) { +- ArrayUtils.reverse(certs); +- } +- +- return certs; +- } +- + public void importPKCS7( + String pkcs7Path, + String nickname, +@@ -520,7 +396,7 @@ public class ClientCertImportCLI extends CLI { + } + + // sort certs from leaf to root +- certs = sortCertificateChain(certs, true); ++ certs = 
CryptoUtil.sortCertificateChain(certs, true); + + CryptoManager manager = CryptoManager.getInstance(); + +diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt +index 2a00967..a2269b2 100644 +--- a/base/util/src/CMakeLists.txt ++++ b/base/util/src/CMakeLists.txt +@@ -120,6 +120,7 @@ javac(pki-cmsutil-classes + ${APACHE_COMMONS_LANG_JAR} ${HTTPCORE_JAR} ${HTTPCLIENT_JAR} + ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} + ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR} ++ ${SLF4J_API_JAR} + OUTPUT_DIR + ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 7a68c9b..f527967 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -47,10 +47,14 @@ import java.util.Arrays; + import java.util.Date; + import java.util.Enumeration; + import java.util.HashMap; ++import java.util.LinkedHashMap; ++import java.util.LinkedList; + import java.util.List; ++import java.util.Map; + import java.util.StringTokenizer; + import java.util.Vector; + ++import org.apache.commons.lang.ArrayUtils; + import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NotInitializedException; +@@ -117,6 +121,8 @@ import org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant; + import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange; + import org.mozilla.jss.util.Base64OutputStream; + import org.mozilla.jss.util.Password; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; + + import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.Utils; +@@ -158,6 +164,8 @@ import netscape.security.x509.X509Key; + @SuppressWarnings("serial") + public class CryptoUtil { + ++ private static Logger logger = LoggerFactory.getLogger(CryptoUtil.class); ++ + public static enum SSLVersion { + 
SSL_3_0(SSLVersionRange.ssl3), + TLS_1_0(SSLVersionRange.tls1_0), +@@ -1218,6 +1226,126 @@ public class CryptoUtil { + } + return val.toString(); + } ++ /** ++ * Sorts certificate chain from root to leaf. ++ * ++ * This method sorts an array of certificates (e.g. from a PKCS #7 ++ * data) that represents a certificate chain from root to leaf ++ * according to the subject DNs and issuer DNs. ++ * ++ * The input array is a set of certificates that are part of a ++ * chain but not in specific order. ++ * ++ * The result is a new array that contains the certificate chain ++ * sorted from root to leaf. The input array is unchanged. ++ * ++ * @param certs input array of certificates ++ * @return new array containing sorted certificates ++ */ ++ public static java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { ++ ++ // lookup map: subject DN -> cert ++ Map certMap = new LinkedHashMap<>(); ++ ++ // hierarchy map: subject DN -> issuer DN ++ Map parentMap = new HashMap<>(); ++ ++ // reverse hierarchy map: issuer DN -> subject DN ++ Map childMap = new HashMap<>(); ++ ++ // build maps ++ for (java.security.cert.X509Certificate cert : certs) { ++ ++ String subjectDN = cert.getSubjectDN().toString(); ++ String issuerDN = cert.getIssuerDN().toString(); ++ ++ if (certMap.containsKey(subjectDN)) { ++ throw new Exception("Duplicate certificate: " + subjectDN); ++ } ++ ++ certMap.put(subjectDN, cert); ++ ++ // ignore self-signed certificate ++ if (subjectDN.equals(issuerDN)) continue; ++ ++ if (childMap.containsKey(issuerDN)) { ++ throw new Exception("Branched chain: " + issuerDN); ++ } ++ ++ parentMap.put(subjectDN, issuerDN); ++ childMap.put(issuerDN, subjectDN); ++ } ++ ++ if (logger.isDebugEnabled()) { ++ logger.debug("Certificates:"); ++ for (String subjectDN : certMap.keySet()) { ++ logger.debug(" - " + subjectDN); ++ ++ String parent = parentMap.get(subjectDN); ++ if (parent != null) logger.debug(" parent: " 
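Review bot: `private static Logger logger = LoggerFactory.getLogger(CryptoUtil.class);` is a mutable static field that is never reassigned; declare it `private static final Logger logger = ...` so it cannot be swapped at runtime and matches the usual SLF4J idiom. The same non-final logger pattern appears in the new PKCS7CertExportCLI and PKCS7CertFindCLI files later in this series.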
+ parent); ++ ++ String child = childMap.get(subjectDN); ++ if (child != null) logger.debug(" child: " + child); ++ } ++ } ++ ++ // find leaf cert ++ List leafCerts = new ArrayList<>(); ++ ++ for (String subjectDN : certMap.keySet()) { ++ ++ // if cert has a child, skip ++ if (childMap.containsKey(subjectDN)) continue; ++ ++ // found leaf cert ++ leafCerts.add(subjectDN); ++ } ++ ++ if (leafCerts.isEmpty()) { ++ throw new Exception("Unable to find leaf certificate"); ++ } ++ ++ if (leafCerts.size() > 1) { ++ StringBuilder sb = new StringBuilder(); ++ for (String subjectDN : leafCerts) { ++ if (sb.length() > 0) sb.append(", "); ++ sb.append("[" + subjectDN + "]"); ++ } ++ throw new Exception("Multiple leaf certificates: " + sb); ++ } ++ ++ // build sorted chain ++ LinkedList chain = new LinkedList<>(); ++ ++ // start from leaf ++ String current = leafCerts.get(0); ++ ++ while (current != null) { ++ ++ java.security.cert.X509Certificate cert = certMap.get(current); ++ ++ // add to the beginning of chain ++ chain.addFirst(cert); ++ ++ // follow parent to root ++ current = parentMap.get(current); ++ } ++ ++ return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); ++ } ++ ++ public static java.security.cert.X509Certificate[] sortCertificateChain( ++ java.security.cert.X509Certificate[] certs, ++ boolean reverse) throws Exception { ++ ++ certs = sortCertificateChain(certs); ++ ++ if (reverse) { ++ ArrayUtils.reverse(certs); ++ } ++ ++ return certs; ++ } + + public static void importCertificateChain(byte[] bytes) + throws IOException, +-- +1.8.3.1 + + +From 68ac5378e421e2d4afd40f8c1b4caa788362d96c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 12 Jan 2018 04:29:30 +0100 +Subject: [PATCH 19/30] Added pki pkcs7 CLI. + +A new pki pkcs7 CLI has been added to manage a certificate chain in +a PKCS #7 file. The pki pkcs7-cert-find can be used to inspect the +certificates. 
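Review bot: sortCertificateChain orders the chain purely by string equality of `getSubjectDN().toString()` and `getIssuerDN().toString()`; it never checks that an issuer actually signed the child, and two encodings of the same name can print differently, so the Javadoc should say this is a structural ordering and not validation — e.g. add `* This method does not verify signatures or trust; callers must validate the chain separately.` after the existing description. The `(certs, reverse)` overload has no Javadoc at all; a summary such as `/** Sorts the chain root-to-leaf, or leaf-to-root when reverse is true; returns a new array. */` with a `@param reverse` tag would document the only behaviour that differs from the one-argument form. Stylistically, the new Javadoc starts directly after `return val.toString(); }` with no blank line, and the debug statements concatenate strings inside an `isDebugEnabled()` guard where SLF4J placeholders such as `logger.debug(" - {}", subjectDN)` would avoid both.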
The pki pkcs7-cert-export can be used to export the +certificates into separate files. The output certificates are sorted +from root to leaf so they can be processed further more consistently. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I7e5c9e2dc0ddd12db126955114b3314f75d475d7 +(cherry picked from commit 165c786512141815d3cb77caef119357ecf5a7e4) +(cherry picked from commit 949d4731575fedc96706eb62e2359846a8668718) +--- + .../src/com/netscape/cmstools/cli/MainCLI.java | 2 + + .../src/com/netscape/cmstools/pkcs7/PKCS7CLI.java | 40 +++++++ + .../com/netscape/cmstools/pkcs7/PKCS7CertCLI.java | 41 +++++++ + .../cmstools/pkcs7/PKCS7CertExportCLI.java | 131 +++++++++++++++++++++ + .../netscape/cmstools/pkcs7/PKCS7CertFindCLI.java | 111 +++++++++++++++++ + 5 files changed, 325 insertions(+) + create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java + create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java + create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java + create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 945e10e..711625a 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -59,6 +59,7 @@ import com.netscape.cmstools.key.KeyCLI; + import com.netscape.cmstools.kra.KRACLI; + import com.netscape.cmstools.ocsp.OCSPCLI; + import com.netscape.cmstools.pkcs12.PKCS12CLI; ++import com.netscape.cmstools.pkcs7.PKCS7CLI; + import com.netscape.cmstools.system.SecurityDomainCLI; + import com.netscape.cmstools.tks.TKSCLI; + import com.netscape.cmstools.tps.TPSCLI; +@@ -113,6 +114,7 @@ public class MainCLI extends CLI { + addModule(new TKSCLI(this)); + addModule(new TPSCLI(this)); + ++ addModule(new 
PKCS7CLI(this)); + addModule(new PKCS12CLI(this)); + + createOptions(); +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java +new file mode 100644 +index 0000000..782d574 +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java +@@ -0,0 +1,40 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.pkcs7; ++ ++import com.netscape.cmstools.cli.CLI; ++import com.netscape.cmstools.cli.MainCLI; ++ ++public class PKCS7CLI extends CLI { ++ ++ public PKCS7CLI(CLI parent) { ++ super("pkcs7", "PKCS #7 utilities", parent); ++ ++ addModule(new PKCS7CertCLI(this)); ++ } ++ ++ public String getFullName() { ++ if (parent instanceof MainCLI) { ++ // do not include MainCLI's name ++ return name; ++ } else { ++ return parent.getFullName() + "-" + name; ++ } ++ } ++} +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java +new file mode 100644 +index 0000000..03a8a4c +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java +@@ -0,0 +1,41 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. 
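Review bot: getFullName() overrides the CLI method it delegates to via `parent.getFullName()`, but carries no `@Override`; add `@Override` so a signature change in CLI is caught at compile time rather than silently turning this into an unused method. The same applies to printHelp, createOptions and execute in the new PKCS7CertExportCLI and PKCS7CertFindCLI files, assuming CLI declares them (their use of the inherited `formatter`, `options` and `parser` fields suggests it does).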
++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.pkcs7; ++ ++import java.security.cert.X509Certificate; ++ ++import com.netscape.certsrv.dbs.certdb.CertId; ++import com.netscape.cmstools.cli.CLI; ++ ++public class PKCS7CertCLI extends CLI { ++ ++ public PKCS7CertCLI(PKCS7CLI parent) { ++ super("cert", "PKCS #7 certificate management commands", parent); ++ ++ addModule(new PKCS7CertFindCLI(this)); ++ addModule(new PKCS7CertExportCLI(this)); ++ } ++ ++ public static void printCertInfo(X509Certificate cert) throws Exception { ++ ++ System.out.println(" Serial Number: " + new CertId(cert.getSerialNumber()).toHexString()); ++ System.out.println(" Subject DN: " + cert.getSubjectDN()); ++ System.out.println(" Issuer DN: " + cert.getIssuerDN()); ++ } ++} +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java +new file mode 100644 +index 0000000..a57f34a +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java +@@ -0,0 +1,131 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.pkcs7; ++ ++import java.io.FileWriter; ++import java.io.PrintWriter; ++import java.nio.file.Files; ++import java.nio.file.Paths; ++import java.security.cert.X509Certificate; ++import java.util.logging.Level; ++import java.util.logging.Logger; ++ ++import org.apache.commons.cli.CommandLine; ++import org.apache.commons.cli.Option; ++ ++import com.netscape.cmstools.cli.CLI; ++import com.netscape.cmsutil.crypto.CryptoUtil; ++import com.netscape.cmsutil.util.Cert; ++import com.netscape.cmsutil.util.Utils; ++ ++import netscape.security.pkcs.PKCS7; ++ ++public class PKCS7CertExportCLI extends CLI { ++ ++ private static Logger logger = Logger.getLogger(PKCS7CertExportCLI.class.getName()); ++ ++ public PKCS7CertExportCLI(PKCS7CertCLI certCLI) { ++ super("export", "Export certificates from PKCS #7 file", certCLI); ++ ++ createOptions(); ++ } ++ ++ public void printHelp() { ++ formatter.printHelp(getFullName() + " [OPTIONS...] [nicknames...]", options); ++ } ++ ++ public void createOptions() { ++ Option option = new Option(null, "pkcs7-file", true, "PKCS #7 file"); ++ option.setArgName("path"); ++ options.addOption(option); ++ ++ option = new Option(null, "output-prefix", true, "Prefix for output file"); ++ option.setArgName("string"); ++ options.addOption(option); ++ ++ option = new Option(null, "output-suffix", true, "Suffix for output file"); ++ option.setArgName("string"); ++ options.addOption(option); ++ ++ options.addOption("v", "verbose", false, "Run in verbose mode."); ++ options.addOption(null, "debug", false, "Run in debug mode."); ++ options.addOption(null, "help", false, "Show help message."); ++ } ++ ++ public void execute(String[] args) throws Exception { ++ ++ CommandLine cmd = parser.parse(options, args, true); ++ ++ if (cmd.hasOption("help")) { ++ printHelp(); ++ return; ++ } ++ ++ if (cmd.hasOption("verbose")) { ++ Logger.getLogger("org.dogtagpki").setLevel(Level.INFO); ++ 
Logger.getLogger("com.netscape").setLevel(Level.INFO); ++ Logger.getLogger("netscape").setLevel(Level.INFO); ++ ++ } else if (cmd.hasOption("debug")) { ++ Logger.getLogger("org.dogtagpki").setLevel(Level.FINE); ++ Logger.getLogger("com.netscape").setLevel(Level.FINE); ++ Logger.getLogger("netscape").setLevel(Level.FINE); ++ } ++ ++ String filename = cmd.getOptionValue("pkcs7-file"); ++ ++ if (filename == null) { ++ throw new Exception("Missing PKCS #7 file."); ++ } ++ ++ logger.info("Loading PKCS #7 data from " + filename); ++ String str = new String(Files.readAllBytes(Paths.get(filename))).trim(); ++ PKCS7 pkcs7 = new PKCS7(str); ++ ++ X509Certificate[] certs = pkcs7.getCertificates(); ++ if (certs == null || certs.length == 0) { ++ System.out.println("PKCS #7 data contains no certificates"); ++ return; ++ } ++ ++ // sort certs from root to leaf ++ certs = CryptoUtil.sortCertificateChain(certs); ++ ++ String prefix = cmd.getOptionValue("output-prefix", filename + "-"); ++ String suffix = cmd.getOptionValue("output-suffix", ""); ++ int i = 0; ++ ++ for (X509Certificate cert : certs) { ++ ++ logger.info("Exporting certificate #" + i + ": " + cert.getSubjectDN()); ++ ++ String output = prefix + i + suffix; ++ ++ try (PrintWriter out = new PrintWriter(new FileWriter(output))) { ++ out.println(Cert.HEADER); ++ out.print(Utils.base64encode(cert.getEncoded(), true)); ++ out.println(Cert.FOOTER); ++ } ++ ++ System.out.println(output + ": " + cert.getSubjectDN()); ++ ++ i++; ++ } ++ } ++} +diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java +new file mode 100644 +index 0000000..7b84393 +--- /dev/null ++++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java +@@ -0,0 +1,111 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published 
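Review bot: printHelp prints the usage as `" [OPTIONS...] [nicknames...]"`, but execute reads no positional arguments — the input comes from --pkcs7-file and outputs are named from --output-prefix/--output-suffix — so `[nicknames...]` looks copied from another CLI and should be dropped: `formatter.printHelp(getFullName() + " [OPTIONS...]", options);`. The same usage string is in PKCS7CertFindCLI's printHelp. In execute, the PEM input is decoded with the platform default charset via `new String(Files.readAllBytes(...))` and each output goes through `new FileWriter(output)`, which also uses the default charset and silently truncates any existing file at `prefix + i + suffix`; `Files.newBufferedWriter(Paths.get(output), StandardCharsets.UTF_8)` fixes the charset, and a remark in the --output-prefix help text that existing files are overwritten would set expectations.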
by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++ ++package com.netscape.cmstools.pkcs7; ++ ++import java.nio.file.Files; ++import java.nio.file.Paths; ++import java.security.cert.X509Certificate; ++import java.util.logging.Level; ++import java.util.logging.Logger; ++ ++import org.apache.commons.cli.CommandLine; ++import org.apache.commons.cli.Option; ++ ++import com.netscape.cmstools.cli.CLI; ++import com.netscape.cmsutil.crypto.CryptoUtil; ++ ++import netscape.security.pkcs.PKCS7; ++ ++public class PKCS7CertFindCLI extends CLI { ++ ++ private static Logger logger = Logger.getLogger(PKCS7CertFindCLI.class.getName()); ++ ++ public PKCS7CertFindCLI(PKCS7CertCLI certCLI) { ++ super("find", "Find certificates in PKCS #7 file", certCLI); ++ ++ createOptions(); ++ } ++ ++ public void printHelp() { ++ formatter.printHelp(getFullName() + " [OPTIONS...] 
[nicknames...]", options); ++ } ++ ++ public void createOptions() { ++ Option option = new Option(null, "pkcs7-file", true, "PKCS #7 file"); ++ option.setArgName("path"); ++ options.addOption(option); ++ ++ options.addOption("v", "verbose", false, "Run in verbose mode."); ++ options.addOption(null, "debug", false, "Run in debug mode."); ++ options.addOption(null, "help", false, "Show help message."); ++ } ++ ++ public void execute(String[] args) throws Exception { ++ ++ CommandLine cmd = parser.parse(options, args, true); ++ ++ if (cmd.hasOption("help")) { ++ printHelp(); ++ return; ++ } ++ ++ if (cmd.hasOption("verbose")) { ++ Logger.getLogger("org.dogtagpki").setLevel(Level.INFO); ++ Logger.getLogger("com.netscape").setLevel(Level.INFO); ++ Logger.getLogger("netscape").setLevel(Level.INFO); ++ ++ } else if (cmd.hasOption("debug")) { ++ Logger.getLogger("org.dogtagpki").setLevel(Level.FINE); ++ Logger.getLogger("com.netscape").setLevel(Level.FINE); ++ Logger.getLogger("netscape").setLevel(Level.FINE); ++ } ++ ++ String filename = cmd.getOptionValue("pkcs7-file"); ++ ++ if (filename == null) { ++ throw new Exception("Missing PKCS #7 file."); ++ } ++ ++ logger.info("Loading PKCS #7 data from " + filename); ++ String str = new String(Files.readAllBytes(Paths.get(filename))).trim(); ++ PKCS7 pkcs7 = new PKCS7(str); ++ ++ X509Certificate[] certs = pkcs7.getCertificates(); ++ if (certs == null || certs.length == 0) { ++ System.out.println("PKCS #7 data contains no certificates"); ++ return; ++ } ++ ++ // sort certs from root to leaf ++ certs = CryptoUtil.sortCertificateChain(certs); ++ ++ boolean first = true; ++ ++ for (X509Certificate cert : certs) { ++ ++ if (first) { ++ first = false; ++ } else { ++ System.out.println(); ++ } ++ ++ PKCS7CertCLI.printCertInfo(cert); ++ } ++ } ++} +-- +1.8.3.1 + + +From 845abb8d8bd5a7e8168576de63a9b5860d05e51e Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Tue, 9 Jan 2018 12:14:23 -0500 +Subject: [PATCH 20/30] Fix masking in the 
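Review bot: `new String(Files.readAllBytes(Paths.get(filename)))` in PKCS7CertFindCLI.execute() decodes the input with the platform default charset, so the same PKCS #7 file can parse differently depending on the locale the tool is run under. PEM is ASCII, so the decode should be pinned: `String str = new String(Files.readAllBytes(Paths.get(filename)), StandardCharsets.UTF_8).trim();` with `java.nio.charset.StandardCharsets` added to the import block; the sibling export command earlier on this page uses the same construct. What `CryptoUtil.sortCertificateChain()` does with a file whose certs do not form a single chain is not visible here, and the certs are printed in whatever order it returns without any check that they chain, so a comment on that call such as `// assumes the file holds one chain; unrelated certs are printed in unspecified order` would help the next reader.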
archived deployment.cfg + +Cherry-picked from 26bc698847b5348033ce3abb225ed24ebce4386d +Resolves rhbz#1532759 +Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4 + +(cherry picked from commit 0c9d093b790aba0d2912f7ba848e280d960c7387) +--- + .../pki/server/deployment/scriptlets/infrastructure_layout.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py +index b105378..2573e4e 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py +@@ -70,9 +70,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # parameters + sensitive_parameters = deployer.mdict['sensitive_parameters'].split() + sections = deployer.user_config.sections() ++ sections.append('DEFAULT') + for s in sections: + for k in sensitive_parameters: + deployer.user_config.set(s, k, 'XXXXXXXX') ++ ++ deployer.file.create( ++ deployer.mdict['pki_user_deployment_cfg_replica'] ++ ) ++ + with open(deployer.mdict['pki_user_deployment_cfg_replica'], 'w') as f: + deployer.user_config.write(f) + +-- +1.8.3.1 + + +From 9df879bd000951d8cc23482a78af01b9a711da5d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 15 Jan 2018 16:57:13 +0100 +Subject: [PATCH 21/30] Fixed NSSDatabase.import_pkcs7() for HSM. + +Previously NSSDatabase.import_pkcs7() was implemented using pki +client-cert-import --pkcs7 which uses JSS to import the certificate +chain from a PKCS #7 file. Apparently, when it is used with HSM +outside of PKI server JSS imports the certificates incorrectly. + +The method has been changed to use pki pkcs7-cert-export to sort +and split the certificate chain into separate files. 
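Review bot: The masking in infrastructure_layout.py is a key-name substitution only: `deployer.user_config.set(s, k, 'XXXXXXXX')` rewrites the keys listed in `sensitive_parameters`, so a secret placed under any other key of the user file is archived verbatim. Appending `DEFAULT` closes the gap the commit targets, but `set()` also inserts an `XXXXXXXX` entry for every listed key in every section, including sections that never contained it; guarding with `if deployer.user_config.has_option(s, k):` would keep the replica a faithful copy. The mode that `deployer.file.create()` applies to the replica is not visible here; since the file remains a full copy of the deployment config apart from the listed keys, a comment above the write such as `# Masked copy: only keys in sensitive_parameters are redacted; keep the file owner-only` makes both assumptions explicit.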
The CA certs +will be imported with pki client-cert-import --ca-cert (such that +the nickname will be consistently generated by JSS), and the user +certificate will be imported using certutil with the nickname +provided by the caller. This method seems to be working fine with +HSM. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: If04963eb6ad86737593df7d64eef8b17f7bde75f +(cherry picked from commit 3d231ae0d6bd2a2627fc223aa86cd8e7f84872f5) +(cherry picked from commit a032321c8324b4fcd1135bb1c623615fbd0c4fdf) +--- + base/common/python/pki/nssdb.py | 46 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 37 insertions(+), 9 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index 97746c9..b2339aa 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -800,15 +800,43 @@ class NSSDatabase(object): + def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, + output_format='pem'): + +- subprocess.check_call([ +- 'pki', +- '-d', self.directory, +- '-C', self.password_file, +- 'client-cert-import', +- '--pkcs7', pkcs7_file, +- '--trust', trust_attributes, +- nickname +- ]) ++ tmpdir = tempfile.mkdtemp() ++ ++ try: ++ # Sort and split the certs from root to leaf. ++ prefix = os.path.join(tmpdir, 'cert') ++ suffix = '.crt' ++ ++ cmd = [ ++ 'pki', ++ '-d', self.directory, ++ 'pkcs7-cert-export', ++ '--pkcs7-file', pkcs7_file, ++ '--output-prefix', prefix, ++ '--output-suffix', suffix ++ ] ++ ++ subprocess.check_call(cmd) ++ ++ # Count the number of certs in the chain. ++ n = 0 ++ while True: ++ cert_file = prefix + str(n) + suffix ++ if not os.path.exists(cert_file): ++ break ++ n = n + 1 ++ ++ # Import CA certs with default nicknames and trust attributes. ++ for i in range(0, n - 1): ++ cert_file = prefix + str(i) + suffix ++ self.add_ca_cert(cert_file) ++ ++ # Import user cert with specified nickname and trust attributes. 
++ cert_file = prefix + str(n - 1) + suffix ++ self.add_cert(nickname, cert_file, trust_attributes) ++ ++ finally: ++ shutil.rmtree(tmpdir) + + # convert PKCS #7 data to the requested format + with open(pkcs7_file, 'r') as f: +-- +1.8.3.1 + + +From d989c7c3576b4ad737128a1714bfc0030087646c Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 18 Jan 2018 15:53:27 -0700 +Subject: [PATCH 22/30] Fixed setup of ECC CA + +Restored ECC functionality that was lost during +'Refactoring SSL server cert creation' +(https://pagure.io/dogtagpki/issue/2786). + +Additionally, to avoid confusion, deprecated +'pki_admin_keysize' and use 'pki_admin_key_size' +to make parameters consistent across different +certificate key types. + +Fixes: https://pagure.io/dogtagpki/issue/2887 +Change-Id: I1206b37a00b7da5e30fef5b2d12fb266e2779cfb +(cherry picked from commit 5d83be16f89bcd010c9deb25ead6028e8c619574) +--- + base/server/etc/default.cfg | 1 + + base/server/man/man5/pki_default.cfg.5 | 10 +++--- + base/server/man/man8/pkispawn.8 | 37 +++++++++++----------- + .../python/pki/server/deployment/pkihelper.py | 35 ++++++++++++++++++-- + .../python/pki/server/deployment/pkimessages.py | 4 +++ + .../python/pki/server/deployment/pkiparser.py | 2 ++ + .../server/deployment/scriptlets/configuration.py | 2 ++ + 7 files changed, 65 insertions(+), 26 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 73f884f..9d326e2 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -72,6 +72,7 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert + pki_admin_cert_request_type=pkcs10 + pki_admin_dualkey=False + pki_admin_key_algorithm=SHA256withRSA ++# DEPRECATED: Use 'pki_admin_key_size' instead. 
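Review bot: import_pkcs7() in nssdb.py has no guard for an empty export: when `pkcs7-cert-export` finds no certificates it appears to print a message and return normally (see the export command earlier on this page), so `n` stays 0, the CA loop is skipped, and the code goes on to import `prefix + '-1' + suffix`, failing with a misleading error about a missing file. Add `if n == 0: raise Exception('No certificates found in %s' % pkcs7_file)` right after the counting loop. It is also worth a comment that every non-leaf cert in the file is imported through `add_ca_cert()` with whatever trust that helper assigns, so the PKCS #7 input must come from a trusted source; the helper's trust flags are not visible in this hunk.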
+ pki_admin_keysize=2048 + pki_admin_key_size=%(pki_admin_keysize)s + pki_admin_key_type=rsa +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index a505c4b..fe3cdc7 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -123,10 +123,10 @@ If an optional hardware security module (HSM) is being utilized (rather than the + .PP + Each system certificate can be customized using the parameters below: + .TP +-.B pki__key_type, pki__keysize, pki__key_algorithm ++.B pki__key_type, pki__key_size, pki__key_algorithm + .IP + Characteristics of the private key. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for possible options. The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm. +-.TP ++.TP + .B pki__signing_algorithm + .IP + For signing certificates, the algorithm used for signing. Defaults to SHA256withRSA. +@@ -157,7 +157,7 @@ Password for the admin user. This password is used to log into the pki-console + .IP + Email address for the admin user. + .TP +-.B pki_admin_dualkey, pki_admin_keysize, pki_admin_key_type ++.B pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type, pki_admin_key_algorithm + .IP + Settings for the administrator certificate and keys. + .TP +@@ -211,7 +211,7 @@ Hostname and ports for the internal database. Defaults to localhost, 389, and 6 + .PP + .B pki_ds_bind_dn, pki_ds_password + .IP +-Credentials to connect to the database during installation. Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details. 
++Credentials to connect to the database during installation. Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details. + .PP + .B pki_ds_secure_connection + .IP +@@ -315,7 +315,7 @@ If you would like the Dogtag installer to add the indexes and reindex the data i + .TP + .B pki_clone_replication_master_port, pki_clone_replication_clone_port + .IP +-Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. ++Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. + .TP + .B pki_clone_replicate_schema + .IP +diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 +index c1feac3..1411592 100644 +--- a/base/server/man/man8/pkispawn.8 ++++ b/base/server/man/man8/pkispawn.8 +@@ -24,14 +24,14 @@ pkispawn \-s \-f [\-h] [\-v] [\-p ] + Sets up a Certificate Server subsystem (CA, KRA, OCSP, TKS, or TPS) in a + Tomcat instance. + .TP +-\fBNote:\fP ++\fBNote:\fP + A 389 Directory Server instance must be configured and running before this script can be run. Certificate Server requires an internal directory database. The default configuration assumes a Directory Server instance running on the same machine on port 389. For more information on creating a Directory Server instance, see + .B setup-ds.pl(8). + .PP +-An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. 
To create an instance with a CA and a KRA, simply run pkispawn twice, with values +-.I -s CA +-and +-.I -s KRA ++An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. To create an instance with a CA and a KRA, simply run pkispawn twice, with values ++.I -s CA ++and ++.I -s KRA + respectively. + .PP + The instances are created based on values for configuration parameters in the default configuration (/etc/pki/default.cfg) and the user-provided configuration file. The user-provided configuration file is read after the default configuration file, so any parameters defined in that file will override parameters in the default configuration file. In general, most users will store only those parameters which are different from the default configuration in their user-provided configuration file. +@@ -48,22 +48,22 @@ customization. + \fBNote:\fP + Any non-password related parameter values in the configuration file that needs to contain a \fB%\fP character must be properly escaped. For example, a value of \fBfoo%bar\fP would be specified as \fBfoo%%bar\fP in the configuration file. + .PP +-At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the ++At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the + .B EXAMPLES + section below. For more information on the default configuration file and the parameters it contains (and can be customized), see + .B pki_default.cfg(5). 
+ .PP + The \fBpkispawn\fP run creates several different installation files that can be referenced later, if need be: + .IP +-* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file. ++* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file. + .IP +-* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki--spawn..log\fP. ++* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki--spawn..log\fP. + .IP +-* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir. ++* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir. + .PP +-When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser. ++When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser. + .PP +-The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See ++The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See + \fBpki(1)\fP. For more extensive documentation on how to use Certificate Server features, see the Red Hat Certificate System Documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/. + .PP + Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. See +@@ -71,7 +71,7 @@ Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. 
S + .PP + \fBpkispawn\fP supersedes and combines the functionality of \fBpkicreate\fP and \fBpkisilent\fP, which were available in earlier releases of Certificate Server. It is now possible to completely create and configure the Certificate Server subsystem in a single step using \fBpkispawn\fP. + .TP +-\fBNote:\fP ++\fBNote:\fP + Previously, as an alternative to using \fBpkisilent\fP to perform a non-interactive batch configuration, a PKI instance could be interactively configured by a GUI-based configuration wizard via a Firefox browser. GUI-based configuration of a PKI instance is unavailable in this version of the product. + .SH OPTIONS + .TP +@@ -89,7 +89,7 @@ Prints additional help information. + .TP + .B -v + Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See +-.B pkispawn -h ++.B pkispawn -h + for details. + + .SH SEPARATE VERSUS SHARED INSTANCES +@@ -165,7 +165,7 @@ the AJP port of the Tomcat instance. The default value is 8009. + \fIManagement port:\fP + the management port of the Tomcat instance. The default value is 8005. + .TP +-\fBNote:\fP When deploying a new subsystem into an existing instance, pkispawn will attempt to read the ports from \fBdeployment.cfg\fP files stored for previously installed subsystems for this instance. If successful, the installer will not prompt for these ports. ++\fBNote:\fP When deploying a new subsystem into an existing instance, pkispawn will attempt to read the ports from \fBdeployment.cfg\fP files stored for previously installed subsystems for this instance. If successful, the installer will not prompt for these ports. 
+ .PP + \fBAdministrative User Parameters\fP + .TP +@@ -274,7 +274,7 @@ its default configuration: + * Installed on the local machine + + .IP +-* Listening on port 389 ++* Listening on port 389 + + .IP + * The user is cn=Directory Manager, with the password specified in pki_ds_password +@@ -315,7 +315,8 @@ where \fImyconfig.txt\fP contains the following text: + .nf + [DEFAULT] + pki_admin_password=\fISecret123\fP +-pki_admin_keysize=nistp256 ++pki_admin_key_algorithm=SHA256withEC ++pki_admin_key_size=nistp256 + pki_admin_key_type=ecc + pki_client_pkcs12_password=\fISecret123\fP + pki_ds_password=\fISecret123\fP +@@ -698,7 +699,7 @@ The subsystem section is [KRA], [OCSP], [TKS], or [TPS]. + This example assumes that the specified CA hosts the security + domain. The CA must be running and accessible. + +-.PP ++.PP + A new administrator certificate is generated for the new + subsystem and stored in a PKCS #12 file + in \fI$HOME/.dogtag/\fP. +@@ -942,7 +943,7 @@ To install a CA clone execute the following command: + .IP + \x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR + +-.PP ++.PP + where \fImyconfig.txt\fP contains the following text: + + .IP +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 96ae092..a5edaa4 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -2414,8 +2414,8 @@ class Certutil: + + def generate_self_signed_certificate(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, +- token, nickname, +- subject, serial_number, ++ token, nickname, subject, ++ key_type, key_size, serial_number, + validity_period, issuer_name, + trustargs, noise_file, + password_file=None, +@@ -2455,6 +2455,35 @@ class Certutil: + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + extra=config.PKI_INDENTATION_LEVEL_2) + raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT) ++ # Specify the key type ++ if 
key_type: ++ if key_type == "ecc": ++ command.extend(["-k", "ec"]) ++ # Specify the curve name ++ if key_size: ++ command.extend(["-q", key_size]) ++ else: ++ config.pki_log.error( ++ log.PKIHELPER_CERTUTIL_MISSING_CURVE_NAME, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ raise Exception( ++ log.PKIHELPER_CERTUTIL_MISSING_CURVE_NAME) ++ else: ++ command.extend(["-k", key_type]) ++ # Specify the key size ++ if key_size: ++ command.extend(["-g", key_size]) ++ else: ++ config.pki_log.error( ++ log.PKIHELPER_CERTUTIL_MISSING_KEY_SIZE, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ raise Exception( ++ log.PKIHELPER_CERTUTIL_MISSING_KEY_SIZE) ++ else: ++ config.pki_log.error( ++ log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ raise Exception(log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE) + # Specify the serial number + if serial_number is not None: + command.extend(["-m", str(serial_number)]) +@@ -4415,7 +4444,7 @@ class ConfigClient: + self.deployer.certutil.generate_certificate_request( + self.mdict['pki_admin_subject_dn'], + self.mdict['pki_admin_key_type'], +- self.mdict['pki_admin_keysize'], ++ self.mdict['pki_admin_key_size'], + self.mdict['pki_client_password_conf'], + noise_file, + output_file, +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index 7f2d749..7bb79ca 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -179,6 +179,10 @@ PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = \ + "certutil: Missing '-c issuer-name' option!" + PKIHELPER_CERTUTIL_MISSING_KEY_TYPE = \ + "certutil: Missing '-k key-type-or-id' option (must be 'ecc' or 'rsa')!" ++PKIHELPER_CERTUTIL_MISSING_KEY_SIZE = \ ++ "certutil: Missing '-g keysize' option!" ++PKIHELPER_CERTUTIL_MISSING_CURVE_NAME = \ ++ "certutil: Missing '-q curve-name' option!" 
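Review bot: The new key-type branch in generate_self_signed_certificate() validates `ecc` but passes any other value straight to certutil: `else: command.extend(["-k", key_type])` accepts arbitrary strings even though PKIHELPER_CERTUTIL_MISSING_KEY_TYPE says the value must be 'ecc' or 'rsa'. Make the accepted set explicit with `elif key_type == "rsa":` / `command.extend(["-k", "rsa"])` and let unknown values fall through to the existing error branch (list `dsa` explicitly if it is meant to stay supported). Neither path bounds `key_size`: a curve name or bit length is forwarded as-is, so a lower-bound check (for example refusing RSA below 2048) would stop a misconfigured `pki_sslserver_key_size` from producing a weak self-signed SSL server key. The rest of the method lies outside the hunk.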
+ PKIHELPER_CERTUTIL_MISSING_NICKNAME = \ + "certutil: Missing '-n nickname' option!" + PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = \ +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 18cf19d..b91c674 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -65,6 +65,8 @@ class PKIConfigParser: + # The 'new_param' is the new param name. + + DEPRECATED_DEFAULT_PARAMS = [ ++ (None, 'pki_admin_keysize', ++ None, 'pki_admin_key_size'), + (None, 'pki_external_ca_cert_path', + None, 'pki_ca_signing_cert_path'), + (None, 'pki_external_ca_cert_chain_path', +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 8f7460c..c59e679 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -866,6 +866,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_self_signed_token'], + deployer.mdict['pki_self_signed_nickname'], + deployer.mdict['pki_self_signed_subject'], ++ deployer.mdict['pki_sslserver_key_type'], ++ deployer.mdict['pki_sslserver_key_size'], + deployer.mdict['pki_self_signed_serial_number'], + deployer.mdict['pki_self_signed_validity_period'], + deployer.mdict['pki_self_signed_issuer_name'], +-- +1.8.3.1 + + +From e7b2dae4cf003e35b463b39a641e6235f5658be9 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 16 Jan 2018 18:15:21 -0800 +Subject: [PATCH 23/30] Ticket #2675 additional fix to allow requests without + POP + +This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2675 +Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b +(cherry picked from commit c52c51c6516cd39caec52441d0756b1756050ae3) +(cherry picked from commit bb10545e728f0ff86ea4b3899d2de42b2398acfa) +--- + base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 9051baf..7c57064 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -1052,7 +1052,10 @@ public abstract class EnrollProfile extends BasicProfile + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); + if (id_cmc_revokeRequest) + continue; ++ ++ CertReqMsg crm = msgs[i].getCrm(); + if (popLinkWitnessRequired && ++ crm.hasPop() && // popLinkWitness needs POP + !context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { + CMS.debug(method + "popLinkWitness(V2) required"); +-- +1.8.3.1 + + +From 39deb83ed9fc573165c0e806eccd8152d696e935 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 19 Jan 2018 14:45:17 -0800 +Subject: [PATCH 24/30] Ticket #2675 take care of PKCS#10 for + cmc.popLinkWitnessRequired + +This patch adds support to handle PKCS#10 which was neglected in previous +"additional" fix. 
+ +Fixes: https://pagure.io/dogtagpki/issue/2675 +Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055 +(cherry picked from commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf) +(cherry picked from commit d69c11d56d0e1f4368ab21715c2c5496fb08f969) +--- + .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 7c57064..caa466c 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -1053,9 +1053,14 @@ public abstract class EnrollProfile extends BasicProfile + if (id_cmc_revokeRequest) + continue; + +- CertReqMsg crm = msgs[i].getCrm(); ++ boolean hasPop = true; ++ if (msgs[i].getType().equals(TaggedRequest.CRMF)) { ++ CertReqMsg crm = msgs[i].getCrm(); ++ if (!crm.hasPop()) ++ hasPop = false; ++ } + if (popLinkWitnessRequired && +- crm.hasPop() && // popLinkWitness needs POP ++ hasPop && // popLinkWitness needs POP + !context.containsKey("POPLinkWitnessV2") && + !context.containsKey("POPLinkWitness")) { + CMS.debug(method + "popLinkWitness(V2) required"); +-- +1.8.3.1 + + +From 3ee72c5c688af6f4434fdac3c082d00619a49535 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 18 Jan 2018 05:00:28 +0100 +Subject: [PATCH 25/30] Fixed cert chain importation. + +For KRA/OCSP installation with external certs, the installer has +been modified to always import the cert chain into the internal +token regardless if HSM is used. 
+ +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: Ifedb54e88ea6c8fc2ef3b562e15fb4077ec5179a +(cherry picked from commit 2ffa44852bf5286529877203f60f1084e740f7df) +(cherry picked from commit a338f3fab9b4a9986657a7517dc6c1e3bacaad0b) +--- + .../pki/server/deployment/scriptlets/configuration.py | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index c59e679..5aad372 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -593,13 +593,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.import_ca_ocsp_signing_cert(deployer, nssdb) + + if subsystem.name == 'kra': +- self.import_ca_signing_cert(deployer, nssdb) ++ # Always import cert chain into internal token. ++ internal_nssdb = subsystem.instance.open_nssdb() ++ try: ++ self.import_ca_signing_cert(deployer, internal_nssdb) ++ finally: ++ internal_nssdb.close() ++ + self.import_kra_storage_cert(deployer, nssdb) + self.import_kra_transport_cert(deployer, nssdb) + self.import_admin_cert(deployer) + + if subsystem.name == 'ocsp': +- self.import_ca_signing_cert(deployer, nssdb) ++ # Always import cert chain into internal token. ++ internal_nssdb = subsystem.instance.open_nssdb() ++ try: ++ self.import_ca_signing_cert(deployer, internal_nssdb) ++ finally: ++ internal_nssdb.close() ++ + self.import_ocsp_signing_cert(deployer, nssdb) + self.import_admin_cert(deployer) + +-- +1.8.3.1 + + +From 705354698c8967c7a97238721a20e33c302bbfd5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 Jan 2018 03:37:28 +0100 +Subject: [PATCH 26/30] Refactored replace_sslserver_cert() in + configuration.py. 
+ +The replace_sslserver_cert() in configuration.py has been split into +separate methods for removing the temp SSL server cert and importing +the permanent SSL server cert. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: I35cb95e61959ff99c235f116304c7272a39694e5 +(cherry picked from commit c86eb1bc43529b24fc49444eeff8cb4e44204fef) +(cherry picked from commit 5ad7efb44f434f8695c404ba40b4baea27d6bfec) +--- + .../pki/server/deployment/scriptlets/configuration.py | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 5aad372..ef40963 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -899,7 +899,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + finally: + nssdb.close() + +- def replace_sslserver_cert(self, deployer, instance, sslserver): ++ def remove_temp_sslserver_cert(self, deployer, instance, sslserver): + + if len(deployer.instance.tomcat_instance_subsystems()) == 1: + # Modify contents of 'serverCertNick.conf' (if necessary) +@@ -922,6 +922,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + finally: + nssdb.close() + ++ def import_perm_sslserver_cert(self, deployer, instance, sslserver): ++ ++ nickname = sslserver['nickname'] + token = deployer.mdict['pki_token_name'] + + config.pki_log.info( +@@ -1225,7 +1228,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # replace it with the perm cert. + if create_temp_sslserver_cert and sslserver and sslserver['cert']: + deployer.systemd.stop() +- self.replace_sslserver_cert(deployer, instance, sslserver) ++ ++ # Remove temp SSL server cert. ++ self.remove_temp_sslserver_cert(deployer, instance, sslserver) ++ ++ # Import perm SSL server cert. 
++ self.import_perm_sslserver_cert(deployer, instance, sslserver) ++ + deployer.systemd.start() + + elif config.str2bool(deployer.mdict['pki_restart_configured_instance']): +-- +1.8.3.1 + + +From 88e67a6db3dc4f942c662b7a4ba02178cf887b3b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 20 Jan 2018 03:37:28 +0100 +Subject: [PATCH 27/30] Fixed SSL server cert creation and replacement. + +The configuration.py has been modified to generate the temp SSL certificates +(and remove it later) in internal token regardless of HSM. It also has been +modified to import the perm cert if it has not been imported already. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: If473e2b314727399854638a94c6ec5a148fc52fb +(cherry picked from commit 249c323d23f38a6f778a46054360e705040bdda1) +(cherry picked from commit 30b499d21d731a1c3903bbfe7b23111963971038) +--- + .../server/deployment/scriptlets/configuration.py | 23 +++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index ef40963..43e9d83 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -809,12 +809,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.validate_system_cert(deployer, nssdb, subsystem, 'subsystem') + self.validate_system_cert(deployer, nssdb, subsystem, 'audit_signing') + +- def create_temp_sslserver_cert(self, deployer, instance, token): ++ def create_temp_sslserver_cert(self, deployer, instance): + + if len(deployer.instance.tomcat_instance_subsystems()) > 1: + return False + +- nssdb = instance.open_nssdb(token) ++ nssdb = instance.open_nssdb() + + try: + nickname = deployer.mdict['pki_self_signed_nickname'] +@@ -908,6 +908,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # TODO: 
replace with pki-server cert-import sslserver + + nickname = sslserver['nickname'] ++ token = deployer.mdict['pki_token_name'] + + config.pki_log.info( + "removing temp SSL server cert from internal token: %s" % nickname, +@@ -916,8 +917,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nssdb = instance.open_nssdb() + + try: +- # remove temp SSL server cert but keep the key +- nssdb.remove_cert(nickname) ++ # Remove temp SSL server cert from internal token. ++ # Remove temp key too if the perm cert uses HSM. ++ if not token or token == 'internal': ++ remove_key = False ++ else: ++ remove_key = True ++ nssdb.remove_cert(nickname, remove_key=remove_key) + + finally: + nssdb.close() +@@ -1066,7 +1072,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + finally: + nssdb.close() + +- create_temp_sslserver_cert = self.create_temp_sslserver_cert(deployer, instance, token) ++ create_temp_sslserver_cert = self.create_temp_sslserver_cert(deployer, instance) + + # Start/Restart this Tomcat PKI Process + # Optionally prepare to enable a java debugger +@@ -1232,8 +1238,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Remove temp SSL server cert. + self.remove_temp_sslserver_cert(deployer, instance, sslserver) + +- # Import perm SSL server cert. +- self.import_perm_sslserver_cert(deployer, instance, sslserver) ++ # Import perm SSL server cert unless it's already imported ++ # earlier in external/standalone installation. ++ ++ if not (standalone or external and subsystem.name in ['kra', 'ocsp']): ++ self.import_perm_sslserver_cert(deployer, instance, sslserver) + + deployer.systemd.start() + +-- +1.8.3.1 + + +From f69f1bfa7929203e677077aa65eedaf9252a786d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 19 Jan 2018 23:26:37 +0100 +Subject: [PATCH 28/30] Fixed admin cert processing. 
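Review bot: The internal-token test in remove_temp_sslserver_cert, `if not token or token == 'internal':`, recognises only the short name, so if pki_token_name can carry the NSS full name `Internal Key Storage Token` the HSM branch is taken and the temp key that the permanent cert in the internal token still needs is deleted. The Java side of this series makes the same decision through `CryptoUtil.isInternalToken(tokenName)` (SystemConfigService hunk @@ -401); the Python side should normalise the name rather than compare a literal, e.g. `remove_key = bool(token) and token.lower() not in ('internal', 'internal key storage token')`. Whether pkispawn already rejects the full name is decided outside this hunk.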
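Review bot: The new condition `if not (standalone or external and subsystem.name in ['kra', 'ocsp']):` mixes `or` and `and` without grouping; it parses as intended because `and` binds tighter, but it reads as though `(standalone or external)` were the subject. Writing it as `if not (standalone or (external and subsystem.name in ['kra', 'ocsp'])):` makes the intent explicit. The same shape recurs in the pkihelper.py hunks @@ -4369 and @@ -4395 (`self.standalone or self.external and self.subsystem in ['KRA', 'OCSP']`) and in the Java condition of SystemConfigService hunk @@ -414, where `&&` chains are joined by `||` without parentheses. `standalone` and `external` are bound outside this hunk.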
+ +For KRA/OCSP installation with external certs, the installation +tool has been modified to import the externaly-generated admin +cert and also copy it to a location normally expected by admin. + +https://pagure.io/dogtagpki/issue/2901 + +Change-Id: Id18ec2b6b8b1c3f307af11e2acba7866b2b5ee75 +(cherry picked from commit 1127a63cb473b471982c273dbbaa270f19f5d90d) +(cherry picked from commit b3664cd26b90d804e311f56cf16e4e31223d5960) +--- + base/server/python/pki/server/deployment/pkihelper.py | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index a5edaa4..7f88873 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -4369,7 +4369,7 @@ class ConfigClient: + data.adminUID = self.mdict['pki_admin_uid'] + data.adminSubjectDN = self.mdict['pki_admin_subject_dn'] + +- if self.standalone: ++ if self.standalone or self.external and self.subsystem in ['KRA', 'OCSP']: + if not self.external_step_two: + # IMPORTANT: ALWAYS set 'pki_import_admin_cert' FALSE for + # Stand-alone PKI (Step 1) +@@ -4395,11 +4395,10 @@ class ConfigClient: + finally: + client_nssdb.close() + +- if self.standalone: +- # Stand-alone PKI (Step 2) ++ if self.standalone or self.external and self.subsystem in ['KRA', 'OCSP']: ++ # Stand-alone/External PKI (Step 2) + # +- # Copy the Stand-alone PKI 'Admin Certificate' +- # (that was previously generated via an external CA) into ++ # Copy the externally-issued admin certificate into + # 'ca_admin.cert' under the specified 'pki_client_dir' + # stripping the certificate HEADER/FOOTER prior to saving it. 
+ imported_admin_cert = ""
+--
+1.8.3.1
+
+
+From 73dee32e2636e33f8c6af43b27dc6a3f65d2b7a5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Tue, 16 Jan 2018 14:53:51 +1100
+Subject: [PATCH 29/30] Set nextUpdate in OCSP responses
+
+Some OCSP clients adhere to the Lightweight OCSP Profile (RFC 5019)
+which requires that the OCSP response include the nextUpdate field.
+
+Update the CA subsystem's OCSP responder to include the nextUpdate
+field when it is configured to use the CRL cache. The nextUpdate
+field in the OCSP response is set to the nextUpdate time of the
+"master" CRL issuing point.
+
+If the OCSP responder is not configured to use the CRL cache, there
+is no reasonable value for nextUpdate. In this case, we continue to
+omit it.
+
+Fixes: https://pagure.io/dogtagpki/issue/2661
+Change-Id: Idbf7354b0ecc45c0498c4b7c05458f726f40336f
+(cherry picked from commit fc3067f2e955e18405f735269bfe5fe135382d21)
+(cherry picked from commit eb14d5bc86fa1c68282f84246cbaf33c9f55399b)
+---
+ base/ca/src/com/netscape/ca/CertificateAuthority.java | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index 6309c1b..e5d21eb 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -2571,7 +2571,6 @@ public class CertificateAuthority
+
+ CertStatus certStatus = null;
+ GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
+- GeneralizedTime nextUpdate = null;
+
+ byte[] nameHash = null;
+ String digestName = cid.getDigestName();
+@@ -2609,6 +2608,12 @@ public class CertificateAuthority
+ CRLIssuingPoint point = (CRLIssuingPoint)
+ getCRLIssuingPoint(issuingPointId);
+
++ /* set nextUpdate to the nextUpdate time of the CRL */
++ GeneralizedTime nextUpdate = null;
++ Date crlNextUpdate = point.getNextUpdate();
++ if (crlNextUpdate != null)
++ nextUpdate = new GeneralizedTime(crlNextUpdate);
++
+ if (point.isCRLCacheEnabled()) {
+ // only do this if cache is enabled
+ BigInteger sno = new BigInteger(serialNo.toString());
+@@ -2660,7 +2665,12 @@ public class CertificateAuthority
+ certStatus = new UnknownInfo(); // not issued not all
+ }
+
+- return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate);
++ return new SingleResponse(
++ cid, certStatus, thisUpdate,
++ /* We are not using a CRL cache for generating OCSP
++ * responses, so there is no reasonable value for
++ * nextUpdate. */
++ null /* nextUpdate */);
+ }
+
+ /**
+--
+1.8.3.1
+
+
+From 138ae505719adb0a0e43114d6acaa8ef8cc0fcec Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 22 Jan 2018 06:37:26 +0100
+Subject: [PATCH 30/30] Fixed cert import for exiting certs case.
+
+The configuration servlet has been fixed to properly import the
+externally-signed certs in existing CA and external KRA/OCSP cases.
+
+https://pagure.io/dogtagpki/issue/2901
+
+Change-Id: Ida7bd7758670c72063765462b7d735f69a465804
+(cherry picked from commit 441b832fb2172680ba3c83c3048a97c38c0c1ec0)
+(cherry picked from commit 4196d2ab35c4b683228e3ff03cda98c120726702)
+---
+ .../org/dogtagpki/server/rest/SystemConfigService.java | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+index 97508b7..575f97c 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+@@ -401,12 +401,19 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+ cert.setSubsystem(subsystem);
+ cert.setType(cs.getString("preop.cert." 
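Review bot: The new nextUpdate is copied from `point.getNextUpdate()` without checking that it still lies in the future, so once a CRL issuing point is overdue the OCSP response advertises a nextUpdate earlier than thisUpdate; RFC 6960 §4.2.2.1 tells relying parties to treat such a response as unreliable, and the RFC 5019 clients this commit targets may reject it. A guard such as `if (crlNextUpdate != null && crlNextUpdate.after(CMS.getCurrentDate()))` keeps nextUpdate omitted in that case, which matches the commit's own choice for the no-cache path. `Date` must already be imported in CertificateAuthority.java for the new local to compile; the import block is outside the hunk, as is the SingleResponse in the cache-enabled branch that consumes `nextUpdate`.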
+ tag + ".type"));
++ String fullName;
++ if (!CryptoUtil.isInternalToken(tokenName)) {
++ fullName = tokenName + ":" + nickname;
++ } else {
++ fullName = nickname;
++ }
++
+ CMS.debug("SystemConfigService: checking " + tag + " cert in NSS database");
+
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate x509Cert;
+ try {
+- x509Cert = cm.findCertByNickname(nickname);
++ x509Cert = cm.findCertByNickname(fullName);
+ } catch (ObjectNotFoundException e) {
+ x509Cert = null;
+ }
+@@ -414,11 +421,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+ // For external/existing CA case, some/all system certs may be provided.
+ // The SSL server cert will always be generated for the current host.
+
+- // For standalone KRA/OCSP case, all system certs will be provided.
++ // For external/standalone KRA/OCSP case, all system certs will be provided.
+ // No system certs will be generated including the SSL server cert.
+
+- if (request.isExternal() && !tag.equals("sslserver") && x509Cert != null
+- || request.getStandAlone()) {
++ if (request.isExternal() && "ca".equals(subsystem) && !tag.equals("sslserver") && x509Cert != null
++ || request.getStandAlone()
++ || request.isExternal() && ("kra".equals(subsystem) || "ocsp".equals(subsystem))) {
+
+ CMS.debug("SystemConfigService: loading existing " + tag + " cert");
+ byte[] bytes = x509Cert.getEncoded();
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.5.1-snapshot-2.patch b/SOURCES/pki-core-10.5.1-snapshot-2.patch
new file mode 100644
index 0000000..6b2aecb
--- /dev/null
+++ b/SOURCES/pki-core-10.5.1-snapshot-2.patch
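Review bot: `x509Cert != null` guards only the external-CA arm of the new condition; the `request.getStandAlone()` arm and the new external KRA/OCSP arm reach `x509Cert.getEncoded()` even when `cm.findCertByNickname(fullName)` in the earlier hunk threw ObjectNotFoundException and x509Cert was set to null, so a provided cert that is missing from the NSS database surfaces as a NullPointerException instead of a message naming the cert. Adding `if (x509Cert == null) { throw new PKIException("Missing " + tag + " certificate: " + fullName); }` as the first statement of the branch (with whichever exception type this method already throws, and assuming `fullName` from hunk @@ -401 is the same method's local) gives the installer a diagnosable failure. The standalone arm had the same gap before this change; the commit extends it to the external KRA/OCSP case. The remainder of the branch lies outside the hunk.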
@@ -0,0 +1,2392 @@
+From 085966b0eddd9786003e4dc3074314ad0626c203 Mon Sep 17 00:00:00 2001
+From: Jack Magne
+Date: Tue, 23 Jan 2018 18:31:53 -0800
+Subject: [PATCH 01/18] Fix Bug 1501436 - TPS CS.cfg should be reflected with
+ the changes after an in-place upgrade.
+
+This upgrade script will add the needed config params to an existing CS.cfg for TPS.
+
+The params consist of the params required for the token profile : externalRegISEtoken.
+
+The code also grabs the unsecure phone home url out of the instances's server.xml.
+This way the new profile is configured exactly like what happens when doing a pkispawn.
+The correct nonsecure url will be in place.
+
+Added some review changes. Also we modified the python properties file class to be able to
+handle a property value that happens to contain the delimeter "=". Ex name=cn=people.
+
+Added directory server/upgrade/10.5.1 so rhel can use it when performing this upgrade.
+
+Change-Id: I2478013b396082ffdc3d99ed86a821ec86ac4c5d
+(cherry picked from commit 2d1390f5d2f0ca653d03f936c601cd4cb7a488fd)
+(cherry picked from commit bf199fa8b2215d68765117b79626a72374d71981)
+---
+ base/common/python/pki/__init__.py | 9 +-
+ base/server/upgrade/10.5.1/.gitignore | 4 +
+ .../10.5.5/01-AddTPSExternalRegISEtokenParams | 383 +++++++++++++++++++++
+ 3 files changed, 391 insertions(+), 5 deletions(-)
+ create mode 100644 base/server/upgrade/10.5.1/.gitignore
+ create mode 100755 base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams
+
+diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
+index 1a6f5c2..dbe5629 100644
+--- a/base/common/python/pki/__init__.py
++++ b/base/common/python/pki/__init__.py
+@@ -485,14 +485,13 @@ class PropertyFile(object):
+ for i, line in enumerate(self.lines):
+
+ # parse
+- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
++ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
+ line)
+
+ if not match:
+ continue
+
+ key = match.group(1)
+-
+ if key.lower() == name.lower():
+ return i
+
+@@ -511,7 +510,7 @@ class PropertyFile(object):
+ for line in self.lines:
+
+ # parse
+- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
++ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
+ line)
+
+ if not match:
+@@ -540,7 +539,7 @@ class PropertyFile(object):
+ for i, line in enumerate(self.lines):
+
+ # parse
+- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
++ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
+ line)
+
+ if not match:
+@@ -569,7 +568,7 @@ class PropertyFile(object):
+ for i, line in enumerate(self.lines):
+
+ # parse
+- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
++ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
+ line)
+
+ if not match:
+diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/server/upgrade/10.5.1/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams
+new file mode 100755
+index 0000000..85429cc
+--- /dev/null
++++ b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams
+@@ -0,0 +1,383 @@
++#!/usr/bin/python
++# Authors:
++# Jack Magne based on work
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful',
++
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
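Review bot: Replacing `(\S*)` with `([^%s]*)` is a regression for entries written with whitespace before the delimiter: the class is greedy and also matches spaces, so for `name = value` group(1) is `'name '`, and the comparison `if key.lower() == name.lower():` just below no longer matches `name`, whereas the old `\S*` stopped at the space. A non-greedy class, `r'^\s*([^%s]*?)\s*%s\s*(.*)\s*$'`, or `key = match.group(1).strip()` restores the previous behaviour while still allowing `=` inside the value. Independently, `self.delimiter` is substituted into a character class and into the pattern unescaped; `re.escape(self.delimiter)` is the safe form should the delimiter ever be anything but `=`. The same regex change appears in hunks @@ -511, @@ -540 and @@ -569, whose uses of group(1) fall outside the visible lines.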
See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not', write to the Free Software Foundation', Inc.', ++# 51 Franklin Street', Fifth Floor', Boston', MA 02110-1301 USA. ++# ++# Copyright (C) 2017 Red Hat', Inc. ++# All rights reserved. ++ ++from __future__ import absolute_import ++import os.path ++from lxml import etree ++import socket ++ ++import pki ++from pki.server.upgrade import PKIServerUpgradeScriptlet ++ ++proplist = [ ++ ('op.format.externalRegISEtoken.auth.enable', 'true'), ++ ('op.format.externalRegISEtoken.auth.id', 'ldap1'), ++ ('op.format.externalRegISEtoken.ca.conn', 'ca1'), ++ ('op.format.externalRegISEtoken.cardmgr_instance', 'A0000000030000'), ++ ('op.format.externalRegISEtoken.cuidMustMatchKDD', 'false'), ++ ('op.format.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'), ++ ('op.format.externalRegISEtoken.issuerinfo.enable', 'true'), ++ ('op.format.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'), ++ ('op.format.externalRegISEtoken.loginRequest.enable', 'true'), ++ ('op.format.externalRegISEtoken.maximumGPKeyVersion', 'FF'), ++ ('op.format.externalRegISEtoken.minimumGPKeyVersion', '01'), ++ ('op.format.externalRegISEtoken.revokeCert', 'false'), ++ ('op.format.externalRegISEtoken.revokeCert.reason', '0'), ++ ('op.format.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'), ++ ('op.format.externalRegISEtoken.tks.conn', 'tks1'), ++ ('op.format.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'), ++ ('op.format.externalRegISEtoken.update.applet.emptyToken.enable', 'true'), ++ ('op.format.externalRegISEtoken.update.applet.encryption', 'true'), ++ ('op.format.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'), ++ ('op.format.externalRegISEtoken.update.symmetricKeys.enable', 'false'), ++ 
('op.format.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'), ++ ('op.format.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true'), ++ ('op.enroll.externalRegISEtoken._000', '#########################################'), ++ ('op.enroll.externalRegISEtoken._001', '# Enrollment for externalReg'), ++ ('op.enroll.externalRegISEtoken._002', '# ID, Signing,Encryption'), ++ ('op.enroll.externalRegISEtoken._003', '# controlled by registration user record'), ++ ('op.enroll.externalRegISEtoken._004', '#########################################'), ++ ('op.enroll.externalRegISEtoken.auth.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.auth.id', 'ldap1'), ++ ('op.enroll.externalRegISEtoken.cardmgr_instance', 'A0000000030000'), ++ ('op.enroll.externalRegISEtoken.cuidMustMatchKDD', 'false'), ++ ('op.enroll.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'), ++ ('op.enroll.externalRegISEtoken.issuerinfo.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.SANpattern', '$auth.edipi$.$auth.pcc$@EXAMPLE.com'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.conn', 'ca1'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyEnrollment'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId', 'c3'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.certId', 'C3'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label', '$cuid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.keySize', '1024'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUser', '0'), ++ 
('op.enroll.externalRegISEtoken.keyGen.authentication.label', 'authentication key for $userid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.overwrite', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.decrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.encrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.private', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sensitive', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sign', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.signRecover', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.unwrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verify', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verifyRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.wrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyAttrId', 'k6'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyNumber', '6'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.decrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.encrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.private', 'false'), ++ 
('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sensitive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sign', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.signRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.unwrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verify', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verifyRecover', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.wrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyAttrId', 'k7'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyNumber', '7'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts', 'false'), ++ 
('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason', '6'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.archive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.drm.conn', 'kra1'), ++ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.enable', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.SANpattern', '$auth.mail$,$auth.edipi$.$auth.pcc$@EXAMPLE.com'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption._000', '#########################################'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption._001', '# encryption cert/keys are "recovered" for this profile'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption._002', '# controlled from User Registartion db'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption._003', '#########################################'), ++ 
('op.enroll.externalRegISEtoken.keyGen.encryption.ca.conn', 'ca1'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.profileId', 'caTokenUserEncryptionKeyEnrollment'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId', 'c2'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.certId', 'C2'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label', '$cuid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.keySize', '1024'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUser', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.label', 'encryption key for $userid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.overwrite', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.decrypt', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.encrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.private', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sensitive', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sign', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.signRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.unwrap', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verify', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verifyRecover', 'false'), ++ 
('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.wrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyAttrId', 'k4'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyNumber', '4'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.decrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.encrypt', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.private', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sensitive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sign', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.signRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.unwrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verify', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.wrap', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyAttrId', 'k5'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyNumber', '5'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert.reason', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts', 'false'), ++ 
('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.scheme', 'RecoverLast'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason', '6'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.archive', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.drm.conn', 'kra1'), ++ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.enable', 'True'), ++ ('op.enroll.externalRegISEtoken.keyGen.keyType.num', '3'), ++ 
('op.enroll.externalRegISEtoken.keyGen.keyType.value.0', 'signing'), ++ ('op.enroll.externalRegISEtoken.keyGen.keyType.value.1', 'authentication'), ++ ('op.enroll.externalRegISEtoken.keyGen.keyType.value.2', 'encryption'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.num', '3'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.0', 'signing'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.1', 'authentication'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.2', 'encryption'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.num', '3'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.0', 'signing'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.1', 'authentication'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.2', 'encryption'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.num', '3'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.0', 'signing'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.1', 'authentication'), ++ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.2', 'encryption'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.SANpattern', '$auth.mail$'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.ca.conn', 'ca1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.ca.profileId', 'caTokenUserDelegateSigningKeyEnrollment'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.certAttrId', 'c1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.certId', 'C1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.cuid_label', '$cuid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.keySize', '1024'), ++ 
('op.enroll.externalRegISEtoken.keyGen.signing.keyUsage', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.keyUser', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.label', 'signing key for $userid$'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.overwrite', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.decrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.encrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.private', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sensitive', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sign', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.signRecover', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.unwrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verify', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verifyRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.wrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyAttrId', 'k2'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyNumber', '2'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.decrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.derive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.encrypt', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.private', 'false'), ++ 
('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sensitive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sign', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.signRecover', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.token', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.unwrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verify', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verifyRecover', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.wrap', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyAttrId', 'k3'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyNumber', '3'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert.reason', '0'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.scheme', 'GenerateNewKey'), ++ 
('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason', '6'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert', 'true'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert.reason', '1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeExpiredCerts', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.scheme', 'GenerateNewKey'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.archive', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.drm.conn', 'kra1'), ++ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.enable', 'false'), ++ ('op.enroll.externalRegISEtoken.keyGen.tokenName', '$auth.cn$'), ++ ('op.enroll.externalRegISEtoken.loginRequest.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.maximumGPKeyVersion', 'FF'), ++ ('op.enroll.externalRegISEtoken.minimumGPKeyVersion', '01'), ++ ('op.enroll.externalRegISEtoken.pinReset.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.pinReset.pin.maxLen', '10'), ++ ('op.enroll.externalRegISEtoken.pinReset.pin.maxRetries', '127'), ++ ('op.enroll.externalRegISEtoken.pinReset.pin.minLen', '4'), ++ ('op.enroll.externalRegISEtoken.pkcs11obj.compress.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.pkcs11obj.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.renewal._000', '#########################################'), ++ 
('op.enroll.externalRegISEtoken.renewal._001', '# Token Renewal.'), ++ ('op.enroll.externalRegISEtoken.renewal._002', '#'), ++ ('op.enroll.externalRegISEtoken.renewal._003', '# For each token in TPS UI, set the'), ++ ('op.enroll.externalRegISEtoken.renewal._004', '# following to trigger renewal'), ++ ('op.enroll.externalRegISEtoken.renewal._005', '# operations:'), ++ ('op.enroll.externalRegISEtoken.renewal._006', '#'), ++ ('op.enroll.externalRegISEtoken.renewal._007', '# RENEW=YES'), ++ ('op.enroll.externalRegISEtoken.renewal._008', '#'), ++ ('op.enroll.externalRegISEtoken.renewal._009', '# Optional grace period enforcement'), ++ ('op.enroll.externalRegISEtoken.renewal._010', '# must coincide exactly with what'), ++ ('op.enroll.externalRegISEtoken.renewal._011', '# the CA enforces.'), ++ ('op.enroll.externalRegISEtoken.renewal._012', '#'), ++ ('op.enroll.externalRegISEtoken.renewal._013', '# In case of renewal, encryption certId'), ++ ('op.enroll.externalRegISEtoken.renewal._014', '# values are for completeness only, server'), ++ ('op.enroll.externalRegISEtoken.renewal._015', '# code calculates actual values used.'), ++ ('op.enroll.externalRegISEtoken.renewal._016', '#'), ++ ('op.enroll.externalRegISEtoken.renewal._017', '#########################################'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.ca.conn', 'ca1'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyRenewal'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.certAttrId', 'c3'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.certId', 'C3'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.after', '30'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.before', '30'), ++ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.enable', 'false'), ++ 
('op.enroll.externalRegISEtoken.renewal.keyType.num', '2'), ++ ('op.enroll.externalRegISEtoken.renewal.keyType.value.0', 'signing'), ++ ('op.enroll.externalRegISEtoken.renewal.keyType.value.1', 'authentication'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.ca.conn', 'ca1'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.ca.profileId', 'caTokenUserSigningKeyRenewal'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.certAttrId', 'c1'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.certId', 'C1'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.after', '30'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.before', '30'), ++ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.enable', 'false'), ++ ('op.enroll.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'), ++ ('op.enroll.externalRegISEtoken.temporaryToken.tokenType', 'externalRegISEtokenTemporary'), ++ ('op.enroll.externalRegISEtoken.tks.conn', 'tks1'), ++ ('op.enroll.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'), ++ ('op.enroll.externalRegISEtoken.update.applet.emptyToken.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.update.applet.enable', 'true'), ++ ('op.enroll.externalRegISEtoken.update.applet.encryption', 'true'), ++ ('op.enroll.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'), ++ ('op.enroll.externalRegISEtoken.update.symmetricKeys.enable', 'false'), ++ ('op.enroll.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'), ++ ('op.enroll.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true') ++] ++ ++ ++class AddTPSExternalRegISEtokenParams(PKIServerUpgradeScriptlet): ++ def __init__(self): ++ super(AddTPSExternalRegISEtokenParams, self).__init__() ++ self.parser = etree.XMLParser(remove_blank_text=True) ++ self.message = 'Add token profile params for externalRegISEtoken for TPS CS.cfg' ++ ++ def 
upgrade_subsystem(self, instance, subsystem): ++ if subsystem.name == 'tps': ++ self.upgrade_config(instance, subsystem) ++ ++ def upgrade_config(self, instance, subsystem): # pylint: disable=W0613 ++ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') ++ server_xml = os.path.join(instance.conf_dir, 'server.xml') ++ self.backup(filename) ++ properties = pki.PropertyFile(filename) ++ properties.read() ++ ++ # Get the unsecure phone home url out of the server.xml ++ ++ tps_unsecure_port = None ++ hostname = socket.gethostname() ++ ++ document = etree.parse(server_xml, self.parser) ++ server = document.getroot() ++ connectors = server.findall('.//Connector') ++ ++ for connector in connectors: ++ # find the Secure connector ++ name = connector.get('name') ++ if name != 'Unsecure': ++ continue ++ else: ++ tps_unsecure_port = connector.get('port') ++ ++ # if the property exists, leave it alone', otherwise set ++ # it to the value defined above ++ # replace the standard non secure phone home url with value ++ # from the server.xml file, which is known correct ++ ++ for k, v in proplist: ++ cur = properties.get(k) ++ if cur is None: ++ properties.set(k, v) ++ # handle the case when we have an issuer url to plug in ++ if k.find("issuerinfo.value") != -1: ++ if tps_unsecure_port is not None: ++ properties.set(k, "http://" + hostname + ":" + tps_unsecure_port + "/tps/phoneHome") ++ ++ properties.write() +-- +1.8.3.1 + + +From 42152f3c4b43e4aeb5c08223df2f0998f56a4c34 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 Jan 2018 03:48:35 +0100 +Subject: [PATCH 03/18] Updated RollingLogFile.EXPIRATION_TIME. + +The RollingLogFile.EXPIRATION_TIME has been changed to 0 such that +log expiration is disabled in case the log.instance.*.expirationTime +parameter is missing from the CS.cfg. 
+
+https://pagure.io/dogtagpki/issue/2656
+
+Change-Id: I8c8c7a1560f986920244f9660b0de10e197f93b4
+(cherry picked from commit e2a72fff7413cf084cf5f629cbaa0e8a9c2c64a0)
+(cherry picked from commit 4b48f2c589f4320e23632ceccd9b20dba7ca140f)
+---
+ base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+index d804850..e0eb1df 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+@@ -66,7 +66,7 @@ public class RollingLogFile extends LogFile {
+ /**
+ * The default expiration time in seconds
+ */
+- static final String EXPIRATION_TIME = "2592000";
++ static final String EXPIRATION_TIME = "0";
+
+ /**
+ * The maximum file size in bytes
+--
+1.8.3.1
+
+
+From 2c1653d822d40b5d305f76a225d18614ad3ecd89 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Thu, 25 Jan 2018 04:32:23 +0100
+Subject: [PATCH 04/18] Merged TOKEN_APPLET_UPGRADE events.
+
+The TOKEN_APPLET_UPGRADE_* events have been merged into a single
+event with different outcomes. Also, it has been encapsulated into
+TokenAppletUpgradeEvent class.
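Review bot: The Javadoc on the changed constant still reads "The default expiration time in seconds" and does not say what the new value `"0"` means; per the commit message it disables expiration when `log.instance.*.expirationTime` is absent from CS.cfg, and a reader of the class cannot recover that from the hunk. I would change the comment to `* The default expiration time in seconds; 0 disables expiration (see log.instance.*.expirationTime in CS.cfg).` The code that interprets the value is outside the hunk, so the "0 disables" semantics should be confirmed there before documenting it. For the signed audit log this is the safer default, since records are no longer removed automatically, and the comment is the place to say that.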
+ +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: Ifa34eacaa5a0da1c8026eb702e09828234d7f0f5 +(cherry picked from commit c006503ca9f99389da85da091a856d226a7eb244) +(cherry picked from commit 5d3ddcd3335023e4f8d3303fdeac95de2ea2851f) +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + .../logging/event/TokenAppletUpgradeEvent.java | 56 ++++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 8 ++-- + .../server/tps/processor/TPSProcessor.java | 21 ++++---- + 4 files changed, 72 insertions(+), 17 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 8aebd0f..6bf2df6 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -133,10 +133,6 @@ public class AuditEvent extends LogEvent { + "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9"; + public final static String TOKEN_FORMAT_FAILURE = + "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; +- public final static String TOKEN_APPLET_UPGRADE_SUCCESS = +- "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9"; +- public final static String TOKEN_APPLET_UPGRADE_FAILURE = +- "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9"; + public final static String TOKEN_KEY_CHANGEOVER_REQUIRED = + "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; + public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java +new file mode 100644 +index 0000000..06df664 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java +@@ -0,0 +1,56 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free 
software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2018 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.SignedAuditEvent;
++
++public class TokenAppletUpgradeEvent extends SignedAuditEvent {
++
++ private static final long serialVersionUID = 1L;
++
++ public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
++ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS";
++
++ public final static String TOKEN_APPLET_UPGRADE_FAILURE =
++ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE";
++
++ public TokenAppletUpgradeEvent(
++ String messageID,
++ String ip,
++ String subjectID,
++ String cuid,
++ String msn,
++ String outcome,
++ String keyVersion,
++ String oldAppletVersion,
++ String newAppletVersion,
++ String info) {
++
++ super(messageID);
++
++ setAttribute("IP", ip);
++ setAttribute("SubjectID", subjectID);
++ setAttribute("CUID", cuid);
++ setAttribute("MSN", msn);
++ setAttribute("Outcome", outcome);
++ setAttribute("KeyVersion", keyVersion);
++ setAttribute("oldAppletVersion", oldAppletVersion);
++ setAttribute("newAppletVersion", newAppletVersion);
++ setAttribute("Info", info);
++ }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 4ec6c39..183987f 100644
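Review bot: The new public class `TokenAppletUpgradeEvent` and its ten-argument constructor have no Javadoc, so nothing states which `messageID` values are valid (the two constants above it) or what `outcome` is expected to contain, even though it is written verbatim into the `Outcome` attribute that audit filters match on. I would add a class comment saying the event records a TPS token applet upgrade as the TOKEN_APPLET_UPGRADE signed-audit event with IP, SubjectID, CUID, MSN, Outcome, KeyVersion, oldAppletVersion, newAppletVersion and Info attributes, plus `@param` lines that name the accepted `outcome` spellings once they are settled. The same applies to `TokenKeyChangeoverEvent` in PATCH 05/18. As a point of style, `public final static String` should be `public static final String` on both constants.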
+--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2235,8 +2235,8 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification success +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification failure ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure + + # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST + # - used for TPS to TKS to get random challenge data +@@ -2613,12 +2613,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=:[AuditEv + # + # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS + # - used when token apple upgrade succeeded +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success ++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success + # + # + # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE + # - used when token apple upgrade failed +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure ++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure + # + # 
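Review bot: The hunk at line 2235 rewrites the `LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS` and `_FAILURE` messages to the `{0}` attribute form, which the commit message ("Merged TOKEN_APPLET_UPGRADE events") does not mention. Either move that hunk to its own commit or add a sentence to the message saying these CMC messages are converted too. As rendered here only the `_FAILURE` key appears on the removed side, so confirm the old `_SUCCESS` key is actually removed rather than left as a second definition in the bundle.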
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED + # - used when token key changeover is required +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index a78db64..1093d78 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -95,6 +95,7 @@ import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.LogEvent; ++import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.cms.logging.Logger; + import com.netscape.cms.logging.SignedAuditLogger; +@@ -4164,27 +4165,29 @@ public class TPSProcessor { + String newVersion, + String info) { + +- String auditType = ""; ++ String auditType; ++ + switch (status) { + case "success": +- auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS; ++ auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_SUCCESS; + break; + default: +- auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE; ++ auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_FAILURE; + } + +- String auditMessage = CMS.getLogMessage( ++ TokenAppletUpgradeEvent event = new TokenAppletUpgradeEvent( + auditType, +- (session != null) ? session.getIpAddress() : null, ++ session != null ? session.getIpAddress() : null, + userid, +- (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null, +- (aInfo != null) ? aInfo.getMSNString() : null, ++ aInfo != null ? aInfo.getCUIDhexStringPlain() : null, ++ aInfo != null ? aInfo.getMSNString() : null, + status, + keyVersion, +- (aInfo != null) ? aInfo.getFinalAppletVersion() : null, ++ aInfo != null ? 
aInfo.getFinalAppletVersion() : null, + newVersion, + info); +- audit(auditMessage); ++ ++ signedAuditLogger.log(event); + } + + protected void auditKeyChangeoverRequired(AppletInfo aInfo, +-- +1.8.3.1 + + +From 7ab4d71f5a6c5c5ff8be1bbeaac6528ec652cc32 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 25 Jan 2018 04:49:06 +0100 +Subject: [PATCH 05/18] Merged TOKEN_KEY_CHANGEOVER events. + +The TOKEN_KEY_CHANGEOVER_* events have been merged into a single +event with different outcomes. Also, it has been encapsulated into +TokenKeyChangeoverEvent class. + +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: I09c5179645c2037ff6208e923f35177104e5babd +(cherry picked from commit 2c614e982805349b1c28f8647cd2be615c9ca1cd) +(cherry picked from commit 64bd7ecf033385972988b7c675ee446be8537644) +--- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- + .../logging/event/TokenKeyChangeoverEvent.java | 58 ++++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 4 +- + .../server/tps/processor/TPSProcessor.java | 21 ++++---- + 4 files changed, 72 insertions(+), 15 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java + +diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 6bf2df6..131b2a9 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -135,10 +135,6 @@ public class AuditEvent extends LogEvent { + "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; + public final static String TOKEN_KEY_CHANGEOVER_REQUIRED = + "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; +- public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = +- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10"; +- public final static String TOKEN_KEY_CHANGEOVER_FAILURE = +- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10"; 
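Review bot: `status` is passed through unchanged as the event's `Outcome` attribute while the switch above recognises only the exact lowercase `"success"`; any other spelling selects the FAILURE message ID and still stores the caller's text verbatim, so the message type and the Outcome attribute can disagree. If the filters for this event follow the `(Outcome=Failure)` pattern that this patch series adds to CS.cfg, the spelling written here has to match the filter exactly or failures will not be selected; confirm the convention and, if needed, derive the attribute from the switch, e.g. `String outcome = "success".equals(status) ? status : "Failure";` (the replacement value is a placeholder to be aligned with the filter syntax). The enclosing method starts outside the hunk, so the parameter declarations are not visible here. The same applies to the `auditKeyChangeover` hunk in PATCH 05/18.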
+ public final static String TOKEN_AUTH_FAILURE = + "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9"; + public final static String TOKEN_AUTH_SUCCESS = +diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java +new file mode 100644 +index 0000000..5bbfe26 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java +@@ -0,0 +1,58 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class TokenKeyChangeoverEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS"; ++ ++ public final static String TOKEN_KEY_CHANGEOVER_FAILURE = ++ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE"; ++ ++ public TokenKeyChangeoverEvent( ++ String messageID, ++ String ip, ++ String subjectID, ++ String cuid, ++ String msn, ++ String outcome, ++ String tokenType, ++ String appletVersion, ++ String oldKeyVersion, ++ String newKeyVersion, ++ String info) { ++ ++ super(messageID); ++ ++ setAttribute("IP", ip); ++ setAttribute("SubjectID", subjectID); ++ setAttribute("CUID", cuid); ++ setAttribute("MSN", msn); ++ setAttribute("Outcome", outcome); ++ setAttribute("tokenType", tokenType); ++ setAttribute("AppletVersion", appletVersion); ++ setAttribute("oldKeyVersion", oldKeyVersion); ++ setAttribute("newKeyVersion", newKeyVersion); ++ setAttribute("Info", info); ++ } ++} +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 183987f..9ca508a 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2627,12 +2627,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success + # + # LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE + # - used when token key changeover failed + # - Info is used for storing more info in case of 
failure +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure + # + # LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE + # - used when authentication failed +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 1093d78..811c9a7 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -96,6 +96,7 @@ import com.netscape.certsrv.common.Constants; + import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.LogEvent; + import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent; ++import com.netscape.certsrv.logging.event.TokenKeyChangeoverEvent; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.cms.logging.Logger; + import com.netscape.cms.logging.SignedAuditLogger; +@@ -4218,28 +4219,30 @@ public class TPSProcessor { + String newKeyVersion, + String info) { + +- String auditType = ""; ++ String auditType; ++ + switch (status) { + case "success": +- auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS; ++ auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_SUCCESS; + break; + default: +- auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE; ++ auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_FAILURE; + } + +- String auditMessage = CMS.getLogMessage( ++ TokenKeyChangeoverEvent event = new TokenKeyChangeoverEvent( + auditType, +- (session != null) ? session.getIpAddress() : null, ++ session != null ? session.getIpAddress() : null, + userid, +- (aInfo != null) ? 
aInfo.getCUIDhexStringPlain() : null, +- (aInfo != null) ? aInfo.getMSNString() : null, ++ aInfo != null ? aInfo.getCUIDhexStringPlain() : null, ++ aInfo != null ? aInfo.getMSNString() : null, + status, + getSelectedTokenType(), +- (aInfo != null) ? aInfo.getFinalAppletVersion() : null, ++ aInfo != null ? aInfo.getFinalAppletVersion() : null, + oldKeyVersion, + newKeyVersion, + info); +- audit(auditMessage); ++ ++ signedAuditLogger.log(event); + } + + /* +-- +1.8.3.1 + + +From 6bf58209dda17ab2e76e6038e7a6209539e37816 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 21 Apr 2017 20:16:16 +0200 +Subject: [PATCH 06/18] Updated default audit events. + +The default audit events and their filters have been updated in +all PKI subsystem configuration files. + +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: I867a38a366ad7cc23d71f2a0c22996a9ccce8088 +(cherry picked from commit d928a667e6d573ce1d1d936d3c3682945bb0f9fc) +(cherry picked from commit a67cfbaee71e3f2254fb8ee201bd47fbcd60d834) +--- + base/ca/shared/conf/CS.cfg | 8 +++++++- + base/kra/shared/conf/CS.cfg | 16 +++++++++++++++- + base/ocsp/shared/conf/CS.cfg | 3 ++- + base/tks/shared/conf/CS.cfg | 3 ++- + base/tps/shared/conf/CS.cfg | 5 ++++- + 5 files changed, 30 insertions(+), 5 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 908407b..76a7057 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -909,8 +909,14 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION 
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
++log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
++log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
++log.instance.SignedAudit.filters.FULL_CRL_GENERATION=(Outcome=Failure)
++log.instance.SignedAudit.filters.OCSP_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
++log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index a5ddab6..06bd0fe 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -304,8 +304,22 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
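Review bot: The new default `log.instance.SignedAudit.events` list for the CA drops a number of events the removed line had, among them `CERT_STATUS_CHANGE_REQUEST_PROCESSED`, `CONFIG_ACL`, `CONFIG_CERT_POLICY`, `AUTHORITY_CONFIG` and `AUDIT_LOG_DELETE`, so unless those events were removed from the code or are now logged unconditionally, a fresh CA instance audits less than before, including revocation processing. That reduction in coverage is a policy decision and should be stated in the commit message rather than left as "updated". The `_005` comment line shown in the hunk header still opens with `AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN`, which the new list no longer contains, so the `_00x` comment block above this hunk needs the same update. The same observation applies to the KRA, OCSP, TKS and TPS hunks of this patch.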
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION 
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
++log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
++log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
++log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
++log.instance.SignedAudit.filters.KEY_RECOVERY_AGENT_LOGIN=(Outcome=Failure)
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
++log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST=(Outcome=Failure)
++log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=(Outcome=Failure)
++log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST=(Outcome=Failure)
++log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outcome=Failure)
++log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure)
++log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
++log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure)
++log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)
++log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure)
++log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+ 
log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg +index 13c9bcf..dc993b0 100644 +--- a/base/ocsp/shared/conf/CS.cfg ++++ b/base/ocsp/shared/conf/CS.cfg +@@ -220,8 +220,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
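Review bot: The added filter line `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)` in the KRA CS.cfg hunk is malformed: it repeats the `SERVER_SIDE_KEYGEN_REQUEST` key from the line above and gives it a value that is not an LDAP filter, while `SERVER_SIDE_KEYGEN_REQUEST_PROCESSED`, which the new `events` list enables, gets no filter at all. Depending on how the CS.cfg loader treats duplicate keys, the second definition most likely replaces the first, so the failure-only filter for SERVER_SIDE_KEYGEN_REQUEST is lost and the filter parser is handed `PROCESSED (Outcome=Failure)`; how LogFile behaves on an unparseable filter is not visible here. The intended line is presumably `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)`. Separately, the removed KRA `events` line listed SECURITY_DATA_RETRIEVE_KEY, SECURITY_DATA_EXPORT_KEY and KEY_STATUS_CHANGE and the new default does not; if those events still exist, dropping key-retrieval and key-export auditing from the default set deserves an explicit mention in the commit message.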
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) ++log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ocsp_cert-ocsp_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index 751398f..d1da996 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -212,8 +212,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) ++log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + 
log.instance.SignedAudit.expirationTime=0 + log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tks_cert-tks_audit + log.instance.SignedAudit.flushInterval=5 +diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg +index c244d19..c44bc75 100644 +--- a/base/tps/shared/conf/CS.cfg ++++ b/base/tps/shared/conf/CS.cfg +@@ -229,8 +229,11 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ,AUTH,ROLE_ASSUME,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_GENERAL,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_RECORD,CONFIG_TOKEN_AUTHENTICATOR,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) ++log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) ++log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) 
++log.instance.SignedAudit.filters.TOKEN_KEY_CHANGEOVER=(Outcome=Failure) + log.instance.SignedAudit.unselected.events= + log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING + log.instance.SignedAudit.expirationTime=0 +-- +1.8.3.1 + + +From 6bf945e96d8c41e21eb22105e46c33f11f2be26c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 26 Jan 2018 20:56:45 +0100 +Subject: [PATCH 07/18] Using case-insensitive audit event filter. + +The code that evaluates audit event filter has been modified to +use case-insensitive attribute value comparison. + +https://pagure.io/dogtagpki/issue/2656 + +Change-Id: I548dee048b0ed70779fb67a8cdfc39943f2bc9b7 +(cherry picked from commit a1ff57e0b84a4737771511268c5b92a8af975ca3) +(cherry picked from commit 5e4785bf697fc2844255c3499b2944c84899aa3e) +--- + base/server/cms/src/com/netscape/cms/logging/LogFile.java | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index 738eabf..510e796 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -1202,7 +1202,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + + String stringAttr = (String)attr; + +- return value.equals(stringAttr); ++ return value.equalsIgnoreCase(stringAttr); + } + + public boolean eval(SignedAuditEvent event, JDAPFilterSubString filter) { +@@ -1215,18 +1215,18 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + if (attr == null) return false; + if (!(attr instanceof String)) return false; + +- String stringAttr = (String)attr; ++ String stringAttr = ((String)attr).toLowerCase(); + + // check initial substring + String initialSubstring = filter.getInitialSubstring(); + if (initialSubstring != null) { +- if 
(!stringAttr.startsWith(initialSubstring)) return false; ++ if (!stringAttr.startsWith(initialSubstring.toLowerCase())) return false; + stringAttr = stringAttr.substring(initialSubstring.length()); + } + + // check any substrings + for (String anySubstring : filter.getAnySubstrings()) { +- int p = stringAttr.indexOf(anySubstring); ++ int p = stringAttr.indexOf(anySubstring.toLowerCase()); + if (p < 0) return false; + stringAttr = stringAttr.substring(p + anySubstring.length()); + } +@@ -1234,7 +1234,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + // check final substring + String finalSubstring = filter.getFinalSubstring(); + if (finalSubstring != null) { +- if (!stringAttr.endsWith(finalSubstring)) return false; ++ if (!stringAttr.endsWith(finalSubstring.toLowerCase())) return false; + } + + return true; +-- +1.8.3.1 + + +From 37a29eeb71a0e9adb81eb0e4c00fa36afcb17598 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 12 Dec 2017 01:59:53 +0100 +Subject: [PATCH 08/18] Fixed pylint warnings. + +Some Python files have been modified to avoid pylint warnings due +to subsequent changes. 
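Review bot: The new `toLowerCase()` calls in the `@@ -1215,18 +1215,18 @@` hunk use the JVM default locale, so whether an audit filter matches now depends on the server's locale: under a Turkish locale `"FAILURE".toLowerCase()` yields a dotless ı while the event's `"Failure"` keeps its i, so a substring filter such as `(Outcome=FAIL*)` silently stops matching. The `@@ -1234,7 +1234,7 @@` hunk has the same problem, and both are inconsistent with the `@@ -1202,7 +1202,7 @@` hunk, where `equalsIgnoreCase` is locale-independent. A second, smaller issue: `stringAttr.substring(initialSubstring.length())` and `p + anySubstring.length()` advance by the length of the original filter substring although the match was made against its lower-cased form, whose length can differ for some Unicode characters. Use `toLowerCase(Locale.ROOT)` throughout (adding `import java.util.Locale;`) and advance by the length of the lower-cased needle, as below; the enclosing `eval(SignedAuditEvent, JDAPFilterSubString)` starts before the hunk.
```java
// … unchanged: null / instanceof checks on attr …
String stringAttr = ((String) attr).toLowerCase(Locale.ROOT);

// check initial substring
String initialSubstring = filter.getInitialSubstring();
if (initialSubstring != null) {
    String prefix = initialSubstring.toLowerCase(Locale.ROOT);
    if (!stringAttr.startsWith(prefix)) return false;
    stringAttr = stringAttr.substring(prefix.length());
}

// check any substrings
for (String anySubstring : filter.getAnySubstrings()) {
    String needle = anySubstring.toLowerCase(Locale.ROOT);
    int p = stringAttr.indexOf(needle);
    if (p < 0) return false;
    stringAttr = stringAttr.substring(p + needle.length());
}

// check final substring
String finalSubstring = filter.getFinalSubstring();
if (finalSubstring != null) {
    if (!stringAttr.endsWith(finalSubstring.toLowerCase(Locale.ROOT))) return false;
}
```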
+ +https://pagure.io/dogtagpki/issue/167 + +Change-Id: If16e5d7f60cef776c6b65ad9f803b178ba52bc85 +(cherry picked from commit c2f4157973880d7c0744718b0887ac184f085bcb) +(cherry picked from commit 75542c58f88f204c2f80d029946e65df7c26a54f) +--- + .../python/pki/server/deployment/pkihelper.py | 2 +- + .../server/deployment/scriptlets/configuration.py | 44 +++++++++++----------- + base/server/sbin/pkidestroy | 1 + + base/server/sbin/pkispawn | 1 + + 4 files changed, 25 insertions(+), 23 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 7f88873..8195e28 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -4109,7 +4109,7 @@ class ConfigClient: + if not nickname: + nickname = cert.nickname + +- config.pki_log.info("loading %s certificate" % nickname, ++ config.pki_log.info("loading %s certificate", nickname, + extra=config.PKI_INDENTATION_LEVEL_2) + + cert.cert = nssdb.get_cert(nickname) +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 43e9d83..2cda5e0 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -94,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + cert_id = self.get_cert_id(subsystem, tag) + + config.pki_log.info( +- "generating %s CSR in %s" % (cert_id, csr_path), ++ "generating %s CSR in %s", cert_id, csr_path, + extra=config.PKI_INDENTATION_LEVEL_2) + + subject_dn = deployer.mdict['pki_%s_subject_dn' % cert_id] +@@ -361,7 +361,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return + + config.pki_log.info( +- "importing %s CSR from %s" % (tag, csr_path), ++ "importing %s CSR from %s", tag, csr_path, + 
extra=config.PKI_INDENTATION_LEVEL_2) + + with open(csr_path) as f: +@@ -377,7 +377,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return + + config.pki_log.info( +- "importing ca_signing CSR from %s" % csr_path, ++ "importing ca_signing CSR from %s", csr_path, + extra=config.PKI_INDENTATION_LEVEL_2) + + with open(csr_path) as f: +@@ -404,7 +404,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_ca_signing_nickname'] + + config.pki_log.info( +- "importing ca_signing certificate from %s" % cert_file, ++ "importing ca_signing certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -421,7 +421,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_ocsp_signing_nickname'] + + config.pki_log.info( +- "importing ca_ocsp_signing certificate from %s" % cert_file, ++ "importing ca_ocsp_signing certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -438,7 +438,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_sslserver_nickname'] + + config.pki_log.info( +- "importing sslserver certificate from %s" % cert_file, ++ "importing sslserver certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -455,7 +455,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_subsystem_nickname'] + + config.pki_log.info( +- "importing subsystem certificate from %s" % cert_file, ++ "importing subsystem certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -472,7 +472,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_audit_signing_nickname'] + + config.pki_log.info( +- "importing audit_signing certificate from %s" % cert_file, ++ "importing audit_signing 
certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -494,7 +494,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + try: + config.pki_log.info( +- "importing admin certificate from %s" % cert_file, ++ "importing admin certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + client_nssdb.import_cert_chain( +@@ -514,7 +514,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_storage_nickname'] + + config.pki_log.info( +- "importing kra_storage certificate from %s" % cert_file, ++ "importing kra_storage certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -531,7 +531,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_transport_nickname'] + + config.pki_log.info( +- "importing kra_transport certificate from %s" % cert_file, ++ "importing kra_transport certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -548,7 +548,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_ocsp_signing_nickname'] + + config.pki_log.info( +- "importing ocsp_signing certificate from %s" % cert_file, ++ "importing ocsp_signing certificate from %s", cert_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -563,7 +563,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return + + config.pki_log.info( +- "importing certificates and keys from %s" % pkcs12_file, ++ "importing certificates and keys from %s", pkcs12_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + pkcs12_password = deployer.mdict['pki_external_pkcs12_password'] +@@ -578,7 +578,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_cert_chain_nickname'] + + config.pki_log.info( +- "importing certificate chain from %s" % 
chain_file, ++ "importing certificate chain from %s", chain_file, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.import_cert_chain( +@@ -787,7 +787,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return + + config.pki_log.info( +- "validating %s certificate" % tag, ++ "validating %s certificate", tag, + extra=config.PKI_INDENTATION_LEVEL_2) + + subsystem.validate_system_cert(tag) +@@ -820,7 +820,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname = deployer.mdict['pki_self_signed_nickname'] + + config.pki_log.info( +- "checking existing SSL server cert: %s" % nickname, ++ "checking existing SSL server cert: %s", nickname, + extra=config.PKI_INDENTATION_LEVEL_2) + + pem_cert = nssdb.get_cert(nickname) +@@ -831,7 +831,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + hostname = cn.value + + config.pki_log.info( +- "existing SSL server cert is for %s" % hostname, ++ "existing SSL server cert is for %s", hostname, + extra=config.PKI_INDENTATION_LEVEL_2) + + # if hostname is correct, don't create temp cert +@@ -839,13 +839,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + return False + + config.pki_log.info( +- "removing SSL server cert for %s" % hostname, ++ "removing SSL server cert for %s", hostname, + extra=config.PKI_INDENTATION_LEVEL_2) + + nssdb.remove_cert(nickname, remove_key=True) + + config.pki_log.info( +- "creating temp SSL server cert for %s" % deployer.mdict['pki_hostname'], ++ "creating temp SSL server cert for %s", deployer.mdict['pki_hostname'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # TODO: replace with pki-server create-cert sslserver --temp +@@ -911,7 +911,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + token = deployer.mdict['pki_token_name'] + + config.pki_log.info( +- "removing temp SSL server cert from internal token: %s" % nickname, ++ "removing temp SSL server cert from internal token: %s", nickname, + extra=config.PKI_INDENTATION_LEVEL_2) + + 
nssdb = instance.open_nssdb() +@@ -934,7 +934,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + token = deployer.mdict['pki_token_name'] + + config.pki_log.info( +- "importing permanent SSL server cert into %s token: %s" % (token, nickname), ++ "importing permanent SSL server cert into %s token: %s", token, nickname, + extra=config.PKI_INDENTATION_LEVEL_2) + + tmpdir = tempfile.mkdtemp() +@@ -1121,7 +1121,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + restart_server = os.path.join(instance.conf_dir, 'restart_server_after_configuration') + config.pki_log.debug( +- 'creating %s' % restart_server, ++ 'creating %s', restart_server, + extra=config.PKI_INDENTATION_LEVEL_2) + + open(restart_server, 'a').close() +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 0b6ef6b..23feba1 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -265,6 +265,7 @@ def log_error_details(): + config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2) + del e_type, e_value, e_stacktrace + ++ + # PKI Deployment Entry Point + if __name__ == "__main__": + signal.signal(signal.SIGINT, interrupt_handler) +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index d671ba7..052edb4 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -874,6 +874,7 @@ def log_error_details(): + config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2) + del e_type, e_value, e_stacktrace + ++ + # PKI Deployment Entry Point + if __name__ == "__main__": + signal.signal(signal.SIGINT, interrupt_handler) +-- +1.8.3.1 + + +From 66c0aeb997f840c3253a78f30d90273834833f7e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 Jan 2018 03:19:21 +0100 +Subject: [PATCH 09/18] Refactored pkispawn and pkidestroy logger configuration + +The method that configures the loggers for pkispawn and pkidestroy +has been modified to configure the global pki logger as well. 
+ +https://pagure.io/dogtagpki/issue/2916 + +Change-Id: I66b532a87c1e728ad2adc673e35dfc6bcb568570 +(cherry picked from commit 5dcab6c7ef62d08c51bca90ece03198b82c54aef) +(cherry picked from commit 094d238a75f0335f9c374f65f0bc1d913ea49444) +--- + .../python/pki/server/deployment/pkilogging.py | 26 +++++++++++++--------- + base/server/sbin/pkidestroy | 15 +++++-------- + base/server/sbin/pkispawn | 16 +++++-------- + 3 files changed, 26 insertions(+), 31 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py +index 7a7afd7..2634189 100644 +--- a/base/server/python/pki/server/deployment/pkilogging.py ++++ b/base/server/python/pki/server/deployment/pkilogging.py +@@ -24,6 +24,8 @@ import logging + import os + import pprint + ++from pki.server.deployment import pkiconfig as config ++ + sensitive_parameters = [] + + # Initialize 'pretty print' for objects +@@ -46,15 +48,9 @@ def log_format(given_dict): + + # PKI Deployment Logging Functions + def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): +- if not os.path.isdir(log_dir): +- try: +- os.makedirs(log_dir) +- except OSError: +- return OSError + +- # Configure logger +- logger = logging.getLogger(name) +- logger.setLevel(log_level) ++ if not os.path.isdir(log_dir): ++ os.makedirs(log_dir) + + # Configure console handler + console = logging.StreamHandler() +@@ -63,7 +59,6 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): + '%(levelname)-8s ' + + '%(indent)s%(message)s') + console.setFormatter(console_format) +- logger.addHandler(console) + + # Configure file handler + log_file = logging.FileHandler(log_dir + "/" + log_name, 'w') +@@ -73,6 +68,15 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): + '%(indent)s%(message)s', + '%Y-%m-%d %H:%M:%S') + log_file.setFormatter(file_format) +- logger.addHandler(log_file) + +- return logger ++ # Configure 
pkispawn/pkidestroy logger ++ config.pki_log = logging.getLogger(name) ++ config.pki_log.setLevel(log_level) ++ config.pki_log.addHandler(console) ++ config.pki_log.addHandler(log_file) ++ ++ # Configure pki logger ++ logger = logging.getLogger('pki') ++ logger.setLevel(log_level) ++ logger.addHandler(console) ++ logger.addHandler(log_file) +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 23feba1..4df74a4 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -195,16 +195,11 @@ def main(argv): + deployer.log_timestamp + "." + "log" + print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name)) + +- rv = pkilogging.enable_pki_logger(config.pki_log_dir, +- config.pki_log_name, +- config.pki_log_level, +- config.pki_console_log_level, +- "pkidestroy") +- if rv != OSError: +- config.pki_log = rv +- else: +- print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir) +- sys.exit(1) ++ pkilogging.enable_pki_logger(config.pki_log_dir, ++ config.pki_log_name, ++ config.pki_log_level, ++ config.pki_console_log_level, ++ "pkidestroy") + + # Read the specified PKI configuration file. + rv = parser.read_pki_configuration_file() +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 052edb4..b2ac8b4 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -651,16 +651,12 @@ def start_logging(): + "-" + "spawn" + "." + \ + deployer.log_timestamp + "." 
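Review bot: With `enable_pki_logger` now letting the `os.makedirs(log_dir)` OSError propagate (hunk `@@ -46,15 +48,9 @@`), the pkidestroy hunk `@@ -195,16 +195,11 @@` and the pkispawn hunk `@@ -651,16 +651,12 @@` also drop the `PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1` message and the `sys.exit(1)`, so an unwritable log directory now ends the tool with a raw traceback instead of the earlier one-line error. Wrapping the call in both callers, e.g. `except OSError: print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir); sys.exit(1)`, keeps that behaviour (the old `return OSError` class sentinel was itself the bug, which the commit rightly removes). The function also now configures `config.pki_log` and the `pki` logger as a side effect and returns nothing; a second call would attach a second console and file handler to the `pki` logger, so a docstring such as `"""Configure the pkispawn/pkidestroy logger and the shared 'pki' logger; call once per process."""` would make that contract visible. The `main` and `start_logging` bodies in the two callers start before their hunks.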
+ "log" + print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name)) +- rv = pkilogging.enable_pki_logger(config.pki_log_dir, +- config.pki_log_name, +- config.pki_log_level, +- config.pki_console_log_level, +- "pkispawn") +- if rv != OSError: +- config.pki_log = rv +- else: +- print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir) +- sys.exit(1) ++ ++ pkilogging.enable_pki_logger(config.pki_log_dir, ++ config.pki_log_name, ++ config.pki_log_level, ++ config.pki_console_log_level, ++ "pkispawn") + + + def create_master_dictionary(parser): +-- +1.8.3.1 + + +From e5278b1633c9fd2df170291349fc0c07d91fd1d5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 Jan 2018 03:25:11 +0100 +Subject: [PATCH 10/18] Added pki.nssdb logger. + +To help troubleshooting, the pki.nssdb module has been modified to +generate debug logs using the standard Python logger. + +https://pagure.io/dogtagpki/issue/2916 + +Change-Id: Iba74df01fd796fa9fe5fa48f117721d790b7337c +(cherry picked from commit 2660c8cae34451d6525a481d60075b1749f344c2) +(cherry picked from commit 9431707fb93c000dcdd0eb89516dfc09bd5e55ac) +--- + base/common/python/pki/nssdb.py | 35 +++++++++++++++++++++++++++++++---- + 1 file changed, 31 insertions(+), 4 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index b2339aa..60f57c7 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -22,6 +22,7 @@ + + from __future__ import absolute_import + import base64 ++import logging + import os + import shutil + import subprocess +@@ -42,6 +43,10 @@ CERT_FOOTER = '-----END CERTIFICATE-----' + PKCS7_HEADER = '-----BEGIN PKCS7-----' + PKCS7_FOOTER = '-----END PKCS7-----' + ++logger = logging.LoggerAdapter( ++ logging.getLogger(__name__), ++ extra={'indent': ''}) ++ + + def convert_data(data, input_format, output_format, header=None, footer=None): + if input_format == output_format: +@@ -173,8 +178,11 @@ class 
NSSDatabase(object): + '-t', '' + ] + +- # Ignore return code due to bug #1393668. +- subprocess.call(cmd) ++ logger.debug('Command: %s', ' '.join(cmd)) ++ rc = subprocess.call(cmd) ++ ++ if rc: ++ logger.warning('certutil returned non-zero exit code (bug #1393668)') + + # If HSM is not used, or cert has trust attributes, + # import cert into internal token. +@@ -189,6 +197,7 @@ class NSSDatabase(object): + '-t', trust_attributes + ] + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + def add_ca_cert(self, cert_file, trust_attributes=None): +@@ -209,6 +218,7 @@ class NSSDatabase(object): + if trust_attributes: + cmd.extend(['--trust', trust_attributes]) + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + def modify_cert(self, nickname, trust_attributes): +@@ -227,15 +237,19 @@ class NSSDatabase(object): + '-t', trust_attributes + ]) + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + def create_noise(self, noise_file, size=2048): +- subprocess.check_call([ ++ cmd = [ + 'openssl', + 'rand', + '-out', noise_file, + str(size) +- ]) ++ ] ++ ++ logger.debug('Command: %s', ' '.join(cmd)) ++ subprocess.check_call(cmd) + + def create_request(self, subject_dn, request_file, noise_file=None, + key_type=None, key_size=None, curve=None, +@@ -359,6 +373,8 @@ class NSSDatabase(object): + + cmd.append(','.join(exts)) + ++ logger.debug('Command: %s', ' '.join(cmd)) ++ + # generate binary request + p = subprocess.Popen(cmd, + stdin=subprocess.PIPE, +@@ -553,6 +569,8 @@ class NSSDatabase(object): + + keystroke += '\n' + ++ logger.debug('Command: %s', ' '.join(cmd)) ++ + p = subprocess.Popen(cmd, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, +@@ -625,6 +643,7 @@ class NSSDatabase(object): + '-d', self.directory + ] + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + def get_cert(self, nickname, output_format='pem'): +@@ -656,6 +675,8 @@ class NSSDatabase(object): + 
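Review bot: Every `logger.debug('Command: %s', ' '.join(cmd))` added in nssdb.py (from the `@@ -173,8 +178,11 @@` hunk through the `@@ -952,6 +978,7 @@` hunk) writes the full argv of the certutil, pk12util and openssl invocations, and since the `pki` logger now receives the pkispawn file handler, those lines land in the deployment log on disk. Not every `cmd` is visible in the hunks, but if any of these command lines carries a password, PIN or passphrase as an argument rather than a path to a password file (the PKCS12 import/export hunks around `@@ -889` and `@@ -952` are the ones to check), the secret is written to the log at DEBUG level. Either confirm each command only references password files, or route the debug line through a small helper that blanks the value following the known sensitive options before joining, e.g. `logger.debug('Command: %s', ' '.join(redact(cmd)))`. Unrelated to secrets, `' '.join(cmd)` also loses quoting, so an argument containing a space cannot be reproduced from the log; `subprocess.list2cmdline(cmd)` keeps it faithful.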
output_format_option + ]) + ++ logger.debug('Command: %s', ' '.join(cmd)) ++ + pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + cert_data, std_err = pipes.communicate() +@@ -693,6 +714,8 @@ class NSSDatabase(object): + '-n', fullname + ]) + ++ logger.debug('Command: %s', ' '.join(cmd)) ++ + cert_details = subprocess.check_output( + cmd, stderr=subprocess.STDOUT) + cert_pem = subprocess.check_output( +@@ -743,6 +766,7 @@ class NSSDatabase(object): + '-n', nickname + ]) + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + def import_cert_chain(self, nickname, cert_chain_file, +@@ -816,6 +840,7 @@ class NSSDatabase(object): + '--output-suffix', suffix + ] + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + # Count the number of certs in the chain. +@@ -889,6 +914,7 @@ class NSSDatabase(object): + if overwrite: + cmd.extend(['--overwrite']) + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + finally: +@@ -952,6 +978,7 @@ class NSSDatabase(object): + if nicknames: + cmd.extend(nicknames) + ++ logger.debug('Command: %s', ' '.join(cmd)) + subprocess.check_call(cmd) + + finally: +-- +1.8.3.1 + + +From f5781c6df5a35c23512dff6e538a5dc3811a7e2f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 Jan 2018 03:27:38 +0100 +Subject: [PATCH 11/18] Fixed NSSDatabase.get_cert(). + +The NSSDatabase.get_cert() method has been modified to ignore the +certutil exit code due to bug #1539996. 
+
+https://pagure.io/dogtagpki/issue/2916
+
+Change-Id: I10e489d14bdaaace9f917b797a7da14ac64a9a67
+(cherry picked from commit bde116f2ce0482a1597486010e68fb7706ddd97c)
+(cherry picked from commit 6cc361d6c5776b96037910d6bc0811d145f725db)
+---
+ base/common/python/pki/nssdb.py | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index 60f57c7..f32121e 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -33,7 +33,6 @@ import datetime
+ from cryptography import x509
+ from cryptography.hazmat.backends import default_backend
+ 
+-
+ CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
+ CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
+ 
+@@ -677,17 +676,26 @@ class NSSDatabase(object):
+ 
+ logger.debug('Command: %s', ' '.join(cmd))
+ 
+- pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE,
+- stderr=subprocess.PIPE)
+- cert_data, std_err = pipes.communicate()
++ p = subprocess.Popen(cmd,
++ stdout=subprocess.PIPE,
++ stderr=subprocess.PIPE)
++
++ cert_data, std_err = p.communicate()
+ 
+- if pipes.returncode != 0:
++ if std_err:
+ # certutil returned an error
+ # raise exception unless its not cert not found
+ if std_err.startswith('certutil: Could not find cert: '):
+ return None
+ 
+- raise Exception(std_err.strip())
++ raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))
++
++ if not cert_data:
++ # certutil did not return data
++ return None
++
++ if p.returncode != 0:
++ logger.warning('certutil returned non-zero exit code (bug #1539996)')
+ 
+ if output_format == 'base64':
+ cert_data = base64.b64encode(cert_data)
+--
+1.8.3.1
+
+
+From 4498d77e9b6b220d364094ea8222b70453f9ca9a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Tue, 30 Jan 2018 16:56:21 +0100
+Subject: [PATCH 12/18] Fixed NSSDatabase.get_cert_info(). 
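Review bot: In the `@@ -677,17 +676,26 @@` hunk the new `raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))` is reached only when stderr does not start with `certutil: Could not find cert: ` — the not-found case already returned None on the line above — so the message mislabels every other certutil failure (wrong password, unreadable database, missing token) as a missing certificate. `raise Exception('certutil failed for %s: %s' % (fullname, std_err.strip()))` describes what actually happened. Changing the failure test from `returncode != 0` to `if std_err:` also means any warning certutil prints on stderr with a zero exit now raises, a behaviour change the commit message does not mention; if it is intended, a comment on the `if std_err:` line saying that any stderr output is treated as failure would help a later reader. The enclosing `get_cert` starts before the hunk.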
+ +The NSSDatabase.get_cert_info() has been modified to use get_cert() +to retrieve the cert since it has the workaround for bug #1539996. +Then it will use Python Cryptography to get the cert info. + +A new method has been added into pki module to convert X.509 Name +into NSS-style DN string. + +https://pagure.io/dogtagpki/issue/2916 + +Change-Id: I726e2c442e5b7f351dac2d9515e9f13965d7de3f +(cherry picked from commit d6a70005e314ba3d53e32886262c45a9d4544b5d) +(cherry picked from commit 9ad1d47bee65a76b878d6c2298e7bcbc345df31f) +--- + base/common/python/pki/__init__.py | 59 ++++++++++++++++++++++++++++++++++++++ + base/common/python/pki/nssdb.py | 44 ++++++---------------------- + 2 files changed, 67 insertions(+), 36 deletions(-) + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index dbe5629..f3aff51 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -26,6 +26,7 @@ from __future__ import print_function + + from functools import wraps + import os ++import cryptography.x509 + import random + import re + import string +@@ -51,6 +52,64 @@ CERT_FOOTER = "-----END CERTIFICATE-----" + # - backslash since it's causing SSL handshake failure + PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~' + ++# Map from X.509 attribute OID to short name. 
++# Source: https://github.com/freeipa/freeipa/blob/master/ipapython/dn.py ++ATTR_NAME_BY_OID = { ++ cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', ++ cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', ++ cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', ++ cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', ++ cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', ++ cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', ++ cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', ++ cryptography.x509.oid.NameOID.SURNAME: 'SN', ++ cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', ++ cryptography.x509.oid.NameOID.TITLE: 'title', ++ cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', ++ cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', ++ cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', ++ cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', ++ cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', ++ cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: ++ 'incorporationCountry', ++ cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: ++ 'incorporationLocality', ++ cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: ++ 'incorporationState', ++ cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', ++ cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', ++ cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode', ++ cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', ++} ++ ++ ++def convert_x509_name_to_dn(name): ++ """ ++ Convert X.509 Name into NSS-style DN string. ++ ++ See also: ++ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name ++ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.NameAttribute ++ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.ObjectIdentifier ++ ++ :param name: X.509 Name ++ :type name: cryptography.x509.Name ++ :returns: str -- DN string. 
++ """ ++ dn = None ++ ++ for attr in name: ++ oid = attr.oid ++ attr_name = ATTR_NAME_BY_OID.get(oid, oid.dotted_string) ++ rdn = '%s=%s' % (attr_name, attr.value) ++ ++ if dn: ++ dn = rdn + ',' + dn ++ else: ++ dn = rdn ++ ++ return dn ++ + + def read_text(message, + options=None, default=None, delimiter=':', +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index f32121e..7c2602e 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -27,12 +27,13 @@ import os + import shutil + import subprocess + import tempfile +-import re + import datetime + + from cryptography import x509 + from cryptography.hazmat.backends import default_backend + ++import pki ++ + CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----' + CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----' + +@@ -705,55 +706,26 @@ class NSSDatabase(object): + def get_cert_info(self, nickname): + + cert = dict() +- cmd = [ +- 'certutil', +- '-L', +- '-d', self.directory +- ] + +- fullname = nickname +- +- if self.token: +- cmd.extend(['-h', self.token]) +- fullname = self.token + ':' + fullname +- +- cmd.extend([ +- '-f', self.password_file, +- '-n', fullname +- ]) +- +- logger.debug('Command: %s', ' '.join(cmd)) +- +- cert_details = subprocess.check_output( +- cmd, stderr=subprocess.STDOUT) +- cert_pem = subprocess.check_output( +- cmd + ['-a'], stderr=subprocess.STDOUT) ++ cert_pem = self.get_cert(nickname) + + cert_obj = x509.load_pem_x509_certificate( + cert_pem, backend=default_backend()) + + cert["serial_number"] = cert_obj.serial_number + +- cert["issuer"] = re.search( +- r'Issuer:(.*)', cert_details).group(1).strip().replace('"', '') +- cert["subject"] = re.search( +- r'Subject:(.*)', cert_details).group(1).strip().replace('"', '') +- +- str_not_before = re.search( +- r'Not Before.?:(.*)', cert_details).group(1).strip() +- cert["not_before"] = self.convert_time_to_millis(str_not_before) ++ cert["issuer"] = 
pki.convert_x509_name_to_dn(cert_obj.issuer) ++ cert["subject"] = pki.convert_x509_name_to_dn(cert_obj.subject) + +- str_not_after = re.search( +- r'Not After.?:(.*)', cert_details).group(1).strip() +- cert["not_after"] = self.convert_time_to_millis(str_not_after) ++ cert["not_before"] = self.convert_time_to_millis(cert_obj.not_valid_before) ++ cert["not_after"] = self.convert_time_to_millis(cert_obj.not_valid_after) + + return cert + + @staticmethod + def convert_time_to_millis(date): + epoch = datetime.datetime.utcfromtimestamp(0) +- stripped_date = datetime.datetime.strptime(date, "%a %b %d %H:%M:%S %Y") +- return (stripped_date - epoch).total_seconds() * 1000 ++ return (date - epoch).total_seconds() * 1000 + + def remove_cert(self, nickname, remove_key=False): + +-- +1.8.3.1 + + +From 6829dde05fd27555a0e8f1de278c7013e5d22073 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Wed, 31 Jan 2018 17:01:55 -0700 +Subject: [PATCH 13/18] Enable FIPS ciphers as the new default cipher suites + +https://pagure.io/dogtagpki/issue/2855 + +Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37 +(cherry picked from commit 8f3700681ea2cbcc3dbe0c768dca177051e9a243) +(cherry picked from commit 427edd6d16d7d74bb98bb0cda7c0bf67a4463bb9) +--- + .../python/pki/server/deployment/pkiparser.py | 16 ++-- + base/server/share/conf/ciphers.info | 105 ++++++++++++++++----- + 2 files changed, 87 insertions(+), 34 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index b91c674..b64e99b 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1111,7 +1111,7 @@ class PKIConfigParser: + self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \ + self.mdict['pki_tomcat_server_port'] + self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \ +- "tls1_0:tls1_2" ++ "tls1_1:tls1_2" + self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ + 
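Review bot: `cert_pem = self.get_cert(nickname)` can now be `None` (get_cert returns None when certutil reports the cert missing or emits no data) and the next line hands that straight to `x509.load_pem_x509_certificate`, which fails with a TypeError instead of a message naming the nickname; the `check_output` call this replaces raised CalledProcessError with certutil's text. Add an explicit guard, `if not cert_pem: raise Exception('Could not find cert: %s' % nickname)`, or return None and document that in a docstring (get_cert_info has none). The call also assumes get_cert's default output format is PEM; a one-line comment stating that, or passing the format explicitly, would keep a later change to get_cert's default from breaking this silently.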
"tls1_1:tls1_2" + ## +@@ -1171,18 +1171,18 @@ class PKIConfigParser: + "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ + "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ + "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ +- "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ +- "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ +- "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index 70d704c..b3e74d3 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -6,67 +6,120 @@ + # + # This file contains the default sslRangeCiphers that come with this version of + # the PKI software in its /conf/server.xml file. ++# + # Depending on which kind of SSL server you have, you want to reference the +-# corresponding cipher suite for making adjustments to your instance server.xml. ++# corresponding cipher suite for making adjustments to your instance ++# server.xml. 
+ # + # + # About the TLS range related parameters: ++# + # 'sslVersionRangeStream' + # 'sslVersionRangeDatagram' + # 'sslRangeCiphers' +-# The sslVersionRangeStream and sslVersionRangeDatagram by default +-# contains values that are supported by the native NSS. Changes can +-# be made to restrict or relax the support. +-# The sslRangeCiphers by default conatins a list of ciphers best +-# for the type of the server installed. Changes can be made to suit +-# each site's needs. +-# Although TLS1.2 ciphers (SHA256) are preferred, many older clients +-# do not support them. For example, +-# the following "preferred modern" ciphers are on by default, and by +-# simply limiting the sslVersionRange* parameters, they can be turned off. ++# ++# The default sslVersionRangeStream and sslVersionRangeDatagram ++# parameters contain values that are supported by the native NSS. ++# Changes can be made to restrict or relax the support. ++# ++# The default sslRangeCiphers parameter contains a list of ciphers best ++# suited for the type of the server installed. Changes can be made to ++# suit each site's needs. ++# ++# Although TLS1.2 ciphers (SHA256) are preferred, many older clients ++# do not support them. For example, the following "preferred modern" ++# ciphers are on by default, and by simply limiting the ++# sslVersionRange* parameters, they can be turned off. ++# + # TLS_RSA_WITH_AES_128_CBC_SHA256, + # TLS_RSA_WITH_AES_256_CBC_SHA256, + # TLS_RSA_WITH_AES_128_GCM_SHA256, + # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++# + # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, + # which, while provide added security to the already secure and adequate +-# TLS_RSA_* ciphers, requries 3 times longer to establish SSL sessions. ++# TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions. + # In our testing environment, some HSM might also have issues providing + # subsystem->subsystem SSL handshake. 
We are therefore turning them + # off by default. One can enable them manually by turning the "-" to + # "+" under sslRangeCiphers and restart the subsystem. ++# + # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +-# The following ciphers are supported in rhel7.2 or greater, and they +-# are off by default, and can be turned on by sites running rhel7.2 or +-# greater: ++# ++# The following ciphers are supported in RHEL 7.2 or greater, and ++# are turned on by default. They can be turned off by sites running ++# older versions of RHEL: ++# + # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + # TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + # TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + # TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 +-# Although the following (somewhat weaker ciphers, in CBC mode), though +-# adaquate for the CS operations, they can be turned off if needed: ++# ++# The following somewhat weaker ciphers (in CBC mode), though ++# adequate for the CS operations, can be turned off if so desired: ++# + # TLS_RSA_WITH_AES_128_CBC_SHA, + # TLS_RSA_WITH_AES_256_CBC_SHA, ++# + # Note: In an EC CS server setup, you will see by default that the +-# following RSA ciphers are left on. Those are used for installation +-# where the actual systems certs have not yet been crated, and a +-# temporary RSA ssl server cert is at play. +-# Those can be turned off manually by sites. +-# TLS_RSA_WITH_AES_256_CBC_SHA256, +-# TLS_RSA_WITH_AES_128_GCM_SHA256 +-# These ciphers might be removed by the installation script in some +-# future release. ++# following RSA ciphers are left on. Those are used for ++# installation where the actual systems certs have not yet been ++# created, and a temporary RSA ssl server cert is at play. ++# ++# Those can be turned off manually by sites. 
++# ++# TLS_RSA_WITH_AES_256_CBC_SHA256, ++# TLS_RSA_WITH_AES_128_GCM_SHA256 ++# ++# These ciphers might be removed by the installation script in ++# some future release. ++# ++# For RHEL 7.5 or greater: ++# ++# * all '3DES' ciphers have been disabled, ++# * the default sslVersionRangeStream and ++# sslVersionRangeDatagram ranges have been upgraded to ++# only allow ciphers in the TLS1.1 to TLS1.2 range, and ++# * the default sslRangeCiphers values have been altered to ++# include all recommended 'FIPS' ciphers for both RSA and ECC ++# servers regardless of whether 'FIPS' is enabled or disabled ++# ++# Default ciphers enabled for RSA servers: ++# ++# +TLS_DHE_RSA_WITH_AES_128_CBC_SHA, ++# +TLS_DHE_RSA_WITH_AES_256_CBC_SHA, ++# +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, ++# +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ++# +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++# +TLS_RSA_WITH_AES_128_CBC_SHA256, ++# +TLS_RSA_WITH_AES_256_CBC_SHA256, ++# +TLS_RSA_WITH_AES_128_CBC_SHA, ++# +TLS_RSA_WITH_AES_256_CBC_SHA ++# ++# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA, ++# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain ++# enabled in order to talk to the LDAP server ++# during pkispawn installation/configuration. 
++# ++# Default ciphers enabled for ECC servers: ++# ++# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, ++# +TLS_RSA_WITH_AES_256_CBC_SHA, ++# +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, ++# +TLS_RSA_WITH_AES_256_CBC_SHA256, ++# +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ++# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + # + ## + # For RSA servers: +- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" + # + # + # For ECC servers: +-- +1.8.3.1 + + +From 8b5528c04e949be96641222e4f87b125fa4c2ca1 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Feb 2018 01:24:15 +0100 +Subject: [PATCH 14/18] Fixed inconsistent CERT_REQUEST_PROCESSED outcomes. + +Some CERT_REQUEST_PROCESSED events in ProcessCertReq have been +modified to generate a FAILURE outcome since there is no cert +issued for the request. 
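Review bot: The reworded commentary now contradicts the RSA default it documents: the "preferred modern ciphers ... are on by default" list still names `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` and `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, yet the new `sslRangeCiphers` string carries all three as `-`, and the RHEL 7.2 paragraph says `TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` is "turned on by default" while the RHEL 7.5 paragraph says all 3DES ciphers are disabled (the string agrees with the latter). Operators copy these values into server.xml, so the stale paragraphs should be corrected to match the string — drop the GCM/ECDHE entries from the "on by default" list and the 3DES line from the 7.2 list, or label each paragraph with the release it describes. A one-line note that the `TLS_RSA_*` suites provide no forward secrecy would also help sites deciding what to turn off.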
+ +https://pagure.io/dogtagpki/issue/2838 + +Change-Id: I38656f950599f06bd9969c278137fdd192e26ae8 +(cherry picked from commit 8319105ba04976494e05030ee5340b5879ad6a48) +(cherry picked from commit 5af21f519b7bbc6106ede549ed81974520e21e5d) +--- + .../cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +index bfa83b7..bb1a2a9 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java +@@ -966,7 +966,7 @@ public class ProcessCertReq extends CMSServlet { + // store a message in the signed audit log file + // (manual "agent" cert request processed + // - "accepted") +- audit(CertRequestProcessedEvent.createSuccessEvent( ++ audit(CertRequestProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + auditInfoName, +@@ -1087,7 +1087,7 @@ public class ProcessCertReq extends CMSServlet { + + // store a message in the signed audit log file + // (manual "agent" cert request processed - "rejected") +- audit(CertRequestProcessedEvent.createSuccessEvent( ++ audit(CertRequestProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + auditInfoName, +@@ -1145,7 +1145,7 @@ public class ProcessCertReq extends CMSServlet { + + // store a message in the signed audit log file + // (manual "agent" cert request processed - "cancelled") +- audit(CertRequestProcessedEvent.createSuccessEvent( ++ audit(CertRequestProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + auditInfoName, +-- +1.8.3.1 + + +From 6a049ee93e1311c32482289092f765bac09e09a4 Mon Sep 17 00:00:00 2001 +From: Ade Lee +Date: Thu, 1 Feb 2018 13:02:03 -0500 +Subject: [PATCH 15/18] More fixes for non-standard users + +Needed to fix some python 
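Review bot: The first hunk switches the "accepted" path to `createFailureEvent`, but the comment directly above still reads `// - "accepted")`, so an auditor reading the code sees an accepted request logged with Outcome=FAILURE and no explanation. Update the comment to carry the reasoning from the commit message, e.g. `// (manual "agent" cert request processed - "accepted", but no certificate was issued, so the outcome is FAILURE)`, and do the same for the "rejected" and "cancelled" comments in the other two hunks. Each `audit(...)` call continues outside its hunk, so whether a failure reason is passed to the new factory could not be checked here.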
code that was added that works only on Python 3. +The top level directories for the registry should be owned by +root and be world readable/executable so that different users +can read the registry. + +Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282 +cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11 + +(cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2) +--- + base/common/CMakeLists.txt | 12 ++++++++++++ + base/server/python/pki/server/deployment/pkihelper.py | 8 ++------ + .../server/deployment/scriptlets/infrastructure_layout.py | 14 ++++++++++---- + .../pki/server/deployment/scriptlets/instance_layout.py | 5 +++-- + 4 files changed, 27 insertions(+), 12 deletions(-) + +diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt +index d7856e1..3e8659d 100644 +--- a/base/common/CMakeLists.txt ++++ b/base/common/CMakeLists.txt +@@ -135,6 +135,18 @@ install( + + install( + DIRECTORY ++ DESTINATION ++ /etc/sysconfig/pki ++) ++ ++install( ++ DIRECTORY ++ DESTINATION ++ /etc/sysconfig/pki/tomcat ++) ++ ++install( ++ DIRECTORY + man/ + DESTINATION + ${MAN_INSTALL_DIR} +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 8195e28..79f1e57 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -1019,8 +1019,6 @@ class Instance: + raise + + def get_instance_status(self, secure_connection=True): +- pki_protocol = None +- pki_port = None + if secure_connection: + pki_protocol = "https" + pki_port = self.mdict['pki_https_port'] +@@ -2956,7 +2954,6 @@ class ServerCertNickConf: + try: + # overwrite value inside 'serverCertNick.conf' + with open(self.servercertnick_conf, "w") as fd: +- sslserver_nickname = None + if self.step_two: + # use final HSM name + sslserver_nickname = (self.token_name + ":" + +@@ -3581,7 +3578,7 @@ class Systemd(object): + if not parser.has_section(section): + 
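Review bot: `install(DIRECTORY DESTINATION /etc/sysconfig/pki)` relies on CMake's default directory mode to satisfy the root-owned, world readable/executable requirement stated in the commit message, so the build file does not express the property the multi-user registry depends on. Make it explicit on both entries: `install(DIRECTORY DESTINATION /etc/sysconfig/pki DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)`, with a comment that pkispawn no longer creates these directories when no prefix is used. Whether the RPM spec also claims them as `%dir` so they are package-owned is not visible here and should be confirmed.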
parser.add_section(section) + +- parser[section][param] = value ++ parser.set(section, param, value) + + def write_overrides(self): + for fname, parser in self.overrides.items(): +@@ -3589,7 +3586,7 @@ class Systemd(object): + if not os.path.exists(override_file): + self.create_override_file(override_file) + with open(override_file, 'w') as fp: +- parser.write(fp, space_around_delimiters=False) ++ parser.write(fp) + + def daemon_reload(self, critical_failure=True): + """PKI Deployment execution management lifecycle function. +@@ -4067,7 +4064,6 @@ class ConfigClient: + os.path.dirname(self.mdict['pki_admin_csr_path'])) + with open(self.mdict['pki_admin_csr_path'], "w") as f: + f.write("-----BEGIN CERTIFICATE REQUEST-----\n") +- admin_certreq = None + with open(os.path.join( + self.mdict['pki_client_database_dir'], + "admin_pkcs10.bin.asc"), "r") as f: +diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py +index 2573e4e..bfcca60 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py +@@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # registry directories for storage of a copy of the original + # deployment configuration file used to spawn this instance, + # and save a copy of this file +- deployer.directory.create(deployer.mdict['pki_registry_path']) +- deployer.directory.create( +- deployer.mdict['pki_instance_type_registry_path']) ++ # ++ # Unless a prefix is used, the top level directories should exist ++ # and be owned by the rpm ++ if deployer.mdict['pki_root_prefix'] != "": ++ deployer.directory.create(deployer.mdict['pki_registry_path']) ++ deployer.directory.create( ++ deployer.mdict['pki_instance_type_registry_path']) ++ + deployer.directory.create(deployer.mdict['pki_instance_registry_path']) + 
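Review bot: The drop-in written by `parser.write(fp)` is consumed by systemd, which is case-sensitive about directive names, so whether this rewrite works depends on the parser not lowercasing keys — ConfigParser's default `optionxform` turns `Environment` into `environment`, which systemd ignores. The parser is constructed outside this hunk, so confirm `parser.optionxform = str` is set there; it is a Python 2/3 portable fix consistent with the `parser.set` change above. Dropping `space_around_delimiters=False` only changes the output to `Key = Value`, which systemd tolerates; a comment on write_overrides stating that the file is read by systemd, not ConfigParser, would make both constraints obvious.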
deployer.directory.create( + deployer.mdict['pki_subsystem_registry_path']) +@@ -129,4 +134,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.delete( + deployer.mdict['pki_configuration_path']) + # remove top-level infrastructure registry +- deployer.directory.delete(deployer.mdict['pki_registry_path']) ++ if deployer.mdict['pki_root_prefix'] != "": ++ deployer.directory.delete(deployer.mdict['pki_registry_path']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 4eb5496..2095212 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -214,8 +214,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_instance_registry_path']) + # remove Tomcat PKI registry (if empty) + if deployer.instance.tomcat_instances() == 0: +- deployer.directory.delete( +- deployer.mdict['pki_instance_type_registry_path']) ++ if deployer.mdict['pki_root_prefix'] != "": ++ deployer.directory.delete( ++ deployer.mdict['pki_instance_type_registry_path']) + + + # Callback only when the /usr/share/pki/server/conf directory +-- +1.8.3.1 + + +From 63aca0e86b21de2673180d7d1e6c2a2750b2dc86 Mon Sep 17 00:00:00 2001 +From: Amol Kahat +Date: Fri, 28 Apr 2017 01:31:10 +0530 +Subject: [PATCH 17/18] Added man page for PKCS10Client + +(cherry picked from commit 774fbef5a913227c1764f6a29842771c3dc545ee) +--- + base/java-tools/man/man1/PKCS10Client.1 | 95 +++++++++++++++++++++++++++++++++ + 1 file changed, 95 insertions(+) + create mode 100644 base/java-tools/man/man1/PKCS10Client.1 + +diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1 +new file mode 100644 +index 0000000..e85c833 +--- /dev/null ++++ b/base/java-tools/man/man1/PKCS10Client.1 +@@ -0,0 +1,95 @@ ++.\" First 
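Review bot: With an empty `pki_root_prefix` the scriptlet no longer creates `pki_registry_path` and `pki_instance_type_registry_path`, so on a host where the package did not create them (a source install, or a prefix of `None`, which `!= ""` treats as "create") the following `deployer.directory.create(pki_instance_registry_path)` either fails or creates the parents with the deployer's ownership instead of root's — the very condition this commit is meant to avoid. Add an explicit precondition with a clear message, e.g. `if not os.path.isdir(deployer.mdict['pki_instance_type_registry_path']): raise Exception('registry directory missing; install the package or set pki_root_prefix')`, and consider `if deployer.mdict.get('pki_root_prefix'):` for the test. The same condition is repeated in the removal hunk and in instance_layout.py, so a short comment naming the rpm-ownership rule at each site, or one helper, would keep them from drifting.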
parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH PKCS10Client 1 "April 28, 2017" "version 10.4" "PKI PKCS10Client certificate request tool" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++PKCS10Client \- Used to generate 1024-bit RSA key pair in the security database. ++ ++.SH SYNOPSIS ++.PP ++\fBUsage: PKCS10Client -d -h -p -a -l -c -o -n \fP ++ ++Available ECC curve names (if provided by the crypto module): nistp256 (secp256r1), nistp384 (secp384r1), nistp521 (secp521r1), nistk163 (sect163k1), sect163r1,nistb163 (sect163r2), sect193r1, sect193r2, nistk233 (sect233k1), nistb233 (sect233r1), sect239k1, nistk283 (sect283k1), nistb283 (sect283r1), nistk409 (sect409k1), nistb409 (sect409r1), nistk571 (sect571k1), nistb571 (sect571r1), secp160k1, secp160r1, secp160r2, secp192k1, nistp192 (secp192r1, prime192v1), secp224k1, nistp224 (secp224r1), secp256k1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 ++ ++To get a certificate from the CA, the certificate request needs to be submitted to and approved by a CA agent. Once approved, a certificate is created for the request, and certificate attributes, such as extensions, are populated according to certificate profiles. 
++ ++Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator. ++ ++.SH DESCRIPTION ++.PP ++The PKCS #10 utility, \fBPKCS10Client\fP, generates a 1024-bit RSA key pair in the security database, constructs a PKCS#10 certificate request with the public key, and outputs the request to a file. ++.PP ++\fBPKCS #10\fP is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests. The Certificate System CA supports KEYGEN, PKCS#10, CRMF, and CMC. ++.PP ++ ++.SH OPTIONS ++.PP ++\fBPKCS10Client\fP parameters: ++.PP ++.TP ++.B -d ++The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files. This is usually the client's personal directory. ++ ++.TP ++.B -h ++Name of the token. By default it takes 'internal'. ++ ++.TP ++.B -p ++The password to the token. ++ ++.TP ++.B -l ++The algorithm type either 'rsa' or 'ec'. By default it takes 'rsa'. ++ ++.TP ++.B -c ++Eleptic Curve cryptography curve name. ++.TP ++.B -o ++Sets the path and filename to output the new PKCS #10 certificate in base64 format. ++ ++.TP ++.B -n ++Gives the subject DN of the certificate. ++ ++.TP ++.B -k ++ ++.TP ++.B -t ++ ++.TP ++.B -s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1> ++ ++.TP ++.B -e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1> ++ ++ ++.TP Also optional for ECC key generation: ++ ++.TP ++.B -x ++ ++.TP ++.B -y ++ ++.SH AUTHORS ++Amol Kahat . ++ ++.SH COPYRIGHT ++Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-snapshot-3.patch b/SOURCES/pki-core-10.5.1-snapshot-3.patch new file mode 100644 index 0000000..9ad4c45 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-snapshot-3.patch 
@@ -0,0 +1,1955 @@ +From 73fe8961f585f2948c796fe0cf94aac25982b75a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Feb 2018 22:31:42 +0100 +Subject: [PATCH 1/9] Refactored SecurityDataArchivalProcessedEvent. + +The SecurityDataArchivalProcessedEvent has been modified to provide +separate factory methods for SUCCESS and FAILURE events. + +https://pagure.io/dogtagpki/issue/2848 + +Change-Id: Ie102aabaa81553ac1ea6963841a0568f1b6e04a5 +(cherry picked from commit c1f607dc515f1b37a848a8b013d02f9d366e5402) +(cherry picked from commit f2d828681d8b40e4d801af8d3bd5a6d6aaf71391) +--- + .../event/SecurityDataArchivalProcessedEvent.java | 49 +++++++--- + .../src/com/netscape/kra/EnrollmentService.java | 4 +- + .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +-- + .../src/com/netscape/kra/NetkeyKeygenService.java | 6 +- + .../com/netscape/kra/SecurityDataProcessor.java | 102 +++++++++++++-------- + 5 files changed, 112 insertions(+), 60 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +index dd88b45..2d87ece 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +@@ -18,6 +18,7 @@ + package com.netscape.certsrv.logging.event; + + import com.netscape.certsrv.dbs.keydb.KeyId; ++import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.SignedAuditEvent; + import com.netscape.certsrv.request.RequestId; + +@@ -28,9 +29,33 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent { + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"; + +- public SecurityDataArchivalProcessedEvent( ++ public SecurityDataArchivalProcessedEvent() { ++ 
super(LOGGING_PROPERTY); ++ } ++ ++ public static SecurityDataArchivalProcessedEvent createSuccessEvent( ++ String subjectID, ++ String archivalRequestId, ++ RequestId requestID, ++ String clientKeyID, ++ KeyId keyID, ++ String pubkey) { ++ ++ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent(); ++ ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ event.setAttribute("ArchivalRequestID", archivalRequestId); ++ event.setAttribute("RequestId", requestID); ++ event.setAttribute("ClientKeyID", clientKeyID); ++ event.setAttribute("KeyID", keyID); ++ event.setAttribute("PubKey", pubkey); ++ ++ return event; ++ } ++ ++ public static SecurityDataArchivalProcessedEvent createFailureEvent( + String subjectID, +- String outcome, + String archivalRequestId, + RequestId requestID, + String clientKeyID, +@@ -38,15 +63,17 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent { + String failureReason, + String pubkey) { + +- super(LOGGING_PROPERTY); ++ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent(); ++ ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.FAILURE); ++ event.setAttribute("ArchivalRequestID", archivalRequestId); ++ event.setAttribute("RequestId", requestID); ++ event.setAttribute("ClientKeyID", clientKeyID); ++ event.setAttribute("KeyID", keyID); ++ event.setAttribute("FailureReason", failureReason); ++ event.setAttribute("PubKey", pubkey); + +- setAttribute("SubjectID", subjectID); +- setAttribute("Outcome", outcome); +- setAttribute("ArchivalRequestID", archivalRequestId); +- setAttribute("RequestId", requestID); +- setAttribute("ClientKeyID", clientKeyID); +- setAttribute("KeyID", keyID); +- setAttribute("FailureReason", failureReason); +- setAttribute("PubKey", pubkey); ++ return event; + } + } +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java 
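Review bot: The new public no-argument constructor in `SecurityDataArchivalProcessedEvent` lets any caller build an event with no Outcome, SubjectID or RequestId attributes, bypassing the two factories that are now the only places those attributes are set. Unless a subclass or external caller depends on it (none is visible here), `private SecurityDataArchivalProcessedEvent() {` keeps `createSuccessEvent`/`createFailureEvent` as the single entry points and prevents an audit record from being logged without an outcome. A one-line Javadoc on each factory stating which attributes it populates would also help, since `createSuccessEvent` deliberately omits FailureReason.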
b/base/kra/src/com/netscape/kra/EnrollmentService.java +index 93493fe..ee8a754 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -602,14 +602,12 @@ public class EnrollmentService implements IService { + + // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); +- signedAuditLogger.log(new SecurityDataArchivalProcessedEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( + auditSubjectID, +- ILogger.SUCCESS, + auditRequesterID, + requestId, + null, + new KeyId(rec.getSerialNumber()), +- null, + auditPublicKey)); + + // Xxx - should sign this proof of archival +diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +index 964a73c..05c7e71 100644 +--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java ++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +@@ -59,8 +59,8 @@ import com.netscape.certsrv.kra.IKeyService; + import com.netscape.certsrv.listeners.EListenersException; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogEvent; +-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; + import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; + import com.netscape.certsrv.request.ARequestNotifier; +@@ -783,19 +783,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove + queue.processRequest(r); + } + +- audit(new SecurityDataArchivalProcessedEvent( ++ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent( + auditSubjectID, +- ILogger.SUCCESS, + auditRequesterID, + r.getRequestId(), + null, + 
new KeyId(rec.getSerialNumber()), +- null, + auditPublicKey)); ++ + } catch (EBaseException eAudit1) { +- audit(new SecurityDataArchivalProcessedEvent( ++ ++ audit(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, +- ILogger.FAILURE, + auditRequesterID, + r.getRequestId(), + null, +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 1cd827f..052c289 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -50,8 +50,8 @@ import com.netscape.certsrv.dbs.keydb.KeyId; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogEvent; +-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; ++import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; + import com.netscape.certsrv.logging.event.SecurityDataExportEvent; + import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent; + import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent; +@@ -495,14 +495,12 @@ public class NetkeyKeygenService implements IService { + storage.addKeyRecord(rec); + CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); + +- audit(new SecurityDataArchivalProcessedEvent( ++ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent( + agentId, +- ILogger.SUCCESS, + auditSubjectID, + request.getRequestId(), + null, + new KeyId(serialNo), +- null, + PubKey)); + } //if archive + +diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +index 8de1311..5a64530 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +@@ -40,7 
+40,6 @@ import com.netscape.certsrv.key.KeyRequestResource; + import com.netscape.certsrv.kra.EKRAException; + import com.netscape.certsrv.kra.IKeyRecoveryAuthority; + import com.netscape.certsrv.logging.ILogger; +-import com.netscape.certsrv.logging.LogEvent; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; +@@ -121,8 +120,16 @@ public class SecurityDataProcessor { + + //Check here even though restful layer checks for this. + if (clientKeyId == null || dataType == null) { +- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, "Bad data in request"); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ "Bad data in request", ++ null)); ++ + throw new EBaseException("Bad data in SecurityDataService.serviceRequest"); + } + +@@ -237,14 +244,29 @@ public class SecurityDataProcessor { + privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params); + doEncrypt = true; + } else { // We have no data. 
+- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, "Failed to create security data to archive"); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ "Failed to create security data to archive", ++ null)); ++ + throw new EBaseException("Failed to create security data to archive!"); + } + } catch (Exception e) { + CMS.debug("Failed to create security data to archive: " + e.getMessage()); +- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), ++ null)); + + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); + } finally { +@@ -269,8 +291,16 @@ public class SecurityDataProcessor { + //Now we need a serial number for our new key. 
+ + if (rec.getSerialNumber() != null) { +- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE")); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ CMS.getUserMessage("CMS_KRA_INVALID_STATE"), ++ null)); ++ + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + +@@ -279,8 +309,16 @@ public class SecurityDataProcessor { + if (serialNo == null) { + kra.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); +- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, "Failed to get next Key ID"); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ "Failed to get next Key ID", ++ null)); ++ + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + +@@ -302,8 +340,16 @@ public class SecurityDataProcessor { + } catch (Exception e) { + kra.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); +- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, +- clientKeyId, null, "Failed to store wrapping parameters"); ++ ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, ++ null, ++ "Failed to store wrapping parameters", ++ null)); ++ + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); + } + +@@ -311,8 +357,13 @@ public class SecurityDataProcessor { + + keyRepository.addKeyRecord(rec); + +- auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId, +- clientKeyId, new KeyId(serialNo), "None"); ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( ++ auditSubjectID, ++ null, ++ requestId, ++ clientKeyId, 
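Review bot: Every failure and success event in these hunks passes `null` as the archivalRequestId argument (the `ArchivalRequestID` attribute), so the signed audit record written by `SecurityDataProcessor` never identifies the requester, whereas the same event built in `EnrollmentService` passes `auditRequesterID`. The removed `auditArchivalRequestProcessed` helper also passed null, so this is carried over rather than introduced, but the refactor is the natural place to fix it: if a requester identity is available in the enclosing method (which starts outside the hunk), pass it instead of `null`; if it is genuinely unavailable, a comment such as `null, // ArchivalRequestID: no requester ID available on this path` would make that explicit. The success event additionally records `null` for pubkey where `EnrollmentService` records `auditPublicKey`.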
++ new KeyId(serialNo),
++ null));
+ 
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+@@ -852,25 +903,4 @@ public class SecurityDataProcessor {
+ 
+ return retData;
+ }
+-
+- private void audit(String msg) {
+- signedAuditLogger.log(msg);
+- }
+-
+- protected void audit(LogEvent event) {
+- signedAuditLogger.log(event);
+- }
+-
+- private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+- KeyId keyID, String reason) {
+- audit(new SecurityDataArchivalProcessedEvent(
+- subjectID,
+- status,
+- null,
+- requestID,
+- clientKeyID,
+- keyID,
+- reason,
+- null));
+- }
+ }
+--
+1.8.3.1
+
+
+From 0347843054e0a977826c4d7b50260e9f711190a9 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Thu, 1 Feb 2018 22:48:29 +0100
+Subject: [PATCH 2/9] Changed audit event types in EnrollmentService.
+
+The EnrollmentService has been modified to generate
+SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED instead of.
+SECURITY_DATA_ARCHIVAL_REQUEST.
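Review bot: The hunk removes `protected void audit(LogEvent event)` from `SecurityDataProcessor`, which is a source-incompatible change for any subclass that overrides or calls it; within this file every caller was replaced by `signedAuditLogger.log(...)`, but subclasses elsewhere are not visible here. If the class is extended anywhere, keep the method as a thin delegate, `protected void audit(LogEvent event) { signedAuditLogger.log(event); }`, or mark it `@Deprecated` for one release before deleting it. The unused `private void audit(String msg)` can go without concern.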
+ +https://pagure.io/dogtagpki/issue/2848 + +Change-Id: I63017c4d9c058daac92fe606f0096402ca78b6ec +(cherry picked from commit 3c4770d520d6dab967bdba1b67b638c81a959e48) +(cherry picked from commit a30eee31512022a1a419bb949f912b08419ddf8d) +--- + .../src/com/netscape/kra/EnrollmentService.java | 74 +++++++++++++--------- + 1 file changed, 44 insertions(+), 30 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java +index ee8a754..20d68ff 100644 +--- a/base/kra/src/com/netscape/kra/EnrollmentService.java ++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java +@@ -51,7 +51,6 @@ import com.netscape.certsrv.kra.ProofOfArchival; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; +-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; + import com.netscape.certsrv.profile.IEnrollProfile; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.IService; +@@ -203,12 +202,14 @@ public class EnrollmentService implements IService { + + } catch (IOException e) { + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); +@@ -250,12 +251,14 @@ public class EnrollmentService implements IService { + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); 
++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); +@@ -288,12 +291,14 @@ public class EnrollmentService implements IService { + String message = CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"); + mKRA.log(ILogger.LL_FAILURE, message); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- message)); ++ null, ++ message, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + message); +@@ -329,12 +334,14 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_DEBUG, e.getMessage()); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); +@@ -357,12 +364,14 @@ public class EnrollmentService implements IService { + jssSubsystem.obscureBytes(unwrapped); + mKRA.log(ILogger.LL_FAILURE, e.toString()); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + e, e); +@@ -383,12 +392,14 @@ public class EnrollmentService implements IService { + String message = CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"); + mKRA.log(ILogger.LL_FAILURE, message); + +- 
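Review bot: The FailureReason attribute in these failure events is now `e.toString()`, which writes the exception class name and raw message into the signed audit log; the equivalent failure path in `SecurityDataProcessor` in the same patch series records the localized `CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")` instead. Using the same user message here keeps the audit vocabulary stable for log consumers and keeps implementation details out of the tamper-evident log, while the exception itself is still chained into the thrown `EKRAException` and, on several of these paths, already written to the system log via `mKRA.log`. If the raw text is wanted for forensics, `e.getMessage()` is narrower than `toString()`.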
signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- message)); ++ null, ++ message, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + message); +@@ -419,12 +430,14 @@ public class EnrollmentService implements IService { + mKRA.log(ILogger.LL_DEBUG, e.getMessage()); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); +@@ -450,12 +463,14 @@ public class EnrollmentService implements IService { + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); + } catch (InvalidKeyException e) { + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + e, e); +@@ -499,12 +514,14 @@ public class EnrollmentService implements IService { + String message = CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec.getSerialNumber().toString()); + mKRA.log(ILogger.LL_FAILURE, message); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- message)); ++ null, ++ message, ++ null)); + + throw new EKRAException( + 
CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message); +@@ -521,12 +538,14 @@ public class EnrollmentService implements IService { + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- e)); ++ null, ++ e.toString(), ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + e, e); +@@ -539,12 +558,14 @@ public class EnrollmentService implements IService { + String message = CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"); + mKRA.log(ILogger.LL_FAILURE, message); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( ++ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( + auditSubjectID, + auditRequesterID, + requestId, + null, +- message)); ++ null, ++ message, ++ null)); + + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message); +@@ -594,13 +615,6 @@ public class EnrollmentService implements IService { + "serial number: 0x" + serialNo.toString(16) } + ); + +- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createSuccessEvent( +- auditSubjectID, +- auditRequesterID, +- requestId, +- null)); +- +- // store a message in the signed audit log file + auditPublicKey = auditPublicKey(rec); + signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( + auditSubjectID, +-- +1.8.3.1 + + +From 138f1464d072690f9efb6f55c6c3ac297fb098d8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 2 Feb 2018 21:54:01 +0100 +Subject: [PATCH 3/9] Fixed try-catch block in + NetkeyKeygenService.serviceRequest(). + +The try-catch block in NetkeyKeygenService.serviceRequest() has +been fixed to return false on exception. 
It also has been split +into two blocks. + +https://pagure.io/dogtagpki/issue/2848 + +Change-Id: Ia78bd5371720dc551c2470898d83597d554183b7 +(cherry picked from commit 4d54490f7fec01a6c5bc113f5f48f1d08e8b47a5) +(cherry picked from commit 70dff0d5d4b68f17058d30338bfebf81bbf96fa6) +--- + .../kra/src/com/netscape/kra/NetkeyKeygenService.java | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 052c289..17ac66d 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -65,7 +65,6 @@ import com.netscape.cms.logging.SignedAuditLogger; + import com.netscape.cms.servlet.key.KeyRecordParser; + import com.netscape.cmscore.dbs.KeyRecord; + import com.netscape.cmscore.security.JssSubsystem; +-import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Utils; + +@@ -279,8 +278,10 @@ public class NetkeyKeygenService implements IService { + + return false; + } ++ + CMS.debug("NetkeyKeygenService: finished generate key pair for " + rCUID + ":" + rUserid); + ++ java.security.PrivateKey privKey; + try { + publicKeyData = keypair.getPublic().getEncoded(); + if (publicKeyData == null) { +@@ -309,8 +310,7 @@ public class NetkeyKeygenService implements IService { + PubKey)); + + //...extract the private key handle (not privatekeydata) +- java.security.PrivateKey privKey = +- keypair.getPrivate(); ++ privKey = keypair.getPrivate(); + + if (privKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +@@ -386,6 +386,13 @@ public class NetkeyKeygenService implements IService { + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + ++ } catch (Exception e) { ++ CMS.debug(e); ++ request.setExtData(IRequest.RESULT, 
Integer.valueOf(4)); ++ return false; ++ } ++ ++ try { + /* + * archival - option flag "archive" controllable by the caller - TPS + */ +@@ -505,11 +512,13 @@ public class NetkeyKeygenService implements IService { + } //if archive + + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); ++ + } catch (Exception e) { +- CMS.debug("NetKeyKeygenService: " + e.toString()); +- Debug.printStackTrace(e); ++ CMS.debug(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); ++ return false; + } ++ + } else + request.setExtData(IRequest.RESULT, Integer.valueOf(2)); + +-- +1.8.3.1 + + +From 625ac01b2f13ef469a3fc05a91b96522db802991 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 2 Feb 2018 16:39:30 -0800 +Subject: [PATCH 4/9] Ticket #2920 CMC: Audit Events needed for failures in + SharedToken scenarios + +This patch adds the missing CERT_STATUS_CHANGE_REQUEST_PROCESSED event in case of shared token failure at revocation; +In addition, a missing validate() call is made for decrypted POP request as well as the failure audit event. 
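Review bot: The new catch block that closes the first try (`catch (Exception e) { CMS.debug(e); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); return false; }`) returns without emitting any signed audit event, so a failure while extracting the private key handle or wrapping it with the session key leaves no trace in the audit log, whereas the second (archival) block gains a FAILURE event in a later patch of this series. The file already imports `ServerSideKeyGenProcessedEvent`; if that event has a failure form it is presumably the right one to emit before `return false`, but its factory signature is not visible in this hunk and should be confirmed. The enclosing `serviceRequest()` starts and ends outside the hunk.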
+ +fixes: https://pagure.io/dogtagpki/issue/2920 +Change-Id: I45b53f579794c3a5f32cc475a6293240025922c2 +(cherry picked from commit e7ec7d3004354f4a4a98d696833e531fb7a0e41c) +(cherry picked from commit 4b0816d706ac4c70bd03633a34b07c2ff12f9690) +--- + .../CertStatusChangeRequestProcessedEvent.java | 22 ++++++++ + .../cms/servlet/common/CMCOutputTemplate.java | 66 ++++++++++++++++++---- + .../servlet/profile/ProfileSubmitCMCServlet.java | 6 ++ + 3 files changed, 82 insertions(+), 12 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java +index 259a395..8c7f9c9 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java +@@ -51,6 +51,28 @@ public class CertStatusChangeRequestProcessedEvent extends SignedAuditEvent { + public CertStatusChangeRequestProcessedEvent( + String subjectID, + String outcome, ++ String requesterID, ++ String serialNumber, ++ String requestType, ++ String reasonNum, ++ RequestStatus approvalStatus, ++ String info) { ++ ++ super(LOGGING_PROPERTY); ++ ++ setAttribute("SubjectID", subjectID); ++ setAttribute("Outcome", outcome); ++ setAttribute("ReqID", requesterID); ++ setAttribute("CertSerialNum", serialNumber); ++ setAttribute("RequestType", requestType); ++ setAttribute("RevokeReasonNum", reasonNum); ++ setAttribute("Approval", approvalStatus); ++ setAttribute("Info", info); ++ } ++ ++ public CertStatusChangeRequestProcessedEvent( ++ String subjectID, ++ String outcome, + IRequest request, + String serialNumber, + String requestType, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 6c40d2d..814a9c2 100644 +--- 
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -1094,10 +1094,26 @@ public class CMCOutputTemplate { + } + ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + +- char[] sharedSecret = tokenClass.getSharedToken(revokeSerial); ++ char[] sharedSecret = null; ++ try { ++ sharedSecret = tokenClass.getSharedToken(revokeSerial); ++ } catch (Exception eShrTok) { ++ CMS.debug("CMCOutputTemplate: " + eShrTok.toString()); ++ } + + if (sharedSecret == null) { +- CMS.debug("CMCOutputTemplate: shared secret not found."); ++ msg = " shared secret not found"; ++ CMS.debug(method + msg); ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus, ++ msg)); ++ + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), + null, null); + SEQUENCE failed_bpids = new SEQUENCE(); +@@ -1127,8 +1143,8 @@ public class CMCOutputTemplate { + secret1.clear(); + secret2.clear(); + } else { +- CMS.debug(method +- + " Client and server shared secret are not the same, cannot revoke certificate."); ++ msg = " Client and server shared secret are not the same, cannot revoke certificate."; ++ CMS.debug(method + msg); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), + null, null); + SEQUENCE failed_bpids = new SEQUENCE(); +@@ -1146,7 +1162,8 @@ public class CMCOutputTemplate { + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus)); ++ auditApprovalStatus, ++ msg)); + + secret1.clear(); + secret2.clear(); +@@ -1165,7 +1182,18 @@ public class CMCOutputTemplate { + } + + if (record == null) { +- CMS.debug(method + " The certificate is not found"); ++ msg = " The certificate is not found"; ++ CMS.debug(method + msg); ++ audit(new 
CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus, ++ msg)); ++ + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null, null); + SEQUENCE failed_bpids = new SEQUENCE(); + failed_bpids.addElement(attrbpid); +@@ -1178,7 +1206,18 @@ public class CMCOutputTemplate { + } + + if (record.getStatus().equals(ICertRecord.STATUS_REVOKED)) { +- CMS.debug("CMCOutputTemplate: The certificate is already revoked:" + auditSerialNumber); ++ msg = " The certificate is already revoked:" + auditSerialNumber; ++ CMS.debug( method + msg); ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus, ++ msg)); ++ + SEQUENCE success_bpids = new SEQUENCE(); + success_bpids.addElement(attrbpid); + cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, +@@ -1198,7 +1237,7 @@ public class CMCOutputTemplate { + // principal matches that of the revoking cert + if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { + if (!certPrincipal.equals(signerPrincipal)) { +- msg = "certificate principal and signer do not match"; ++ msg = " certificate principal and signer do not match"; + CMS.debug(method + msg); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), + null, null); +@@ -1218,7 +1257,8 @@ public class CMCOutputTemplate { + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus)); ++ auditApprovalStatus, ++ msg)); + + return bpid; + } else { +@@ -1260,8 +1300,9 @@ public class CMCOutputTemplate { + Integer result = revReq.getExtDataInInteger(IRequest.RESULT); + CMS.debug(method + " revReq result = " + result); + if (result.equals(IRequest.RES_ERROR)) { +- CMS.debug("CMCOutputTemplate: revReq exception: " + +- 
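Review bot: In the already-revoked branch (`record.getStatus().equals(ICertRecord.STATUS_REVOKED)`) the new audit event records `ILogger.FAILURE`, yet the lines that follow still build `success_bpids` and return `CMCStatusInfoV2.SUCCESS` to the client, so the signed audit trail and the CMC response disagree about the outcome of the same request. Either the audit should be a SUCCESS event whose Info says the certificate was already revoked (treating the request as idempotent), or the response should report a failure; whichever is intended should be decided explicitly and noted in a comment on that branch. The other new FAILURE events in this file (shared secret not found, certificate not found) do return a failed CMC status, so this branch is the inconsistent one.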
revReq.getExtDataInString(IRequest.ERROR)); ++ msg = " revReq exception: " + ++ revReq.getExtDataInString(IRequest.ERROR); ++ CMS.debug(method + msg); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), + null, null); + SEQUENCE failed_bpids = new SEQUENCE(); +@@ -1280,7 +1321,8 @@ public class CMCOutputTemplate { + auditSerialNumber, + auditRequestType, + auditReasonNum, +- auditApprovalStatus)); ++ auditApprovalStatus, ++ msg)); + + return bpid; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index c702624..5509080 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -909,6 +909,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + auditRequesterID = auditRequesterID(provedReq); + try { ++ profile.validate(provedReq); + profile.execute(provedReq); + reqs = new IRequest[1]; + reqs[0] = provedReq; +@@ -950,6 +951,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + error_codes[0] = Integer.parseInt(errorCode); + profile.getRequestQueue().updateRequest(provedReq); + CMS.debug("ProfileSubmitCMCServlet: provedReq updateRequest"); ++ audit(CertRequestProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_REJECTION, ++ errorReason)); + } + } + +-- +1.8.3.1 + + +From 5781a5d47809fb1361a668e29e8fce07ce947303 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 2 Feb 2018 22:32:18 +0100 +Subject: [PATCH 5/9] Added SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED events in + NetkeyKeygenService. + +The NetkeyKeygenService.serviceRequest() has been modified to catch +all exceptions and generate SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED +with FAILURE outcome. 
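Review bot: The added `profile.validate(provedReq)` closes the gap where a decrypted-POP request was executed without profile validation, but the hunk does not show which exceptions `validate()` can throw or whether the surrounding `try` (whose `catch` clauses lie outside the hunk) maps each of them to the `CertRequestProcessedEvent.createFailureEvent(...)` added in the second hunk. Confirm that a validation failure reaches the `errorReason` path rather than a generic catch that writes nothing to the signed audit log. A comment such as `// validate the decrypted POP request before execution; rejections are audited below` would document the intent for the next reader.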
+ +https://pagure.io/dogtagpki/issue/2848 + +Change-Id: I08608fbb21ef14fddc2076d2e993766c30fd3cf0 +(cherry picked from commit 74d72d9b5798d16e68054c0859d79288a38eee36) +(cherry picked from commit a33c542fd4c8b2b7db259f092c2875fdbc842e95) +--- + .../src/com/netscape/kra/NetkeyKeygenService.java | 42 +++++++++++----------- + 1 file changed, 22 insertions(+), 20 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +index 17ac66d..55fd9a0 100644 +--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java ++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +@@ -424,10 +424,10 @@ public class NetkeyKeygenService implements IService { + params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); + + privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); ++ + } catch (Exception e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); +- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed"); +- return false; ++ throw new Exception("Unable to wrap private key with storage key", e); + } + + CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful"); +@@ -443,13 +443,13 @@ public class NetkeyKeygenService implements IService { + if (rKeytype.equals("RSA")) { + try { + RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); +- + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); ++ + } catch (InvalidKeyException e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(11)); +- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); +- return false; ++ throw new Exception("Invalid RSA public key", e); + } ++ + } else if (rKeytype.equals("EC")) { + CMS.debug("NetkeyKeygenService: alg is EC"); + String oidDescription = "UNDETERMINED"; +@@ -490,8 +490,7 @@ public class NetkeyKeygenService implements IService { + + if (serialNo == null) { + 
request.setExtData(IRequest.RESULT, Integer.valueOf(11)); +- CMS.debug("NetkeyKeygenService: serialNo null"); +- return false; ++ throw new Exception("Unable to generate next serial number"); + } + + rec.setWrappingParams(params, allowEncDecrypt_archival); +@@ -515,7 +514,22 @@ public class NetkeyKeygenService implements IService { + + } catch (Exception e) { + CMS.debug(e); +- request.setExtData(IRequest.RESULT, Integer.valueOf(4)); ++ ++ audit(SecurityDataArchivalProcessedEvent.createFailureEvent( ++ agentId, ++ auditSubjectID, ++ request.getRequestId(), ++ null, ++ null, ++ e.toString(), ++ PubKey)); ++ ++ Integer result = request.getExtDataInInteger(IRequest.RESULT); ++ if (result == null) { ++ // set default RESULT code ++ request.setExtData(IRequest.RESULT, Integer.valueOf(4)); ++ } ++ + return false; + } + +@@ -525,18 +539,6 @@ public class NetkeyKeygenService implements IService { + return true; + } //serviceRequest + +- /** +- * Signed Audit Log +- * y +- * This method is called to store messages to the signed audit log. +- *
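Review bot: The FAILURE audit event records `e.toString()`, but the failures this patch converts into throws are all `new Exception("...", cause)` wrappers, and `Throwable.toString()` does not include the cause, so the signed audit log will only ever say `java.lang.Exception: Unable to wrap private key with storage key` and lose the underlying JSS/HSM error that explains it. Pass the cause through, e.g. `String reason = e.getCause() != null ? e.toString() + ": " + e.getCause() : e.toString();` and hand `reason` to `createFailureEvent`. Consider also throwing an `EBaseException` rather than a bare `Exception` so callers keep a typed failure; serviceRequest starts before this hunk.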

+- * +- * @param msg signed audit log message +- */ +- private void audit(String msg) { +- signedAuditLogger.log(msg); +- } +- + protected void audit(LogEvent event) { + signedAuditLogger.log(event); + } +-- +1.8.3.1 + + +From d80696789edf427fe0b05c208da0270249af44e0 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Thu, 1 Feb 2018 14:58:30 -0800 +Subject: [PATCH 6/9] Fix Bug 1522938 - CC: Missing failure resumption + detection and audit event logging at startup + +This patch addressed two cases listed in the bug: + +1. Signing Failure due to bad HSM connection. +2. Audit log failure of some kind. + +I felt the best and safest way to handle these conditions was to simply write to the +error console, which results in a simple System.err.println being sent to the former +catalina.out file now covered with the journalctl command. + +I considered using some other dogtag log file, but if we are in some sort of emergency +or resource constrained situation, it is best to write the log out mostly simply. + +Quick testing instructions: + +1. To see signing failure put this in the CS.cfg for ONLY testing purposes. + +ca.signing.testSignatureFailure=true , This will force an error when trying to sign and log it. + + Approve a certificate request, which will trigger a signing operation. +2. Check the journalctl for a log message. + +3. Remove the config value to resume normal operation. + +4. To see an audit log failure do the following: + +[root@localhost signedAudit]# ps -fe | grep pki +pkiuser 8456 1 2 14:39 ? 00:00:32 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java + +lsof /var/lib/pki/pki-tomcat/ca/logs/signedAudit/ca_audit +java 9905 pkiuser 124u REG 253,0 17298 3016784 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit + +gdb /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 8456 , Use the pid from above + +Inside gdb do this: + +call close(124) + +This will close the file descriptor for the running server. + +5. 
Now just try to do anything with the CS UI and observe errors written to the journalctl log, +having to do with not being able to write to the ca_adit file. If signed audid logging is configured, +many of these conditions will result in the the shutdown of the server. + +Change-Id: I21c62a5ad6bedfe8678144a764bff2e2a4716dce +(cherry picked from commit 268cc70782b517c17439a17a5036f9f51182b650) +(cherry picked from commit cdfe6f3e5a29fa061a0e6b6fb599dcddc19984c3) +--- + base/ca/src/com/netscape/ca/SigningUnit.java | 16 +++++++ + .../cms/src/com/netscape/cms/logging/LogFile.java | 23 ++++++++++ + .../cms/src/com/netscape/cms/logging/LogQueue.java | 22 ++++++--- + .../netscape/cms/logging/SignedAuditLogger.java | 53 ++++++++++++++-------- + base/server/cmsbundle/src/UserMessages.properties | 2 + + .../src/com/netscape/cmscore/apps/CMSEngine.java | 9 ++++ + 6 files changed, 99 insertions(+), 26 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java +index 3194380..7cd0dd4 100644 +--- a/base/ca/src/com/netscape/ca/SigningUnit.java ++++ b/base/ca/src/com/netscape/ca/SigningUnit.java +@@ -41,7 +41,9 @@ import com.netscape.certsrv.base.ISubsystem; + import com.netscape.certsrv.ca.CAMissingCertException; + import com.netscape.certsrv.ca.CAMissingKeyException; + import com.netscape.certsrv.ca.ECAException; ++import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SystemEvent; + import com.netscape.certsrv.security.ISigningUnit; + import com.netscape.cms.logging.Logger; + import com.netscape.cmscore.security.JssSubsystem; +@@ -274,6 +276,7 @@ public final class SigningUnit implements ISigningUnit { + if (!mInited) { + throw new EBaseException("CASigningUnit not initialized!"); + } ++ boolean testSignatureFailure = false; + try { + // XXX for now do this mapping until James changes the names + // to match JCA names and provide a 
getAlgorithm method. +@@ -303,6 +306,13 @@ public final class SigningUnit implements ISigningUnit { + + // XXX add something more descriptive. + CMS.debug("Signing Certificate"); ++ ++ testSignatureFailure = mConfig.getBoolean("testSignatureFailure",false); ++ ++ if(testSignatureFailure == true) { ++ throw new SignatureException("Signature Exception forced for testing purposes."); ++ } ++ + return signer.sign(); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); +@@ -319,6 +329,12 @@ public final class SigningUnit implements ISigningUnit { + } catch (SignatureException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + CMS.debug("SigningUnit.sign: " + e.toString()); ++ ++ //For this one case, show the eventual erorr message that will be written to the system error ++ //log in case of a Signature failure. ++ if (testSignatureFailure == true) { ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString()))); ++ } + CMS.checkForAndAutoShutdown(); + // XXX fix this exception later. 
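Review bot: `mConfig.getBoolean("testSignatureFailure", false)` is a fault-injection switch that production code consults on every signing operation; if the key is left set (or set by mistake) in CS.cfg every certificate signing fails and, through `checkForAndAutoShutdown()`, can take the CA down, and nothing in the code marks it as test-only. At minimum read it once at init and emit a loud warning when it is enabled, or guard it behind a debug/test build, and write the check as `if (testSignatureFailure) {` rather than `== true`. The commit message names the key `ca.signing.testSignatureFailure` while the code reads it relative to `mConfig`, so a comment should state the exact key. sign() continues outside this hunk.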
+ throw new EBaseException(e); +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index 510e796..74a8ada 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -824,6 +824,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + mFileName))); + } catch (GeneralSecurityException gse) { + // error with signed audit log, shutdown CMS ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_OPEN_FAILED", mFileName, gse.toString()))); + gse.printStackTrace(); + shutdownCMS(); + } +@@ -843,6 +844,8 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + } catch (ELogException le) { + ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, + le.toString()))); ++ le.printStackTrace(); ++ shutdownCMS(); + } + } + +@@ -858,8 +861,15 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + } + } catch (GeneralSecurityException gse) { + // error with signed audit log, shutdown CMS ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, gse.toString()))); + gse.printStackTrace(); + shutdownCMS(); ++ } catch (Exception ee) { ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, ee.toString()))); ++ if(mLogSigning) { ++ ee.printStackTrace(); ++ shutdownCMS(); ++ } + } + + mBytesUnflushed = 0; +@@ -995,6 +1005,11 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + if (mLogWriter == null) { + String[] params = { mFileName, entry }; + ++ if (mLogSigning) { ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params))); ++ // Failed to write to audit log, shut down CMS ++ shutdownCMS(); ++ } + throw new ELogException(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params)); + } 
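Review bot: `ConsoleError.send(...)` in the SignatureException catch only runs when `testSignatureFailure` is set, so the real case this bug is about (a signing failure caused by a bad HSM connection) is never written to the error console from here; it relies on `CMS.checkForAndAutoShutdown()`, which in the CMSEngine hunk reads `autoShutdown.allowed` with a default of false and appears to return early when that is unset or `mSigningKey` is null. Drop the condition so every signing failure is recorded: `ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString())));` unconditionally before the auto-shutdown check. The enclosing sign() starts outside this hunk.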
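Review bot: The `ELogException` catch now calls `shutdownCMS()` unconditionally, whereas the `catch (Exception ee)` added to the same flush path a few lines later gates the shutdown on `mLogSigning`; LogFile appears to back every log instance, so a flush failure on a non-audit log would presumably also stop the server. Gate it the same way: `if (mLogSigning) { le.printStackTrace(); shutdownCMS(); }`, keeping the `ConsoleError.send` for all log types. The enclosing method starts and ends outside this hunk.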
else { + try { +@@ -1066,6 +1081,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + gse.printStackTrace(); + ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage( + LOG_SIGNED_AUDIT_EXCEPTION, gse.toString()))); ++ } catch (Exception ee) { // Make darn sure we got everything ++ ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage(LOG_SIGNED_AUDIT_EXCEPTION, ee.toString()))); ++ if (mLogSigning) { ++ // Failed to write to audit log, shut down CMS ++ ee.printStackTrace(); ++ shutdownCMS(); ++ } ++ + } + + // XXX +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java +index 1b40676..5eb96d7 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java +@@ -19,10 +19,13 @@ package com.netscape.cms.logging; + + import java.util.Vector; + +-import com.netscape.certsrv.logging.ELogException; ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ILogEvent; + import com.netscape.certsrv.logging.ILogEventListener; + import com.netscape.certsrv.logging.ILogQueue; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.certsrv.logging.SystemEvent; + + /** + * A class represents a log queue. +@@ -95,13 +98,20 @@ public class LogQueue implements ILogQueue { + */ + public void log(ILogEvent event) { + for (int i = 0; i < mListeners.size(); i++) { ++ ++ boolean isAudit = false; ++ ++ if( event instanceof SignedAuditEvent) { ++ isAudit = true; ++ } + try { + mListeners.elementAt(i).log(event); +- } catch (ELogException e) { +- // Raidzilla Bug #57592: Don't display potentially +- // incorrect log message. 
+- // ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_EVENT_FAILED", +- // event.getEventType(), e.toString()))); ++ } catch (Exception e) {//Try to catch ELogException or possible RuntimeExceptions if thrown ++ //Last resort log to the system for failed audit log attempt ++ if(isAudit == true) { ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(), ++ "Audit Event Failure!"))); ++ } + } + } + } +diff --git a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java +index 183f93c..90b5d5d 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java ++++ b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java +@@ -18,11 +18,13 @@ + package com.netscape.cms.logging; + + import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogCategory; + import com.netscape.certsrv.logging.LogEvent; + import com.netscape.certsrv.logging.LogSource; + import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.certsrv.logging.SystemEvent; + + /** + * A class represents certificate server logger +@@ -53,37 +55,48 @@ public class SignedAuditLogger extends Logger { + Object params[], boolean multiline) { + + // create event +- SignedAuditEvent event = (SignedAuditEvent)create( ++ SignedAuditEvent event = (SignedAuditEvent) create( + category, source, level, message, params, multiline); + + // parse attributes in message + int start = 0; +- while (start < message.length()) { + +- // find [name=value] +- int i = message.indexOf("[", start); +- if (i < 0) break; ++ try { ++ while (start < message.length()) { + +- int j = message.indexOf("=", i + 1); +- if (j < 0) { +- throw new RuntimeException("Missing equal sign: " + message); +- } ++ // find [name=value] ++ int i = 
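Review bot: Widening the catch to `Exception` means a listener that throws for a non-audit event now fails with no trace at all, not even `CMS.debug`, since the console message is sent only when `isAudit` is true; a `RuntimeException` from a misconfigured listener becomes completely invisible. Add `CMS.debug(e);` in the catch for the non-audit case, and hoist the loop-invariant flag above the `for`: `final boolean isAudit = event instanceof SignedAuditEvent;` then test `if (isAudit)` rather than `== true`.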
message.indexOf("[", start); ++ if (i < 0) ++ break; + +- // get attribute name +- String name = message.substring(i + 1, j); ++ int j = message.indexOf("=", i + 1); ++ if (j < 0) { ++ throw new RuntimeException("Missing equal sign: " + message); ++ } + +- int k = message.indexOf("]", j + 1); +- if (k < 0) { +- throw new RuntimeException("Missing closing bracket: " + message); +- } ++ // get attribute name ++ String name = message.substring(i + 1, j); ++ ++ int k = message.indexOf("]", j + 1); ++ if (k < 0) { ++ throw new RuntimeException("Missing closing bracket: " + message); ++ } + +- // get attribute value +- String value = message.substring(j + 1, k); ++ // get attribute value ++ String value = message.substring(j + 1, k); ++ ++ // store attribute in event ++ event.setAttribute(name, value); ++ ++ start = k + 1; ++ } + +- // store attribute in event +- event.setAttribute(name, value); ++ } catch (Exception e) { //Catch any of our RunTime exceptions just so we can log it to the console ++ ConsoleError ++ .send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(), ++ "Audit Event Failure!"))); + +- start = k + 1; ++ throw e; + } + + mLogQueue.log(event); +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index 8007ce1..9c324f5 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -387,6 +387,7 @@ CMS_CA_SET_SERIALNO_FAILED=Request {0} was completed with errors.\nError setting + CMS_CA_NOSERIALNO=Request {0} was completed with errors.\nCA has exausted all available serial numbers + CMS_CA_SIGNING_CRL_FAILED=Failed signing CRL. Error {0} + CMS_CA_SIGNING_CERT_FAILED=Failed signing certificate. Error {0} ++CMS_CA_SIGNING_OPERATION_FAILED=Signing Unit signing operation failed. 
Error {0} + CMS_CA_MISSING_INFO_IN_ISSUEREQ=Missing certificate info in issuing request + CMS_CA_MISSING_INFO_IN_REVREQ=Missing revocation info in revocation request + CMS_CA_MISSING_INFO_IN_CLAREQ=Missing CLA certificate info in cert4crl request +@@ -506,6 +507,7 @@ CMS_LOG_INVALID_FILE_NAME=Attempt to initialize log with an invalid filename: \" + CMS_LOG_UNEXPECTED_EXCEPTION=Caught unexpected exception: {0} + CMS_LOG_ILLEGALARGUMENT=Illegal argument when opening: {0} + CMS_LOG_CLOSE_FAILED=Failed to close file \"{0}\", error: {1} ++CMS_LOG_OPEN_FAILED=Failed to open file \"{0}\", error: {1} + CMS_LOG_INVALID_LOG_TYPE=Invalid log type in \"{0}\" property: {1} + CMS_LOG_SRVLT_ILL_PLUGIN_ID=Another plugin ID already exists {0} + CMS_LOG_SRVLT_NULL_CLASS=Plugin classname is null +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index be79607..b1df429 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -100,12 +100,14 @@ import com.netscape.certsrv.ldap.ELdapException; + import com.netscape.certsrv.ldap.ILdapAuthInfo; + import com.netscape.certsrv.ldap.ILdapConnFactory; + import com.netscape.certsrv.ldap.ILdapConnInfo; ++import com.netscape.certsrv.logging.ConsoleError; + import com.netscape.certsrv.logging.ELogException; + import com.netscape.certsrv.logging.IAuditor; + import com.netscape.certsrv.logging.ILogEvent; + import com.netscape.certsrv.logging.ILogEventListener; + import com.netscape.certsrv.logging.ILogQueue; + import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SystemEvent; + import com.netscape.certsrv.notification.IEmailFormProcessor; + import com.netscape.certsrv.notification.IEmailResolver; + import com.netscape.certsrv.notification.IEmailResolverKeys; +@@ -1318,6 +1320,7 @@ public class CMSEngine implements ICMSEngine { + 
public void checkForAndAutoShutdown() { + String method= "CMSEngine: checkForAndAutoShutdown: "; + CMS.debug(method + "begins"); ++ + try { + boolean allowShutdown = mConfig.getBoolean("autoShutdown.allowed", false); + if ((!allowShutdown) || (mSigningKey == null) || +@@ -1336,7 +1339,13 @@ public class CMSEngine implements ICMSEngine { + byte[] result = signer.sign(); + CMS.debug(method + " signining successful: " + new String(result)); + } catch (SignatureException e) { ++ ++ //Let's write to the error console in case we are in a bad memory situation ++ //This will be the most likely to work, giving us a record of the signing failure ++ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString()))); ++ + CMS.debug(method + "autoShutdown for " + e.toString()); ++ + CMS.autoShutdown(); + } catch (Exception e) { + CMS.debug(method + "continue for " + e.toString()); +-- +1.8.3.1 + + +From 54a52b8cfffdb3d39408d3e765e45f5751715700 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 1 Feb 2018 18:37:10 -0800 +Subject: [PATCH 7/9] Ticket #2880 missing CMC request and response record + +This patch adds audit events to record received CMC requests and signed CMC responses: +CMC_REQUEST_RECEIVED +CMC_RESPONSE_SENT + +This patch fixes https://pagure.io/dogtagpki/issue/2880 + +Change-Id: Id093225b22a2c434e680726442c49b410fa738a3 +(cherry picked from commit 55a6fa09d24b1c30bfd9d80357d69a8905ee4090) +(cherry picked from commit d9ae15065d96bf5b634bae6dfa4b6d0e4780d4ae) +--- + base/ca/shared/conf/CS.cfg | 4 ++-- + .../com/netscape/certsrv/logging/AuditEvent.java | 4 ++++ + .../cms/servlet/common/CMCOutputTemplate.java | 15 ++++++++++++++ + .../servlet/profile/ProfileSubmitCMCServlet.java | 23 ++++++++++++++++++---- + base/server/cmsbundle/src/LogMessages.properties | 19 ++++++++++++++++-- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 10 +--------- + base/util/src/com/netscape/cmsutil/util/Utils.java | 23 ++++++++++++++++++++++ + 
7 files changed, 81 insertions(+), 17 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 76a7057..59de904 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION + log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) +diff --git 
a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +index 131b2a9..db58f34 100644 +--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +@@ -67,6 +67,10 @@ public class AuditEvent extends LogEvent { + "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; + public final static String PROFILE_CERT_REQUEST = + "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; ++ public final static String CMC_REQUEST_RECEIVED = ++ "LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3"; ++ public final static String CMC_RESPONSE_SENT = ++ "LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3"; + public final static String INTER_BOUNDARY = + "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; + public final static String CERT_PROFILE_APPROVAL = +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index 814a9c2..e89c9a0 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.ICertificateRepository; ++import com.netscape.certsrv.logging.AuditEvent; + import com.netscape.certsrv.logging.AuditFormat; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogEvent; +@@ -150,6 +151,7 @@ public class CMCOutputTemplate { + OutputStream os = resp.getOutputStream(); + os.write(contentBytes); + os.flush(); ++ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); + } catch (Exception e) { + CMS.debug("CMCOutputTemplate createFullResponseWithFailedStatus Exception: " + e.toString()); + return; +@@ 
-480,6 +482,7 @@ public class CMCOutputTemplate { + OutputStream os = resp.getOutputStream(); + os.write(contentBytes); + os.flush(); ++ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); + CMS.debug(method + "ends"); + } catch (java.security.cert.CertificateEncodingException e) { + CMS.debug(method + e.toString()); +@@ -722,6 +725,7 @@ public class CMCOutputTemplate { + OutputStream os = resp.getOutputStream(); + os.write(contentBytes); + os.flush(); ++ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); + } catch (java.security.cert.CertificateEncodingException e) { + CMS.debug("CMCOutputTemplate exception: " + e.toString()); + } catch (InvalidBERException e) { +@@ -1391,6 +1395,17 @@ public class CMCOutputTemplate { + signedAuditLogger.log(msg); + } + ++ protected void auditCMCResponseSent(String response) { ++ SessionContext context = SessionContext.getContext(); ++ ++ String auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_RESPONSE_SENT, ++ (String) context.get(SessionContext.USER_ID), ++ ILogger.SUCCESS, ++ Utils.normalizeString(response)); ++ audit(auditMessage); ++ } ++ + private RevocationReason toRevocationReason(ENUMERATED n) { + long code = n.getValue(); + if (code == RevokeRequest.aACompromise.getValue()) +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 5509080..91a26b1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -46,9 +46,10 @@ import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; +-import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.AuditEvent; + import 
com.netscape.certsrv.logging.event.AuthEvent; + import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; ++import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.ECMCBadIdentityException; + import com.netscape.certsrv.profile.ECMCBadMessageCheckException; + import com.netscape.certsrv.profile.ECMCBadRequestException; +@@ -67,6 +68,8 @@ import com.netscape.certsrv.request.INotify; + import com.netscape.certsrv.request.IRequest; + import com.netscape.certsrv.request.RequestId; + import com.netscape.certsrv.request.RequestStatus; ++import com.netscape.cms.logging.Logger; ++import com.netscape.cms.logging.SignedAuditLogger; + import com.netscape.cms.servlet.common.AuthCredentials; + import com.netscape.cms.servlet.common.CMCOutputTemplate; + import com.netscape.cms.servlet.common.CMSRequest; +@@ -85,6 +88,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + /** + * + */ ++ private static Logger signedAuditLogger = SignedAuditLogger.getLogger(); + private static final long serialVersionUID = -8017841111435988197L; + private static final String PROP_PROFILE_ID = "profileId"; + +@@ -112,7 +116,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + + private void setInputsIntoContext(HttpServletRequest request, IProfile profile, IProfileContext ctx) { +- ++ String method = "ProfileSubmitCMCServlet.setInputsIntoContext: "; + // passing inputs into context + Enumeration inputIds = profile.getProfileInputIds(); + +@@ -126,6 +130,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + String inputName = inputNames.nextElement(); + + if (request.getParameter(inputName) != null) { ++ CMS.debug(method + "setting: " + inputName); + ctx.set(inputName, request.getParameter(inputName)); + } + } +@@ -399,7 +404,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + IProfileContext ctx = profile.createContext(); + if (requestB64 != null) { + ctx.set("cert_request_type", 
cert_request_type); +- ctx.set("cert_request", requestB64); ++ ctx.set("cert_request", Utils.normalizeString(requestB64)); + } + // passing auths into context + IProfileAuthenticator authenticator = null; +@@ -481,6 +486,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + } + ++ String auditSubjectID = auditSubjectID(); ++ if (authToken != null) { ++ auditSubjectID = authToken.getInString(IAuthToken.USER_ID); ++ } ++ String auditMessage = CMS.getLogMessage( ++ AuditEvent.CMC_REQUEST_RECEIVED, ++ auditSubjectID, ++ ILogger.SUCCESS, ++ Utils.normalizeString(requestB64)); ++ signedAuditLogger.log(auditMessage); ++ + IRequest reqs[] = null; + + /////////////////////////////////////////////// +@@ -777,7 +793,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + } //for + +- String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; + + try { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 9ca508a..7963f6f 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2008,6 +2008,21 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=:[AuditEvent=CRL_SI + # + LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles + # ++# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED ++# - used when a CMC request is received. 
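Review bot: The CMC_REQUEST_RECEIVED record embeds the whole base64 request (`Utils.normalizeString(requestB64)`), and per the LogMessages text an unsigned request is recorded under `$Unidentified$`, so an unauthenticated client controls how many bytes are written to the signed audit log per request; together with the LogFile changes that shut the server down when the audit log cannot be written, this deserves a size bound or a documented assumption that request size is already capped upstream. `authToken.getInString(IAuthToken.USER_ID)` can also be null, which would replace the `auditSubjectID()` default with null; use `String uid = authToken.getInString(IAuthToken.USER_ID); if (uid != null) auditSubjectID = uid;`. The event is emitted after the authentication block, so requests rejected during authentication are presumably never recorded as received; the enclosing method continues outside this hunk.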
++# SubjectID must be the UID of user that triggered this event ++# (if CMC requests is signed by an agent, SubjectID should ++# be that of the agent) ++# In case of an unsigned request, it would bear $Unidentified$ ++# ++LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received ++# ++# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT ++# - used when a CMC response is sent ++# SubjectID must be the UID of user that triggered this event ++# ++LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent ++# + # LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST + # - used when a profile certificate request is made (before approval process) + # SubjectID must be the UID of user that triggered this event +@@ -2220,13 +2235,13 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GEN + LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation + # + # LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY +-# - used when CMC (agent-pre-signed) certificate requests or revocation requests ++# - used when agent signed CMC certificate requests or revocation requests + # are submitted and signature is verified + # ReqType must be the request type (enrollment, or revocation) + # CertSubject must be the certificate subject name of the certificate request + # SignerInfo must be a unique String representation for the signer + # +-LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent pre-approved CMC request signature verification ++LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification + # + # LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY + # - used when CMC (user-signed or self-signed) certificate requests or revocation requests +diff --git 
a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index f527967..27ae0de 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -1198,15 +1198,7 @@ public class CryptoUtil { + // grammar defined at https://tools.ietf.org/html/rfc7468#section-3 + s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", ""); + +- StringBuffer sb = new StringBuffer(); +- StringTokenizer st = new StringTokenizer(s, "\r\n "); +- +- while (st.hasMoreTokens()) { +- String nextLine = st.nextToken(); +- nextLine = nextLine.trim(); +- sb.append(nextLine); +- } +- return sb.toString(); ++ return Utils.normalizeString(s); + } + + public static String normalizeCertStr(String s) { +diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java +index a9ee974..5ff78ad 100644 +--- a/base/util/src/com/netscape/cmsutil/util/Utils.java ++++ b/base/util/src/com/netscape/cmsutil/util/Utils.java +@@ -32,6 +32,7 @@ import java.net.InetAddress; + import java.net.UnknownHostException; + import java.text.SimpleDateFormat; + import java.util.Date; ++import java.util.StringTokenizer; + import java.util.Vector; + + import org.apache.commons.codec.binary.Base64; +@@ -330,4 +331,26 @@ public class Utils { + public static byte[] base64decode(String string) { + return Base64.decodeBase64(string); + } ++ ++ /** ++ * Normalize B64 input String ++ * ++ * @pram string base-64 string ++ * @return normalized string ++ */ ++ public static String normalizeString(String string) { ++ if (string == null) { ++ return string; ++ } ++ ++ StringBuffer sb = new StringBuffer(); ++ StringTokenizer st = new StringTokenizer(string, "\r\n "); ++ ++ while (st.hasMoreTokens()) { ++ String nextLine = st.nextToken(); ++ nextLine = nextLine.trim(); ++ sb.append(nextLine); ++ } ++ return sb.toString(); 
++ } + } +-- +1.8.3.1 + + +From 5d46447f9c680fff61bbb72b36dee13e53f549af Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Sat, 3 Feb 2018 15:50:24 -0800 +Subject: [PATCH 8/9] Ticket #2921 CMC: Revocation works with an unknown + revRequest.issuer + +This patche adds check between the issuer value of the RevokeRequest against the issuer of the certificate to be revoked. + +fixes: https://pagure.io/dogtagpki/issue/2921 +Change-Id: Ib2bb2debeb7d1c7ffea1799b5c32630062ddca6a +(cherry picked from commit c2c5bdad088fabbb89a8d3634530c74dae78c875) +(cherry picked from commit d3fa14e61d76de48631a209f95ae6f91d9da4484) +--- + .../com/netscape/certsrv/base/SessionContext.java | 1 + + .../src/com/netscape/cmstools/CMCRequest.java | 1 + + .../cms/authentication/CMCUserSignedAuth.java | 18 ++++++++ + .../cms/servlet/common/CMCOutputTemplate.java | 52 +++++++++++++++++++--- + 4 files changed, 65 insertions(+), 7 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java +index 9323e6e..691173b 100644 +--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java ++++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java +@@ -56,6 +56,7 @@ public class SessionContext extends Hashtable { + * Principal name object of the signed CMC request + */ + public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal"; ++ public static final String CMC_ISSUER_PRINCIPAL = "cmcISSUERPrincipal"; + public static final String CMC_SIGNER_INFO = "cmcSignerInfo"; + public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject"; + +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index fc58f4e..8146cee 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -1180,6 +1180,7 @@ public class CMCRequest { + 
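Review bot: The Javadoc on `normalizeString` misspells the tag: `@pram string base-64 string` should be `@param string base-64 string`, and the `@return` line should mention that null input yields null, which is what the guard does. The local `StringBuffer sb` is never shared across threads, so `StringBuilder sb = new StringBuilder();` is the conventional choice. Since the tokenizer already splits on CR, LF and space, the per-token `trim()` only removes other control characters (e.g. tabs) at token edges; if that is deliberate a one-line comment would save the next reader from wondering, otherwise the call can go.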
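Review bot: The new key value `"cmcISSUERPrincipal"` breaks the lowerCamelCase style of the neighbouring keys (`cmcSignerPrincipal`, `cmcSignerInfo`, `cmcRequestCertSubject`); `public static final String CMC_ISSUER_PRINCIPAL = "cmcIssuerPrincipal";` would be consistent, and is safe as long as every access goes through the constant. The constant also lacks the Javadoc its neighbour has; something like `/** Issuer name carried in a CMC RevokeRequest, recorded for the issuer check in CMCOutputTemplate */` documents when it is set.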
System.out.println(method + "issuer name must be supplied when shared secret is used"); + System.exit(1); + } ++ System.out.println(method + "adding revRequestIssuer: " + revRequestIssuer); + issuerName = new X500Name(revRequestIssuer); + } else { // signing case; revokeSignCert is required + if (revokeSignCert == null) { +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index 9dbf787..527b7e5 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -40,6 +40,7 @@ import java.util.Locale; + import java.util.Vector; + + import org.mozilla.jss.CryptoManager; ++import org.mozilla.jss.asn1.ANY; + import org.mozilla.jss.asn1.ASN1Util; + import org.mozilla.jss.asn1.BIT_STRING; + import org.mozilla.jss.asn1.INTEGER; +@@ -491,6 +492,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + Integer IntObject = Integer.valueOf((int) reasonCode); + authToken.set(REASON_CODE, IntObject); + ++ ANY issuerANY = revRequest.getIssuerName(); ++ // handling of faillures with issuer is deferred ++ // to CMCOutputTemplate so that we can ++ // have a chance to capture user identification info ++ if (issuerANY != null) { ++ try { ++ byte[] issuerBytes = issuerANY.getEncoded(); ++ X500Name issuerName = new X500Name(issuerBytes); ++ CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); ++ // capture issuer principal to be checked against ++ // cert issuer principal later in CMCOutputTemplate ++ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); ++ } catch (Exception e) { ++ CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); ++ } ++ } ++ + //authToken.set("uid", uid); + //authToken.set("userid", userid); + +diff --git 
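Review bot: The new block catches `Exception` broadly and only writes a debug line, so a malformed or unparsable issuer leaves `CMC_ISSUER_PRINCIPAL` unset and the request later fails in CMCOutputTemplate with a plain mismatch message that gives the operator no hint of the decoding failure. The comment above it explains why the failure is deferred, which is fine, but the catch should name the checked exceptions `getEncoded()` and `new X500Name(byte[])` declare rather than `Exception`, so that programming errors are not swallowed into the same path. The comment also has a typo: `faillures` → `failures`. The enclosing method starts and ends outside the hunk.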
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index e89c9a0..a0a946d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -971,10 +971,6 @@ public class CMCOutputTemplate { + CMS.debug(method + "authManagerId =" + authManagerId); + } + +- // in case of CMCUserSignedAuth, +- // for matching signer and revoked cert principal +- X500Name signerPrincipal = null; +- + // for auditing + String auditRequesterID = null; + auditRequesterID = (String) context.get(SessionContext.USER_ID); +@@ -984,7 +980,14 @@ public class CMCOutputTemplate { + } else { + auditRequesterID = ILogger.NONROLEUSER; + } +- signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); ++ ++ // in case of CMCUserSignedAuth, ++ // for matching signer and revoked cert principal ++ X500Name reqSignerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); ++ ++ // in case of shared secret revocation, for matching issuer ++ X500Name reqIssuerPrincipal = (X500Name) context.get(SessionContext.CMC_ISSUER_PRINCIPAL); ++ + String auditSubjectID = null; + String auditRequestType = "revoke"; + String auditSerialNumber = null; +@@ -1019,7 +1022,7 @@ public class CMCOutputTemplate { + + if (needVerify) { + if (authManagerId.equals("CMCUserSignedAuth")) { +- if (signerPrincipal == null) { ++ if (reqSignerPrincipal == null) { + CMS.debug(method + "missing CMC signer principal"); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, + new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), +@@ -1235,12 +1238,47 @@ public class CMCOutputTemplate { + X509CertImpl impl = record.getCertificate(); + + X500Name certPrincipal = (X500Name) impl.getSubjectDN(); ++ X500Name certIssuerPrincipal = (X500Name) impl.getIssuerDN(); + auditSubjectID = certPrincipal.toString(); + ++ // 
for Shared Secret case, check if issuer DN matches ++ if (reqSecret != null) { ++ CMS.debug(method + "shared secret revocation: checking issuer DN"); ++ if ((reqIssuerPrincipal == null) || ++ ! reqIssuerPrincipal.equals(certIssuerPrincipal)) { ++ msg = " certificate issuer DN and revocation request issuer DN do not match"; ++ CMS.debug(method + msg); ++ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), ++ null, null); ++ SEQUENCE failed_bpids = new SEQUENCE(); ++ failed_bpids.addElement(attrbpid); ++ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, msg, ++ otherInfo); ++ tagattr = new TaggedAttribute( ++ new INTEGER(bpid++), ++ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); ++ controlSeq.addElement(tagattr); ++ ++ audit(new CertStatusChangeRequestProcessedEvent( ++ auditSubjectID, ++ ILogger.FAILURE, ++ auditReqID, ++ auditSerialNumber, ++ auditRequestType, ++ auditReasonNum, ++ auditApprovalStatus, ++ msg)); ++ ++ return bpid; ++ } else { ++ CMS.debug( method + "certificate issuer DN and revocation request issuer DN match"); ++ } ++ } ++ + // in case of user-signed request, check if signer + // principal matches that of the revoking cert + if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { +- if (!certPrincipal.equals(signerPrincipal)) { ++ if (!certPrincipal.equals(reqSignerPrincipal)) { + msg = " certificate principal and signer do not match"; + CMS.debug(method + msg); + OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), +-- +1.8.3.1 + + +From 8f94902f7837fa3f9338e461e706f7ca85cdf7fd Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 19 Jan 2018 17:01:12 +1100 +Subject: [PATCH 9/9] Fix profile import dropping backslash characters + +When writing (importing, updating) RAW profile data, config values +that have backslashes in them have the backslashes dropped, leading +to issuance failures or issuance of incorrect 
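Review bot: The issuer-check failure path reuses one message, ` certificate issuer DN and revocation request issuer DN do not match`, for two different conditions: a RevokeRequest that carries no issuer at all (`reqIssuerPrincipal == null`) and one whose issuer differs. Separating them in the debug output — e.g. `CMS.debug(method + "revocation request carries no issuer DN")` before falling into the common failure handling — makes failed shared-secret revocations much easier to diagnose without changing the client-visible BAD_IDENTITY result. The ~20 lines that build the `OtherInfo`/`CMCStatusInfoV2`/`TaggedAttribute` and emit the `CertStatusChangeRequestProcessedEvent` are now duplicated between this block and the signer-principal check below it, differing only in `msg`; a private helper would remove the duplication. The check runs only when `reqSecret != null`; if signed requests intentionally rely on the signer check instead, a one-line comment saying so would pre-empt the question. The enclosing method starts and ends outside the hunk.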
certificates. For +example: + + policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat\, Inc. + +becomes: + + policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat, Inc. + +which causes issuance failures due to parse failure of the resulting +DN. + +This occurs because java.util.Properties is opinionated about what +does or doesn't need to be escaped. The ProfileSubsystem "raw" +methods originally used Properties to avoid more use of our "custom" +SimpleProperties class. That turned out to be a mistake, due to +Properties' incompatible treatment of backslashes. Switch over to +SimpleProperties for handling raw profile data. + +Fixes: https://pagure.io/dogtagpki/issue/2909 +Change-Id: I5cd738651cbfba0cad607d2b02edea04fe6be561 +(cherry picked from commit e634316eb7f2aedc65fe528fb572b15e1bdc1eb2) +(cherry picked from commit 10498f9c1db06ff31712a5543a9a0a76cb2523e2) +--- + .../dogtagpki/server/ca/rest/ProfileService.java | 27 ++++------------------ + 1 file changed, 4 insertions(+), 23 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index 3a68a1c..2884704 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -29,7 +29,6 @@ import java.util.LinkedHashMap; + import java.util.List; + import java.util.Locale; + import java.util.Map; +-import java.util.Properties; + import java.util.Vector; + + import javax.ws.rs.PathParam; +@@ -523,9 +522,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + Map auditParams = new LinkedHashMap(); + String profileId = null; + String classId = null; +- // First read the data into a Properties to process escaped +- // separator characters (':', '=') in values +- Properties properties = new Properties(); ++ SimpleProperties properties = new SimpleProperties(); + try { + 
// load data and read profileId and classId + properties.load(new ByteArrayInputStream(data)); +@@ -543,16 +540,9 @@ public class ProfileService extends SubsystemService implements ProfileResource + properties.remove("profileId"); + properties.remove("classId"); + +- // Now copy into SimpleProperties to avoid unwanted escapes +- // of separator characters in output +- SimpleProperties simpleProperties = new SimpleProperties(); +- for (String k : properties.stringPropertyNames()) { +- simpleProperties.setProperty(k, properties.getProperty(k)); +- } +- + try { + ByteArrayOutputStream out = new ByteArrayOutputStream(); +- simpleProperties.store(out, null); ++ properties.store(out, null); + data = out.toByteArray(); // original data sans profileId, classId + + IProfile profile = ps.getProfile(profileId); +@@ -669,9 +659,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + throw new ConflictingOperationException("Cannot change profile data. Profile must be disabled"); + } + +- // First read the data into a Properties to process escaped +- // separator characters (':', '=') in values +- Properties properties = new Properties(); ++ SimpleProperties properties = new SimpleProperties(); + try { + properties.load(new ByteArrayInputStream(data)); + } catch (IOException e) { +@@ -680,13 +668,6 @@ public class ProfileService extends SubsystemService implements ProfileResource + properties.remove("profileId"); + properties.remove("classId"); + +- // Now copy into SimpleProperties to avoid unwanted escapes +- // of separator characters in output +- SimpleProperties simpleProperties = new SimpleProperties(); +- for (String k : properties.stringPropertyNames()) { +- simpleProperties.setProperty(k, properties.getProperty(k)); +- } +- + try { + IProfile profile = ps.getProfile(profileId); + if (profile == null) { +@@ -694,7 +675,7 @@ public class ProfileService extends SubsystemService implements ProfileResource + } + + ByteArrayOutputStream out = 
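Review bot: Nothing in the new code says why `SimpleProperties` rather than `java.util.Properties` must be used to parse the raw profile; the explanatory comments were deleted together with the `Properties` pass, and the reason (Properties unescapes backslashes, turning `O=Red Hat\, Inc.` into `O=Red Hat, Inc.`) now lives only in the commit message, so a later cleanup could reintroduce the bug. Suggest a comment above `SimpleProperties properties = new SimpleProperties();` such as `// Use SimpleProperties, not java.util.Properties: Properties drops backslashes in values and corrupts DN patterns`. The same applies to the `@@ -669,9 +659,7 @@` hunk. Both enclosing methods start and end outside the hunks.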
new ByteArrayOutputStream(); +- simpleProperties.store(out, null); ++ properties.store(out, null); + data = out.toByteArray(); // original data sans profileId, classId + + // create temporary profile to verify profile configuration +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-snapshot-4.patch b/SOURCES/pki-core-10.5.1-snapshot-4.patch new file mode 100644 index 0000000..4a326e4 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-snapshot-4.patch 
@@ -0,0 +1,91 @@ +From 8fd3bae32bb540a850b64479c56d60f5557bc100 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Wed, 7 Feb 2018 14:05:13 -0800 +Subject: [PATCH 1/2] Fix Bug 1542210 - pki console configurations that + involves ldap passwords leave the plain text password in debug logs + +Simple sensitive data debug log prevention here. + +Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46 +(cherry picked from commit ff70df12dd7fc4f801b281233f64bca3c674173b) +(cherry picked from commit e86691f5a5aba9c2d783ccddf79eb7226c36672c) +--- + .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index d983e6c..769e8e4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -216,12 +216,13 @@ public class AdminServlet extends HttpServlet { + pn.equalsIgnoreCase("pin") || + pn.equalsIgnoreCase("pwd") || + pn.equalsIgnoreCase("pwdagain") || +- pn.equalsIgnoreCase("uPasswd")) { ++ pn.equalsIgnoreCase("uPasswd") || ++ pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) { + CMS.debug("AdminServlet::service() param name='" + pn + +- "' value='(sensitive)'"); ++ "' value='(sensitive)'"); + } else { + CMS.debug("AdminServlet::service() param name='" + pn + +- "' value='" + httpReq.getParameter(pn) + "'"); ++ "' value='" + httpReq.getParameter(pn) + "'"); + } + } + } +-- +1.8.3.1 + + +From 511001c4aaa8e48de3932b4508846729b2e4ab6b Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 8 Feb 2018 15:06:53 +1100 +Subject: [PATCH 2/2] Fix lightweight CA key replication + +The resolution for issue https://pagure.io/dogtagpki/issue/2654 +caused a regression in lightweight CA key replication. 
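Review bot: Redaction of the debug trace depends on an inline chain of `equalsIgnoreCase` comparisons against fixed parameter names, so each new credential-bearing parameter (here `PASSWORD_CACHE_ADD`) has to be remembered and appended, and any that is missed is written to the debug log in clear. Moving the names into a single `private static final Set<String>` (lower-cased) and checking membership with `pn.toLowerCase(Locale.ROOT)` would keep the list in one place and make the condition a one-liner, and a comment saying the set must be kept in sync with the admin console's password parameters would help the next person. The enclosing `service()` method starts and ends outside the hunk.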
When the +authorityMonitor encounters a CA whose keys are not present, +signingUnit initialisation fails (as expected). The signing info +event logging behaviour introduced in commit +4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a +NullPointerException, crashing the authorityMonitor thread. + +Fix the issue by extracting the signing info event logging behaviour +to a separate method, and invoke that method as the final step of +signingUnit initialisation. + +Fixes: https://pagure.io/dogtagpki/issue/2929 +Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473 +(cherry picked from commit 2251f78c22b2e3b23450cdb274207893932cbd0b) +--- + base/ca/src/com/netscape/ca/CertificateAuthority.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index e5d21eb..9aaa9cb 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -662,7 +662,10 @@ public class CertificateAuthority + } + throw e; + } ++ } + ++ private void generateSigningInfoAuditEvents() ++ throws EBaseException { + try { + + if (isHostAuthority()) { +@@ -1852,6 +1855,8 @@ public class CertificateAuthority + throw new ECAException( + CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString())); + } ++ ++ generateSigningInfoAuditEvents(); + } + + /** +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.1-snapshot-5.patch b/SOURCES/pki-core-10.5.1-snapshot-5.patch new file mode 100644 index 0000000..7fe60d6 --- /dev/null +++ b/SOURCES/pki-core-10.5.1-snapshot-5.patch 
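Review bot: The extracted `generateSigningInfoAuditEvents()` has no Javadoc, and its one precondition — that it must run only after signing-unit initialisation has succeeded, which is the whole point of the move described in the commit message — is visible nowhere in the code. Suggest `/** Emits the signing-info audit events for this CA. Call only after the signing unit has been initialised; if initialisation throws, this method must not be reached. */` with `@throws EBaseException` documented. The call added in the `@@ -1852,6 +1855,8 @@` hunk is placed after the CA-chain-building `try`, which matches that intent. Both method bodies are outside the visible hunk lines.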
@@ -0,0 +1,702 @@ +From b56da71239b10f42a7c0c017eda2f0d63d43031d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 9 Feb 2018 01:53:37 +0100 +Subject: [PATCH 1/7] Disabled failing unit tests. + +Some unit tests have been disabled since they are currently +failing. This allows other tests to be enabled later. These +failures need to be investigated further. + +https://pagure.io/dogtagpki/issue/2908 + +Change-Id: If5aa31c10f89fb8388085b59377347338ae729a1 +(cherry picked from commit 17fcac5f807cbbf1ee6709a6613d9baa80f1115d) +(cherry picked from commit 431ad0ec9f6f8188c1d240ed60966d53a4c6982b) +--- + base/server/test/CMakeLists.txt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base/server/test/CMakeLists.txt b/base/server/test/CMakeLists.txt +index 6534a6c..707493f 100644 +--- a/base/server/test/CMakeLists.txt ++++ b/base/server/test/CMakeLists.txt +@@ -61,7 +61,7 @@ add_junit_test(test-pki-server + ${HAMCREST_JAR} ${JUNIT_JAR} + ${CMAKE_BINARY_DIR}/test/classes + TESTS +- com.netscape.cmscore.authentication.AuthTokenTest ++ # com.netscape.cmscore.authentication.AuthTokenTest + com.netscape.cmscore.dbs.CertRecordListTest + com.netscape.cmscore.dbs.DBRegistryTest + # com.netscape.cmscore.request.AgentApprovalsTest +@@ -69,7 +69,7 @@ add_junit_test(test-pki-server + com.netscape.cmscore.request.ExtDataHashtableTest + com.netscape.cmscore.request.RequestQueueTest + com.netscape.cmscore.request.RequestRecordTest +- com.netscape.cmscore.request.RequestTest ++ # com.netscape.cmscore.request.RequestTest + REPORTS_DIR + reports + ) +-- +1.8.3.1 + + +From 38c6e86e434caf80635b88c2265bb5b6d036bef7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 10 Feb 2018 05:16:41 +0100 +Subject: [PATCH 4/7] Added Key ID encoder and decoder. + +The following methods have been added to encode and decode NSS key +ID properly: + - CryptoUtil.encodeKeyID() + - CryptoUtil.decodeKeyID() + +A unit test has been added to verify the functionality. 
+ +https://pagure.io/dogtagpki/issue/2884 + +Change-Id: Ib295bc1cb449f544cd0220bfaea1ed0d71136365 +(cherry picked from commit c46f53ff6f2fb398600c59410b2afe14fed9dbfa) +--- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 63 +++++- + base/util/test/CMakeLists.txt | 2 + + .../netscape/cmsutil/crypto/KeyIDCodecTest.java | 239 +++++++++++++++++++++ + 3 files changed, 303 insertions(+), 1 deletion(-) + create mode 100644 base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java + +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 27ae0de..0742f8e 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -54,6 +54,7 @@ import java.util.Map; + import java.util.StringTokenizer; + import java.util.Vector; + ++import org.apache.commons.codec.binary.Hex; + import org.apache.commons.lang.ArrayUtils; + import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.CryptoManager; +@@ -179,6 +180,8 @@ public class CryptoUtil { + } + } + ++ public final static int KEY_ID_LENGTH = 20; ++ + public final static String INTERNAL_TOKEN_NAME = "internal"; + public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token"; + +@@ -2046,12 +2049,70 @@ public class CryptoUtil { + return false; + } + ++ /** ++ * Converts any length byte array into a signed, variable-length ++ * hexadecimal number. ++ */ + public static String byte2string(byte id[]) { + return new BigInteger(id).toString(16); + } + ++ /** ++ * Converts a signed, variable-length hexadecimal number into a byte ++ * array, which may not be identical to the original byte array. 
++ */ + public static byte[] string2byte(String id) { +- return (new BigInteger(id, 16)).toByteArray(); ++ return new BigInteger(id, 16).toByteArray(); ++ } ++ ++ /** ++ * Converts NSS key ID from a 20 byte array into a signed, variable-length ++ * hexadecimal number (to maintain compatibility with byte2string()). ++ */ ++ public static String encodeKeyID(byte[] keyID) { ++ ++ if (keyID.length != KEY_ID_LENGTH) { ++ throw new IllegalArgumentException( ++ "Unable to encode Key ID: " + Hex.encodeHexString(keyID)); ++ } ++ ++ return new BigInteger(keyID).toString(16); ++ } ++ ++ /** ++ * Converts NSS key ID from a signed, variable-length hexadecimal number ++ * into a 20 byte array, which will be identical to the original byte array. ++ */ ++ public static byte[] decodeKeyID(String id) { ++ ++ BigInteger value = new BigInteger(id, 16); ++ byte[] array = value.toByteArray(); ++ ++ if (array.length > KEY_ID_LENGTH) { ++ throw new IllegalArgumentException( ++ "Unable to decode Key ID: " + id); ++ } ++ ++ if (array.length < KEY_ID_LENGTH) { ++ ++ // extend the array with most significant bit ++ byte[] tmp = array; ++ array = new byte[KEY_ID_LENGTH]; ++ ++ // calculate the extension ++ int p = KEY_ID_LENGTH - tmp.length; ++ ++ // create filler byte based op the most significant bit ++ byte b = (byte)(value.signum() >= 0 ? 
0x00 : 0xff); ++ ++ // fill the extension with the filler byte ++ Arrays.fill(array, 0, p, b); ++ ++ // copy the original array ++ System.arraycopy(tmp, 0, array, p, tmp.length); ++ } ++ ++ return array; + } + + /** +diff --git a/base/util/test/CMakeLists.txt b/base/util/test/CMakeLists.txt +index eabda2f..cc5c07a 100644 +--- a/base/util/test/CMakeLists.txt ++++ b/base/util/test/CMakeLists.txt +@@ -20,11 +20,13 @@ javac(pki-util-test-classes + # TODO: create CMake function to find all JUnit test classes + add_junit_test(test-pki-util + CLASSPATH ++ ${SLF4J_API_JAR} ${SLF4J_JDK14_JAR} + ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} + ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} + ${HAMCREST_JAR} ${JUNIT_JAR} + ${CMAKE_BINARY_DIR}/test/classes + TESTS ++ com.netscape.cmsutil.crypto.KeyIDCodecTest + com.netscape.security.util.BMPStringTest + com.netscape.security.util.IA5StringTest + com.netscape.security.util.PrintableStringTest +diff --git a/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java b/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java +new file mode 100644 +index 0000000..e25a431 +--- /dev/null ++++ b/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java +@@ -0,0 +1,239 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2018 Red Hat, Inc. 
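Review bot: `byte2string` and `string2byte` stay public although their new Javadoc states that the round trip may not reproduce the original bytes, and the next patch on this page migrates callers to `encodeKeyID`/`decodeKeyID`; marking them `@Deprecated` with `@deprecated use {@link #encodeKeyID(byte[])} / {@link #decodeKeyID(String)}` would steer any remaining callers. In `decodeKeyID` the comment `create filler byte based op the most significant bit` should read `based on`, and it is worth noting in the Javadoc that a 40-hex-digit input with the top bit set (e.g. twenty `ff` bytes) is rejected, because `BigInteger.toByteArray()` yields 21 bytes for it — `encodeKeyID` never emits such a string, it renders those IDs as negative numbers. In the `@@ -179,6 +180,8 @@` hunk, `public final static int KEY_ID_LENGTH` would conventionally be written `public static final`.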
++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.cmsutil.crypto; ++ ++import org.junit.Assert; ++import org.junit.Test; ++ ++/** ++ * Key ID encoder and decoder validation. ++ * ++ * Key ID in NSS database is a 20 byte array. The key ID is ++ * stored in CS.cfg as a signed, variable-length, hexadecimal ++ * number. ++ * ++ * This test verifies that Key ID can be encoded and ++ * decoded correctly using the following methods: ++ * - CryptoUtil.encodeKeyID() ++ * - CryptoUtil.decodeKeyID() ++ * ++ * The test is performed against a set of valid data that ++ * covers the entire range of 20 byte array, and some invalid ++ * data as well. ++ */ ++public class KeyIDCodecTest { ++ ++ // data #1: zero ++ String DATA1_HEX = "0"; ++ ++ // 0000000000000000000000000000000000000000 ++ byte[] DATA1_BYTES = new byte[] { ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00 ++ }; ++ ++ // data #2: small positive number (with leading 0x00) ++ String DATA2_HEX = "18604db6c7a073ff08338650"; ++ ++ // 000000000000000018604db6c7a073ff08338650 ++ byte[] DATA2_BYTES = new byte[] { ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x18, (byte)0x60, (byte)0x4d, (byte)0xb6, ++ (byte)0xc7, (byte)0xa0, (byte)0x73, (byte)0xff, ++ (byte)0x08, (byte)0x33, (byte)0x86, (byte)0x50 ++ }; ++ ++ // data #3: large positive number ++ String DATA3_HEX = "446ed35d7e811e7f73d0d1f220afc60083deba74"; ++ ++ // 446ed35d7e811e7f73d0d1f220afc60083deba74 ++ byte[] DATA3_BYTES = new byte[] { ++ (byte)0x44, (byte)0x6e, (byte)0xd3, (byte)0x5d, ++ (byte)0x7e, (byte)0x81, (byte)0x1e, (byte)0x7f, ++ (byte)0x73, (byte)0xd0, (byte)0xd1, (byte)0xf2, ++ (byte)0x20, (byte)0xaf, (byte)0xc6, (byte)0x00, ++ (byte)0x83, (byte)0xde, 
(byte)0xba, (byte)0x74 ++ }; ++ ++ // data #4: highest 20-byte number ++ String DATA4_HEX = "7fffffffffffffffffffffffffffffffffffffff"; ++ ++ // 7fffffffffffffffffffffffffffffffffffffff ++ byte[] DATA4_BYTES = new byte[] { ++ (byte)0x7f, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff ++ }; ++ ++ // data #5: negative one ++ String DATA5_HEX = "-1"; ++ ++ // ffffffffffffffffffffffffffffffffffffffff ++ byte[] DATA5_BYTES = new byte[] { ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff ++ }; ++ ++ // data 6: small negative number (with leading 0xff) ++ String DATA6_HEX = "-314bd3fd90753fe3687d358d"; ++ ++ // ffffffffffffffffffffceb42c026f8ac01c9782ca73 ++ byte[] DATA6_BYTES = new byte[] { ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, ++ (byte)0xce, (byte)0xb4, (byte)0x2c, (byte)0x02, ++ (byte)0x6f, (byte)0x8a, (byte)0xc0, (byte)0x1c, ++ (byte)0x97, (byte)0x82, (byte)0xca, (byte)0x73 ++ }; ++ ++ // data #7: large negative number ++ String DATA7_HEX = "-16e096b561838ac32855acc30a09e6a2d9adc120"; ++ ++ // e91f694a9e7c753cd7aa533cf5f6195d26523ee0 ++ byte[] DATA7_BYTES = new byte[] { ++ (byte)0xe9, (byte)0x1f, (byte)0x69, (byte)0x4a, ++ (byte)0x9e, (byte)0x7c, (byte)0x75, (byte)0x3c, ++ (byte)0xd7, (byte)0xaa, (byte)0x53, (byte)0x3c, ++ (byte)0xf5, (byte)0xf6, (byte)0x19, (byte)0x5d, ++ (byte)0x26, (byte)0x52, (byte)0x3e, (byte)0xe0 ++ }; ++ ++ // data #8: lowest 20-byte number ++ String DATA8_HEX = "-8000000000000000000000000000000000000000"; ++ ++ // 8000000000000000000000000000000000000000 ++ byte[] DATA8_BYTES = new byte[] { 
++ (byte)0x80, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, ++ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00 ++ }; ++ ++ Object[][] TEST_DATA = { ++ new Object[] { DATA1_BYTES, DATA1_HEX }, ++ new Object[] { DATA2_BYTES, DATA2_HEX }, ++ new Object[] { DATA3_BYTES, DATA3_HEX }, ++ new Object[] { DATA4_BYTES, DATA4_HEX }, ++ new Object[] { DATA5_BYTES, DATA5_HEX }, ++ new Object[] { DATA6_BYTES, DATA6_HEX }, ++ new Object[] { DATA7_BYTES, DATA7_HEX }, ++ new Object[] { DATA8_BYTES, DATA8_HEX } ++ }; ++ ++ @Test ++ public void testEncoder() throws Exception { ++ ++ System.out.println("Testing Key ID encoder with valid data:"); ++ ++ for (int i = 0; i < TEST_DATA.length; i++) { ++ System.out.println(" - data #" + (i + 1)); ++ ++ byte[] bytes = (byte[])TEST_DATA[i][0]; ++ String hex = (String)TEST_DATA[i][1]; ++ ++ String result = CryptoUtil.encodeKeyID(bytes); ++ Assert.assertEquals(hex, result); ++ } ++ ++ System.out.println("Testing Key ID encoder with invalid data:"); ++ ++ try { ++ System.out.println(" - null data"); ++ CryptoUtil.encodeKeyID(null); ++ Assert.fail("should throw NullPointerException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof NullPointerException); ++ } ++ ++ try { ++ System.out.println(" - empty data"); ++ CryptoUtil.encodeKeyID(new byte[] {}); ++ Assert.fail("should throw IllegalArgumentException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof IllegalArgumentException); ++ } ++ ++ try { ++ System.out.println(" - incorrect length data"); ++ CryptoUtil.encodeKeyID(new byte[] { (byte)0x24, (byte)0xac }); ++ Assert.fail("should throw IllegalArgumentException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof IllegalArgumentException); ++ } ++ } ++ ++ @Test ++ public void testDecoder() throws Exception { ++ ++ System.out.println("Testing Key ID decoder with 
valid data:"); ++ ++ for (int i = 0; i < TEST_DATA.length; i++) { ++ System.out.println(" - data #" + (i + 1)); ++ ++ byte[] bytes = (byte[])TEST_DATA[i][0]; ++ String hex = (String)TEST_DATA[i][1]; ++ ++ byte[] result = CryptoUtil.decodeKeyID(hex); ++ Assert.assertArrayEquals(bytes, result); ++ } ++ ++ System.out.println("Testing Key ID decoder with invalid data:"); ++ ++ try { ++ System.out.println(" - null data"); ++ CryptoUtil.decodeKeyID(null); ++ Assert.fail("should throw NullPointerException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof NullPointerException); ++ } ++ ++ try { ++ System.out.println(" - empty data"); ++ CryptoUtil.decodeKeyID(""); ++ Assert.fail("should throw IllegalArgumentException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof IllegalArgumentException); ++ } ++ ++ try { ++ System.out.println(" - incorrect length data"); ++ CryptoUtil.decodeKeyID("ffffffffffffffffffffffffffffffffffffffffff"); ++ Assert.fail("should throw IllegalArgumentException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof IllegalArgumentException); ++ } ++ ++ try { ++ System.out.println(" - garbage data"); ++ CryptoUtil.decodeKeyID("garbage"); ++ Assert.fail("should throw NumberFormatException"); ++ } catch (Exception e) { ++ Assert.assertTrue(e instanceof NumberFormatException); ++ } ++ } ++} +-- +1.8.3.1 + + +From 13b98e81cfc2c92fe435f0d3b0fa4017cb44c608 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 12 Feb 2018 18:20:57 +0100 +Subject: [PATCH 5/7] Fixed Key ID encoding and decoding. + +The code that encodes and decodes NSS key ID has been changed to +use CryptoUtil.encodeKeyID() and decodeKeyID(), respectively. 
+ +https://pagure.io/dogtagpki/issue/2884 + +Change-Id: Ic97a9f8ea1ad7819c8f6ff0faf732ee04a2174e8 +(cherry picked from commit 275b706f0e38288db6c4c900b7116c9816ba82a7) +(cherry picked from commit d9969e2c2c5895056d4ecdb04718d5a4473c297d) +--- + base/ca/src/com/netscape/ca/SigningUnit.java | 2 +- + base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 2 +- + base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 2 +- + base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 2 +- + base/ocsp/src/com/netscape/ocsp/SigningUnit.java | 2 +- + .../cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 6 +++--- + .../com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 12 ++++++------ + .../src/org/dogtagpki/server/rest/SystemConfigService.java | 2 +- + 8 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java +index 7cd0dd4..ecd2a81 100644 +--- a/base/ca/src/com/netscape/ca/SigningUnit.java ++++ b/base/ca/src/com/netscape/ca/SigningUnit.java +@@ -190,7 +190,7 @@ public final class SigningUnit implements ISigningUnit { + throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e); + } + +- String privateKeyID = CryptoUtil.byte2string(mPrivk.getUniqueID()); ++ String privateKeyID = CryptoUtil.encodeKeyID(mPrivk.getUniqueID()); + CMS.debug("SigningUnit: private key ID: " + privateKeyID); + + mPubk = mCert.getPublicKey(); +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 8146cee..4e40143 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -2163,7 +2163,7 @@ public class CMCRequest { + } else { + System.out.println("got request privKeyId: " + privKeyId); + +- byte[] keyIDb = CryptoUtil.string2byte(privKeyId); ++ byte[] keyIDb = 
CryptoUtil.decodeKeyID(privKeyId); + + privk = CryptoUtil.findPrivateKeyFromID(keyIDb); + +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index eadf3a8..bc95983 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -475,7 +475,7 @@ public class CRMFPopClient { + PrivateKey privateKey = (PrivateKey) keyPair.getPrivate(); + @SuppressWarnings("deprecation") + byte id[] = privateKey.getUniqueID(); +- String kid = CryptoUtil.byte2string(id); ++ String kid = CryptoUtil.encodeKeyID(id); + System.out.println("Keypair private key id: " + kid); + + if (hostPort != null) { +diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +index d2278b8..9f39430 100644 +--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java ++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +@@ -303,7 +303,7 @@ public class PKCS10Client { + PrivateKey privateKey = (PrivateKey) pair.getPrivate(); + @SuppressWarnings("deprecation") + byte id[] = privateKey.getUniqueID(); +- String kid = CryptoUtil.byte2string(id); ++ String kid = CryptoUtil.encodeKeyID(id); + System.out.println("Keypair private key id: " + kid); + System.out.println(""); + +diff --git a/base/ocsp/src/com/netscape/ocsp/SigningUnit.java b/base/ocsp/src/com/netscape/ocsp/SigningUnit.java +index 686f1ed..4ed1625 100644 +--- a/base/ocsp/src/com/netscape/ocsp/SigningUnit.java ++++ b/base/ocsp/src/com/netscape/ocsp/SigningUnit.java +@@ -159,7 +159,7 @@ public final class SigningUnit implements ISigningUnit { + CMS.debug("SigningUnit: Loading private key"); + mPrivk = mManager.findPrivKeyByCert(mCert); + +- String privateKeyID = CryptoUtil.byte2string(mPrivk.getUniqueID()); ++ String privateKeyID = CryptoUtil.encodeKeyID(mPrivk.getUniqueID()); + 
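Review bot: The new `CryptoUtil.decodeKeyID(privKeyId)` call on the first line of the hunk is not guarded, and per the CryptoUtilTest added earlier in this patch series the decoder raises NumberFormatException for garbage, IllegalArgumentException for an empty or wrong-length string and NullPointerException for null, all unchecked. Since `privKeyId` is echoed as "got request privKeyId" just above, it presumably comes from the tool's request configuration, so a typo there would end the run with a bare stack trace instead of naming the bad value. Wrapping the call, e.g. `} catch (NumberFormatException | IllegalArgumentException e) { /* report "invalid privKeyId: " + privKeyId the way the surrounding method reports other config errors */ }`, would make that failure explicit; the enclosing method starts and ends outside the hunk, so the existing error-reporting style is not visible here.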
CMS.debug("SigningUnit: private key ID: " + privateKeyID); + + mPubk = mCert.getPublicKey(); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +index da4f17f..12d4ac1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +@@ -154,7 +154,7 @@ public class CertUtil { + } + // get private key + String privKeyID = config.getString(prefix + certTag + ".privkey.id"); +- byte[] keyIDb = CryptoUtil.string2byte(privKeyID); ++ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyID); + + PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); + +@@ -546,7 +546,7 @@ public class CertUtil { + PrivateKey caPrik = (PrivateKey) pk; + */ + String caPriKeyID = config.getString(prefix + "signing" + ".privkey.id"); +- byte[] keyIDb = CryptoUtil.string2byte(caPriKeyID); ++ byte[] keyIDb = CryptoUtil.decodeKeyID(caPriKeyID); + PrivateKey caPrik = CryptoUtil.findPrivateKeyFromID(keyIDb); + + if (caPrik == null) { +@@ -761,7 +761,7 @@ public class CertUtil { + } else { + String str = ""; + try { +- str = CryptoUtil.byte2string(privKey.getUniqueID()); ++ str = CryptoUtil.encodeKeyID(privKey.getUniqueID()); + } catch (Exception e) { + CMS.debug("CertUtil privateKeyExistsOnToken: encode string Exception: " + e.toString()); + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 1d37d73..0a5cd2e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -2379,7 +2379,7 @@ public class ConfigurationUtils { + + PrivateKey privateKey = (PrivateKey) pair.getPrivate(); + byte id[] = privateKey.getUniqueID(); +- String kid = CryptoUtil.byte2string(id); ++ String 
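Review bot: In the CertUtil hunks at lines 154 and 546, `decodeKeyID` is now applied to `privkey.id` values read back from the config store, but instances deployed before this change still hold values written by `byte2string`, and the two encodings are not shown to be the same: the CryptoUtilTest in this series encodes twenty 0xff bytes as `"-1"` and rejects a 42-character `ff…` string with IllegalArgumentException, i.e. the new format is a signed BigInteger hex string, whereas `byte2string` presumably produced unsigned hex. A stored 40-character unsigned value with the high bit set would therefore be parsed as a positive number and could be rejected or decode to a different byte length; the same concern applies to the `decodeKeyID` calls in the ConfigurationUtils hunks at lines 2439, 2461 and 3009. Either confirm that `decodeKeyID` accepts the legacy unsigned form or add an upgrade step that rewrites stored `privkey.id` values, and say which in the commit message. The enclosing methods start and end outside the hunks.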
kid = CryptoUtil.encodeKeyID(id); + config.putString(PCERT_PREFIX + tag + ".privkey.id", kid); + + String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm"); +@@ -2439,10 +2439,10 @@ public class ConfigurationUtils { + + // XXX - store curve , w + byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); +- String kid = CryptoUtil.byte2string(id); ++ String kid = CryptoUtil.encodeKeyID(id); + + // try to locate the private key +- org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); ++ org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.decodeKeyID(kid)); + if (privk == null) { + CMS.debug("Found bad ECC key id " + kid); + pair = null; +@@ -2461,11 +2461,11 @@ public class ConfigurationUtils { + do { + pair = CryptoUtil.generateRSAKeyPair(token, keysize); + byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); +- String kid = CryptoUtil.byte2string(id); ++ String kid = CryptoUtil.encodeKeyID(id); + + // try to locate the private key + org.mozilla.jss.crypto.PrivateKey privk = +- CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); ++ CryptoUtil.findPrivateKeyFromID(CryptoUtil.decodeKeyID(kid)); + + if (privk == null) { + CMS.debug("Found bad RSA key id " + kid); +@@ -3009,7 +3009,7 @@ public class ConfigurationUtils { + String privKeyID = config.getString(PCERT_PREFIX + certTag + ".privkey.id"); + + CMS.debug("generateCertRequest: private key ID: " + privKeyID); +- byte[] keyIDb = CryptoUtil.string2byte(privKeyID); ++ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyID); + + PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); + if (privk == null) { +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 575f97c..5130a1a 100644 +--- 
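Review bot: In the ConfigurationUtils hunks at lines 2439 and 2461, `CryptoUtil.findPrivateKeyFromID(CryptoUtil.decodeKeyID(kid))` decodes the string that was produced two lines earlier from the same `id` byte array, and nothing says why the round trip is wanted. If the intent is to prove that the persisted string form resolves back to the key, a comment such as `// round-trip through the encoded form so the ID we persist is known to resolve to this key` would stop the next reader from simplifying it to `findPrivateKeyFromID(id)`; if no such check is intended, passing `id` directly avoids the decode and its unchecked exceptions. Both hunks are cut from their enclosing loops, so the retry logic around the null check is not visible here.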
a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+@@ -532,7 +532,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+
+ cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
+ cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
+- cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.byte2string(privk.getUniqueID()));
++ cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID()));
+ cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm());
+ cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType());
+ }
+--
+1.8.3.1
+
+
+From cb17add9f01bb418f567c156c8bcf01113700b83 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Thu, 15 Feb 2018 20:06:26 +0100
+Subject: [PATCH 6/7] Fixed SERVER_SIDE_KEYGEN_REQUEST_PROCESSED filter in KRA.
+
+The filter definition for SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
+event in KRA's CS.cfg has been updated to fix a typo.
+
+https://pagure.io/dogtagpki/issue/2656
+
+Change-Id: I6f2e3d38597355e04b1899aeb324db43caefd4df
+(cherry picked from commit d7db5fa81f9cda0997779e0ce57a309263669f1f)
+(cherry picked from commit 6af503a10b95077780c15126e7af8336364854dc)
+---
+ base/kra/shared/conf/CS.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 06bd0fe..f314234 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -317,7 +317,7 @@ log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outco
+ log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure)
+-log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)
++log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+--
+1.8.3.1
+
+
+From eda0b35693530a8ad796ac9012f5bee7db6dd9ac Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Fri, 16 Feb 2018 18:00:09 +0100
+Subject: [PATCH 7/7] Fixed NSSDatabase.add_ca_cert().
+
+The NSSDatabase.add_ca_cert() has been modified to import CA
+certificates into internal token instead of HSM since trust
+validation is done by NSS using internal token.
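Review bot: The corrected filter line only reaches the shipped template `base/kra/shared/conf/CS.cfg`; if deployed KRA instances keep their own copy of CS.cfg, they will retain the removed line, which both leaves SERVER_SIDE_KEYGEN_REQUEST_PROCESSED without a failure filter and, with last-definition-wins parsing, presumably replaced the SERVER_SIDE_KEYGEN_REQUEST filter with the malformed value `PROCESSED (Outcome=Failure)`. An upgrade step that rewrites `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)` to `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)` on existing instances, or a note in the commit message that one is required, would close that gap for installations already in the field.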
+
+https://pagure.io/dogtagpki/issue/2944
+
+Change-Id: I460cd752d741f3f91306c510ce469a023828343b
+(cherry picked from commit 2f8fa5bb2d33bf80e8a19f1e30697be3bb5de915)
+(cherry picked from commit cefae7941c0894a35dbebaf8f076a1941b910d93)
+---
+ base/common/python/pki/nssdb.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index 7c2602e..934fe8b 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -201,15 +201,25 @@ class NSSDatabase(object):
+ subprocess.check_call(cmd)
+
+ def add_ca_cert(self, cert_file, trust_attributes=None):
++
++ # Import CA certificate into internal token with automatically
++ # assigned nickname.
++
++ # If the certificate has previously been imported, it will keep
++ # the existing nickname. If the certificate has not been imported,
++ # JSS will generate a nickname based on root CA's subject DN.
++
++ # For example, if the root CA's subject DN is "CN=CA Signing
++ # Certificate, O=EXAMPLE", the root CA cert's nickname will be
++ # "CA Signing Certificate - EXAMPLE". The subordinate CA cert's
++ # nickname will be "CA Signing Certificate - EXAMPLE #2".
++
+ cmd = [
+ 'pki',
+ '-d', self.directory,
+- '-C', self.password_file
++ '-C', self.internal_password_file
+ ]
+
+- if self.token:
+- cmd.extend(['--token', self.token])
+-
+ cmd.extend([
+ 'client-cert-import',
+ '--ca-cert', cert_file
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch b/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
deleted file mode 100644
index 5be0f9c..0000000
--- a/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
+++ /dev/null
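Review bot: `self.internal_password_file` replaces `self.password_file` in the `-C` argument, but nothing in the hunk guards against it being unset; if an `NSSDatabase` can be built without an internal password file (a token-only caller that previously relied on `password_file` and `--token`), `cmd` would contain `None` and `subprocess` would fail with a TypeError rather than a message naming the cause. A guard before building `cmd`, e.g. `if not self.internal_password_file: raise ValueError('internal token password file is required to import a CA certificate')`, would make that explicit — the constructor is outside the hunk, so confirm whether the attribute is optional. The explanatory comment about nickname assignment would also serve better as the method's docstring, where it could state that the import now always targets the internal token regardless of `self.token` and what `trust_attributes` (still accepted) does. The function body continues past the end of the hunk.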
@@ -1,28 +0,0 @@ -From ad8c47aaf675bbda7b2ab50e6fc20b22862f83c3 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Tue, 23 May 2017 11:46:41 -0600 -Subject: [PATCH] Always check FIPS mode at installation time - -- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error - -(cherry picked from commit 3249ddc2c19f6f5ded11823b345c9c58bae4750b) ---- - base/server/python/pki/server/deployment/scriptlets/initialization.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py -index 0e31543..4dc4e9a 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/initialization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py -@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # ALWAYS establish 'uid' and 'gid' - deployer.identity.set_uid(deployer.mdict['pki_user']) - deployer.identity.set_gid(deployer.mdict['pki_group']) -+ # ALWAYS check FIPS mode -+ deployer.fips.is_fips_enabled() - # ALWAYS initialize HSMs (when and if present) - deployer.hsm.initialize() - if config.str2bool(deployer.mdict['pki_skip_installation']): --- -1.8.3.1 - diff --git a/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch b/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch deleted file mode 100644 index 2783a45..0000000 --- a/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch +++ /dev/null 
@@ -1,615 +0,0 @@ -From 32cf3850935590f7f4cd457b824cc296b6af44b9 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 14 Jun 2017 14:57:10 -0700 -Subject: [PATCH 2/4] Ticket#2737 CMC: check HTTPS client authentication cert - against CMC signer - -This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert. -Some auditing adjustments are also done. - -(cherry picked from commit 63c9582009b3858a6878863b9658d04c9aad45c1) ---- - base/ca/shared/conf/CS.cfg | 3 +- - .../com/netscape/certsrv/base/SessionContext.java | 7 + - .../cms/authentication/CMCUserSignedAuth.java | 220 ++++++++++++++------- - .../profile/constraint/UniqueKeyConstraint.java | 8 +- - .../com/netscape/cms/servlet/base/CMSServlet.java | 10 +- - .../servlet/profile/ProfileSubmitCMCServlet.java | 7 + - base/server/cmsbundle/src/LogMessages.properties | 4 +- - 7 files changed, 175 insertions(+), 84 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index d1bf7db..4da7429 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -734,11 +734,10 @@ ca.publish.rule.instance.LdapXCertRule.pluginName=Rule - ca.publish.rule.instance.LdapXCertRule.predicate= - ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher - ca.publish.rule.instance.LdapXCertRule.type=xcert --cmc.cert.confirmRequired=false - cmc.popLinkWitnessRequired=false --cmc.revokeCert.verify=true - cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret - cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -+cmc.token=internal - cms.passwordlist=internaldb,replicationdb - cms.password.ignore.publishing.failure=true - cms.version=@APPLICATION_VERSION_MAJOR@.@APPLICATION_VERSION_MINOR@ -diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java -index 
8bcb3c1..9323e6e 100644 ---- a/base/common/src/com/netscape/certsrv/base/SessionContext.java -+++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java -@@ -56,6 +56,13 @@ public class SessionContext extends Hashtable { - * Principal name object of the signed CMC request - */ - public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal"; -+ public static final String CMC_SIGNER_INFO = "cmcSignerInfo"; -+ public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject"; -+ -+ /** -+ * authenticated SSL client certificate -+ */ -+ public static final String SSL_CLIENT_CERT = "sslClientCert"; - - /** - * User object of the authenticated user in the current thread. -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index 2e4d6dc..6c3ee8f 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -28,6 +28,7 @@ package com.netscape.cms.authentication; - import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; -+import java.security.cert.X509Certificate; - import java.math.BigInteger; - import java.security.MessageDigest; - import java.security.PublicKey; -@@ -260,11 +261,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - CMS.debug(method + "begins"); - - String auditMessage = null; -- String auditSubjectID = auditSubjectID(); -+ String auditSubjectID = getAuditSubjectID(); - String auditReqType = ILogger.UNIDENTIFIED; -- String auditCertSubject = ILogger.UNIDENTIFIED; -+ String requestCertSubject = ILogger.UNIDENTIFIED; - String auditSignerInfo = ILogger.UNIDENTIFIED; - -+ SessionContext auditContext = SessionContext.getExistingContext(); -+ -+ // create audit context if clientCert exists -+ X509Certificate clientCert = -+ 
(X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); -+ // null is okay, as it is not required in case of self-sign; -+ // will be checked later -+ if (clientCert != null) { -+ try { -+ createAuditSubjectFromCert(auditContext, clientCert); -+ } catch (IOException e) { -+ //unlikely, and not necessarily required at this point -+ CMS.debug("CMSUserSignedAuth: authenticate: after createAuditSubjectFromCert call; " + e); -+ } -+ } -+ - // ensure that any low-level exceptions are reported - // to the signed audit log and stored as failures - try { -@@ -296,8 +313,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - throw new EInvalidCredentials(msg); - } - -- SessionContext auditContext = SessionContext.getExistingContext(); -- - // authenticate by checking CMC. - - // everything OK. -@@ -364,13 +379,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } - // reset value of auditSignerInfo - if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { -- CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); -- auditSignerInfo = uid.trim(); -+ //CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); -+ //auditSignerInfo = uid.trim(); - auditSubjectID = uid.trim(); - authToken.set(IAuthToken.USER_ID, auditSubjectID); - } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { -- CMS.debug(method + "setting auditSignerInfo to userid:" + userid); -- auditSignerInfo = userid.trim(); -+ //CMS.debug(method + "setting auditSignerInfo to userid:" + userid); -+ //auditSignerInfo = userid.trim(); - auditSubjectID = userid.trim(); - authToken.set(IAuthToken.USER_ID, auditSubjectID); - } -@@ -538,16 +553,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } - - PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); -- // reset value of auditCertSubject -+ // reset value of requestCertSubject - X500Name tempName = pkcs10.getSubjectName(); 
- CMS.debug(method + "request subject name=" + tempName.toString()); - if (tempName != null) { -- auditCertSubject = tempName.toString().trim(); -- if (auditCertSubject.equals("")) { -- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ requestCertSubject = tempName.toString().trim(); -+ if (requestCertSubject.equals("")) { -+ requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, -- auditCertSubject/*tempName.toString()*/); -+ requestCertSubject/*tempName.toString()*/); -+ auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); - } - - if (selfSigned) { -@@ -632,17 +648,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // xxx do we need to do anything else? - X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); - -- // reset value of auditCertSubject -+ // reset value of requestCertSubject - if (name != null) { - String ss = name.getRFC1485(); - -- CMS.debug(method + "setting auditCertSubject to: " + ss); -- auditCertSubject = ss; -- if (auditCertSubject.equals("")) { -- auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ CMS.debug(method + "setting requestCertSubject to: " + ss); -+ requestCertSubject = ss; -+ if (requestCertSubject.equals("")) { -+ requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); -+ auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); - //authToken.set("uid", uid); - //authToken.set("userid", userid); - } -@@ -696,10 +713,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - authToken.set("uid", uid); - authToken.set("userid", userid); -+ } catch (EMissingCredential e) { -+ throw e; -+ } catch (EInvalidCredentials e) { -+ throw e; - } catch (Exception e) { -- CMS.debug(method + e); -+ //CMS.debug(method + e); - //Debug.printStackTrace(e); -- throw new EInvalidCredentials(e.toString()); -+ //throw new 
EInvalidCredentials(e.toString()); -+ throw e; - } - - // For accuracy, make sure revocation by shared secret doesn't -@@ -709,11 +731,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, -- auditSubjectID, -+ getAuditSubjectID(), - ILogger.SUCCESS, - auditReqType, -- auditCertSubject, -- auditSignerInfo); -+ getRequestCertSubject(auditContext), -+ getAuditSignerInfo(auditContext)); - - audit(auditMessage); - } else { -@@ -725,17 +747,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - return authToken; - } catch (EMissingCredential eAudit1) { - CMS.debug(method + eAudit1); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo, -- eAudit1.toString()); -- -- audit(auditMessage); - - // rethrow the specific exception to be handled later - throw eAudit1; -@@ -744,11 +755,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -- auditSubjectID, -+ getAuditSubjectID(), - ILogger.FAILURE, - auditReqType, -- auditCertSubject, -- auditSignerInfo, -+ getRequestCertSubject(auditContext), -+ getAuditSignerInfo(auditContext), - eAudit2.toString()); - - audit(auditMessage); -@@ -760,11 +771,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -- auditSubjectID, -+ getAuditSubjectID(), - ILogger.FAILURE, - auditReqType, -- auditCertSubject, -- 
auditSignerInfo, -+ getRequestCertSubject(auditContext), -+ getAuditSignerInfo(auditContext), - eAudit3.toString()); - - audit(auditMessage); -@@ -776,17 +787,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -- auditSubjectID, -+ getAuditSubjectID(), - ILogger.FAILURE, - auditReqType, -- auditCertSubject, -- auditSignerInfo, -+ getRequestCertSubject(auditContext), -+ getAuditSignerInfo(auditContext), - eAudit4.toString()); - - audit(auditMessage); - -- // rethrow the specific exception to be handled later -- throw eAudit4; -+ // rethrow the exception to be handled later -+ throw new EBaseException(eAudit4); - } - } - -@@ -935,8 +946,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - SessionContext auditContext, // to capture info in case of failure - AuthToken authToken, - SignedData cmcFullReq) -- throws EBaseException { -+ throws EBaseException, EInvalidCredentials, EMissingCredential { - String method = "CMCUserSignedAuth: verifySignerInfo: "; -+ String msg = ""; - CMS.debug(method + "begins"); - EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - OBJECT_IDENTIFIER id = ci.getContentType(); -@@ -1001,7 +1013,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - if (cmcFullReq.hasCertificates()) { - SET certs = cmcFullReq.getCertificates(); - int numCerts = certs.size(); -- java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; -+ X509Certificate[] x509Certs = new X509Certificate[1]; - byte[] certByteArray = new byte[0]; - for (int j = 0; j < numCerts; j++) { - Certificate certJss = (Certificate) certs.elementAt(j); -@@ -1029,25 +1041,44 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } - - CMS.debug(method + "start checking signature"); -- String CN 
= null; - if (cert == null) { - // find from certDB - CMS.debug(method + "verifying signature"); - si.verify(digest, id); - } else { -- CMS.debug(method + "found signing cert... verifying"); -+ CMS.debug(method + "found CMC signing cert... verifying"); -+ -+ X509Certificate clientCert = -+ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); -+ // user-signed case requires ssl client authentication -+ if (clientCert == null) { -+ createAuditSubjectFromCert(auditContext, x509Certs[0]); -+ msg = "missing SSL client authentication certificate;"; -+ CMS.debug(method + msg); -+ s.close(); -+ throw new EMissingCredential( -+ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); -+ } -+ netscape.security.x509.X500Name clientPrincipal = -+ (X500Name) clientCert.getSubjectDN(); - -- // capture auditSubjectID first in case of failure -- netscape.security.x509.X500Name principal = -+ netscape.security.x509.X500Name cmcPrincipal = - (X500Name) x509Certs[0].getSubjectDN(); - - // capture signer principal to be checked against - // cert subject principal later in CMCOutputTemplate - // in case of user signed revocation -- auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal); -- CN = principal.getCommonName(); //tempToken.get("userid"); -- CMS.debug(method + " Principal name = " + CN); -- auditContext.put(SessionContext.USER_ID, CN); -+ auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal); -+ auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName()); -+ -+ // check ssl client cert against cmc signer -+ if (!clientPrincipal.equals(cmcPrincipal)) { -+ msg = "SSL client authentication certificate and CMC signer do not match"; -+ CMS.debug(method + msg); -+ s.close(); -+ throw new EInvalidCredentials( -+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); -+ } - - PublicKey signKey = cert.getPublicKey(); - PrivateKey.Type keyType = null; -@@ -1064,10 +1095,11 @@ public class CMCUserSignedAuth implements 
IAuthManager, IExtendedPluginInfo, - byte publicKeyData[] = ((X509Key) signKey).getEncoded(); - pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); - } else { -- CMS.debug(method + "unsupported signature algorithm: " + alg); -+ msg = "unsupported signature algorithm: " + alg; -+ CMS.debug(method + msg); - s.close(); - throw new EInvalidCredentials( -- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); - } - - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", -@@ -1095,9 +1127,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // ...or not; I think it just checks usage and - // validity, but not revocation status - if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { -- CMS.debug(method + "CMC signature failed to be verified"); -+ msg = "CMC signing cert is invalid"; -+ CMS.debug(method + msg); - s.close(); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); - } else { - CMS.debug(method + "CMC signature verified; but signer not yet;"); - } -@@ -1105,28 +1138,28 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - // now check revocation status of the cert - if (CMS.isRevoked(x509Certs)) { -- CMS.debug(method + "CMC signing cert is a revoked certificate"); -+ msg = "CMC signing cert is a revoked certificate"; -+ CMS.debug(method + msg); - s.close(); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); - } - try { //do this again anyways - cert.checkValidity(); - } catch (CertificateExpiredException e) { -- CMS.debug(method + "CMC signing cert is an expired 
certificate"); -+ msg = "CMC signing cert is an expired certificate"; -+ CMS.debug(method + msg); - s.close(); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); - } catch (Exception e) { - CMS.debug(method + e.toString()); - s.close(); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + e.toString()); - } - - IAuthToken tempToken = new AuthToken(null); --/* - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); - String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); - CMS.debug(method + " Principal name = " + CN); --*/ - - BigInteger certSerial = x509Certs[0].getSerialNumber(); - CMS.debug(method + " verified cert serial=" + certSerial.toString()); -@@ -1137,7 +1170,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - return tempToken; - - } else { -- CMS.debug(method + "no certificate found in cmcFullReq"); -+ msg = "no certificate found in cmcFullReq"; -+ CMS.debug(method + msg); -+ throw new EMissingCredential(msg); - } - } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) { - CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER"); -@@ -1150,19 +1185,20 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - s.close(); - return tempToken; - } else { -- CMS.debug(method + "unsupported SignerIdentifier type"); -+ msg = "unsupported SignerIdentifier type"; -+ CMS.debug(method + msg); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); - } - } //for - -+ } catch (EMissingCredential e) { -+ throw e; -+ } catch (EInvalidCredentials e) { -+ throw e; - } catch (InvalidBERException e) { 
-- CMS.debug(method + e.toString()); -- } catch (IOException e) { -- CMS.debug(method + e.toString()); -- } catch (NotInitializedException e) { -- CMS.debug(method + e.toString()); -+ CMS.debug(method + e); - } catch (Exception e) { -- CMS.debug(method + e.toString()); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ CMS.debug(method + e); - } finally { - if ((tokenSwitched == true) && (savedToken != null)) { - cm.setThreadToken(savedToken); -@@ -1173,6 +1209,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - } - -+ private void createAuditSubjectFromCert ( -+ SessionContext auditContext, -+ X509Certificate cert) -+ throws IOException { -+ String method = "CMCUserSignedAuth:createAuditSubjectFromCert: "; -+ -+ // capture auditSubjectID first in case of failure -+ netscape.security.x509.X500Name principal = -+ (X500Name) cert.getSubjectDN(); -+ -+ String CN = principal.getCommonName(); -+ CMS.debug(method + " Principal name = " + CN); -+ auditContext.put(SessionContext.USER_ID, CN); -+ } -+ - public String[] getExtendedPluginInfo(Locale locale) { - return null; - } -@@ -1274,7 +1325,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - * - * @return id string containing the signed audit log message SubjectID - */ -- private String auditSubjectID() { -+ private String getAuditSubjectID() { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; -@@ -1299,4 +1350,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - return subjectID; - } -+ -+ private String getAuditSignerInfo(SessionContext auditContext) { -+ String signerSubject = (String)auditContext.get(SessionContext.CMC_SIGNER_INFO); -+ if (signerSubject == null) -+ signerSubject = "$Unidentified$"; -+ -+ return signerSubject; -+ } -+ -+ private String getRequestCertSubject(SessionContext auditContext) { -+ String certSubject = 
(String)auditContext.get(SessionContext.CMC_REQUEST_CERT_SUBJECT); -+ if (certSubject == null) -+ certSubject = "$Unidentified$"; -+ -+ return certSubject; -+ } -+ - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -index 33cc7a9..030995a 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -@@ -219,12 +219,14 @@ public class UniqueKeyConstraint extends EnrollConstraint { - Date origNotAfter = null; - boolean first = true; - while (e != null && e.hasMoreElements()) { -+ CMS.debug(method + msg); - ICertRecord rec = e.nextElement(); - BigInteger serial = rec.getSerialNumber(); -+ msg = msg + "existing cert with same key found: " + serial.toString() + ";"; - - if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) - || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { -- msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";"; -+ msg = msg + "revoked cert cannot be renewed;"; - CMS.debug(method + msg); - rejected = true; - // this has to break -@@ -232,7 +234,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { - } - if (!rec.getStatus().equals(ICertRecord.STATUS_VALID) - && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) { -- CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString()); -+ CMS.debug(method + "invalid cert cannot be renewed; continue;" + serial.toString()); - // can still find another one to renew - continue; - } -@@ -297,7 +299,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { - } // (size > 0) - - if (rejected == true) { -- CMS.debug(method + " rejected"); -+ CMS.debug(method + " rejected: " + msg); - throw new ERejectException(msg); - } else { - CMS.debug(method + " approved"); -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index 9dc7470..65dc06a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -843,6 +843,10 @@ public abstract class CMSServlet extends HttpServlet { - * get ssl client authenticated certificate - */ - protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq) throws EBaseException { -+ return getSSLClientCertificate(httpReq, true); -+ } -+ -+ protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq, boolean clientCertRequired) throws EBaseException { - - X509Certificate cert = null; - -@@ -855,7 +859,11 @@ public abstract class CMSServlet extends HttpServlet { - X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR); - - if (allCerts == null || allCerts.length == 0) { -- throw new EBaseException("You did not provide a valid certificate for this operation"); -+ if (!clientCertRequired) { -+ return null; -+ } else { -+ throw new EBaseException("You did not provide a valid certificate for this operation"); -+ } - } - - cert = allCerts[0]; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 330b5ff..73195e9 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -19,6 +19,7 @@ package com.netscape.cms.servlet.profile; - - import java.io.InputStream; - import java.io.OutputStream; -+import java.security.cert.X509Certificate; - import java.util.Enumeration; - import java.util.Locale; - -@@ -169,6 +170,12 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - String authMgrID = 
authenticator.getName(); - SessionContext sc = SessionContext.getContext(); - -+ X509Certificate clientCert = -+ getSSLClientCertificate(request, false /*cert may not be required*/); -+ if (clientCert != null) { -+ sc.put(SessionContext.SSL_CLIENT_CERT, clientCert); -+ } -+ - try { - authToken = authenticator.authenticate(credentials); - if (sc != null) { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 9490098..5e51440 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2208,10 +2208,10 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][CMCSignerInfo={4}][info={5}] User signed CMC request signature verification failure - - # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST - # - used for TPS to TKS to get random challenge data --- -1.8.3.1 - diff --git a/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch b/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch deleted file mode 100644 index 25d8f46..0000000 --- a/SOURCES/pki-core-CMC-id-cmc-statusInfoV2.patch +++ /dev/null 
@@ -1,1927 +0,0 @@ -From 724b91a4688ca73a07c6c225e0e61e0a79073f42 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 16 Jun 2017 18:20:38 -0700 -Subject: [PATCH] Ticket #2616 CMC: id-cmc-statusInfo ==> id-cmc-statusInfoV2 - -This patch contains the following update: -* Structurely, CMCStatusInfo to CMCStatusInfoV2 update; no extendedFailInfo has been added at this point -* In case of EncryptedPOP, instead of returning with CMCStatus pending where - PendInfo contains the requestID, it now returns CMCStatus failed whith - responseInfo control contains the requestID. On the client side, CMCRequest - now processes the responseInfo and returns the DecryptedPOP with requestID in - the regInfo control. CMCResponse has been updated to handle the new controls - as well. -* A number of fail info codes are now being supported by the server to add - clarity to CMC failed status, including: - badMessageCheck, badRequest, unsuportedExt, badIdentity, popRequired, and popFailed. - -(cherry picked from commit 6273907e0ca36425fa30c106b7fdd28c510b1162) ---- - .../certsrv/profile/ECMCBadIdentityException.java | 54 ++++++ - .../profile/ECMCBadMessageCheckException.java | 54 ++++++ - .../certsrv/profile/ECMCBadRequestException.java | 53 +++++ - .../certsrv/profile/ECMCPopFailedException.java | 53 +++++ - .../certsrv/profile/ECMCPopRequiredException.java | 59 ++++++ - .../profile/ECMCUnsupportedExtException.java | 53 +++++ - .../src/com/netscape/cmstools/CMCRequest.java | 69 +++++-- - .../src/com/netscape/cmstools/CMCResponse.java | 36 +++- - .../netscape/cms/profile/common/EnrollProfile.java | 195 ++++++++++++------- - .../cms/servlet/common/CMCOutputTemplate.java | 216 ++++++++++++--------- - .../servlet/common/GenPendingTemplateFiller.java | 10 +- - .../servlet/profile/ProfileSubmitCMCServlet.java | 96 ++++++++- - .../netscape/cms/servlet/request/CheckRequest.java | 8 +- - base/server/cmsbundle/src/UserMessages.properties | 1 + - 14 files changed, 747 insertions(+), 210 
deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java - create mode 100644 base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java - -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java -new file mode 100644 -index 0000000..118a8ee ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadIdentityException.java -@@ -0,0 +1,54 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC badIdentity condition. -+ * The framework raises this exception when a request fails identity -+ * checks -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCBadIdentityException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = -89147145684990870L; -+ -+ /** -+ * Creates an exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. -+ */ -+ public ECMCBadIdentityException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCBadIdentityException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+ -+ public ECMCBadIdentityException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+} -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java -new file mode 100644 -index 0000000..fb56eb4 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadMessageCheckException.java -@@ -0,0 +1,54 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC badMessageCheck condition. -+ * The framework raises this exception when a request fails various -+ * checks -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCBadMessageCheckException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = 1353005739159030604L; -+ -+ /** -+ * Creates an exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. -+ */ -+ public ECMCBadMessageCheckException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCBadMessageCheckException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+ public ECMCBadMessageCheckException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+ -+} -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java b/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java -new file mode 100644 -index 0000000..dc4a107 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCBadRequestException.java -@@ -0,0 +1,53 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC badRequest condition. -+ * The framework raises this exception when a request fails -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCBadRequestException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = -957171725482446695L; -+ -+ /** -+ * Creates an exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. -+ */ -+ public ECMCBadRequestException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCBadRequestException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+ public ECMCBadRequestException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+ -+} -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java b/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java -new file mode 100644 -index 0000000..cc87434 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCPopFailedException.java -@@ -0,0 +1,53 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC popFailed condition. -+ * The framework raises this exception when a request fails POP -+ * (Proof Of Possession) check -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCPopFailedException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = -3098694565652563197L; -+ -+ /** -+ * Creates an exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. -+ */ -+ public ECMCPopFailedException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCPopFailedException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+ public ECMCPopFailedException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java b/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java -new file mode 100644 -index 0000000..25a7bc0 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCPopRequiredException.java -@@ -0,0 +1,59 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC popRequired condition. -+ * The framework raises this exception when a request is missing POP -+ * (Proof Of Possession) -+ *

-+ * A CMC request with missing POP will not be processed immediately. -+ * Round trip is required to return with CMC direct POP (DecryptedPOP) -+ * for processing the request again. -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCPopRequiredException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = 8328983412028345364L; -+ -+ /** -+ * Creates a defer exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. This message -+ * should indicate the reason why a request -+ * is deferred. -+ */ -+ public ECMCPopRequiredException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCPopRequiredException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+ public ECMCPopRequiredException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java b/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java -new file mode 100644 -index 0000000..b33c58a ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/profile/ECMCUnsupportedExtException.java -@@ -0,0 +1,53 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.profile; -+ -+/** -+ * This represents a profile specific exception for handling -+ * CMC unsupportedExt condition. 
-+ * The framework raises this exception when a request contains extensions -+ * that's not supported -+ *

-+ * -+ * @version $Revision$, $Date$ -+ */ -+public class ECMCUnsupportedExtException extends EProfileException { -+ -+ /** -+ * -+ */ -+ private static final long serialVersionUID = -2065658791983639446L; -+ -+ /** -+ * Creates an exception. -+ * -+ * @param msg localized message that will be -+ * displayed to end user. -+ */ -+ public ECMCUnsupportedExtException(String msg) { -+ super(msg); -+ } -+ -+ public ECMCUnsupportedExtException(String msg, Throwable cause) { -+ super(msg, cause); -+ } -+ -+ public ECMCUnsupportedExtException(Throwable cause) { -+ super(cause.getMessage(), cause); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index 00e03a7..fd59aa1 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -65,7 +65,7 @@ import org.mozilla.jss.crypto.X509Certificate; - import org.mozilla.jss.pkcs10.CertificationRequest; - import org.mozilla.jss.pkcs10.CertificationRequestInfo; - import org.mozilla.jss.pkix.cmc.CMCCertId; --import org.mozilla.jss.pkix.cmc.CMCStatusInfo; -+import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; - import org.mozilla.jss.pkix.cmc.DecryptedPOP; - import org.mozilla.jss.pkix.cmc.EncryptedPOP; - import org.mozilla.jss.pkix.cmc.GetCert; -@@ -1609,14 +1609,15 @@ public class CMCRequest { - * - * @param prevResponse file - * @param privKey -- * @return encryptedPop and reqIdString in Object[] -+ * @return encryptedPop and reqIdOS (requestID in Octet String in Object[] - * @author cfu - */ - private static Object[] processEncryptedPopResponse( - String prevResponse) { - // the values to be returned - EncryptedPOP encryptedPop = null; -- String reqIdString = null; // capture the requestId; -+ String reqIdString = null; -+ OCTET_STRING reqIdOS = null; // capture the requestId; - - String method = "processEncryptedPopResponse: "; - System.out.println(method + " 
begins."); -@@ -1661,13 +1662,13 @@ public class CMCRequest { - TaggedAttribute taggedAttr = (TaggedAttribute) controlSequence.elementAt(i); - OBJECT_IDENTIFIER type = taggedAttr.getType(); - -- if (type.equals(OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo)) { -- System.out.println(method + "Control #" + i + ": CMCStatusInfo"); -+ if (type.equals(OBJECT_IDENTIFIER.id_cmc_statusInfoV2)) { -+ System.out.println(method + "Control #" + i + ": CMCStatusInfoV2"); - System.out.println(method + " OID: " + type.toString()); - SET sts = taggedAttr.getValues(); - int numSts = sts.size(); - for (int j = 0; j < numSts; j++) { -- CMCStatusInfo cst = (CMCStatusInfo) ASN1Util.decode(CMCStatusInfo.getTemplate(), -+ CMCStatusInfoV2 cst = (CMCStatusInfoV2) ASN1Util.decode(CMCStatusInfoV2.getTemplate(), - ASN1Util.encode(sts.elementAt(j))); - SEQUENCE seq = cst.getBodyList(); - StringBuilder s = new StringBuilder(" BodyList: "); -@@ -1677,7 +1678,7 @@ public class CMCRequest { - } - System.out.println(method + s); - int st = cst.getStatus(); -- if (st != CMCStatusInfo.SUCCESS && st != CMCStatusInfo.CONFIRM_REQUIRED) { -+ if (st != CMCStatusInfoV2.SUCCESS && st != CMCStatusInfoV2.CONFIRM_REQUIRED) { - String stString = cst.getStatusString(); - if (stString != null) - System.out.println(method + " Status String: " + stString); -@@ -1685,9 +1686,22 @@ public class CMCRequest { - OtherInfo.Type t = oi.getType(); - if (t == OtherInfo.FAIL) { - System.out.println(method + " OtherInfo type: FAIL"); -- System.out.println(method -- + " not what we expected, because encryptedPOP.enable is true!!!! 
exit now"); -- System.exit(1); -+ INTEGER failInfo = oi.getFailInfo(); -+ if (failInfo == null) { -+ System.out.println(method + "failInfo null...skipping"); -+ continue; -+ } -+ -+ if (failInfo.intValue() == OtherInfo.POP_REQUIRED) { -+ System.out.println(method + " failInfo=" + -+ OtherInfo.FAIL_INFO[failInfo.intValue()]); -+ System.out.println(method + " what we expected, as decryptedPOP.enable is true;"); -+ } else { -+ System.out.println(method + "failInfo=" + -+ OtherInfo.FAIL_INFO[failInfo.intValue()]); -+ System.out.println(method + " not what we expected when encryptedPOP.enable is true;"); -+ System.exit(1); -+ } - } else if (t == OtherInfo.PEND) { - System.out.println(method + " OtherInfo type: PEND"); - PendInfo pi = oi.getPendInfo(); -@@ -1711,9 +1725,8 @@ public class CMCRequest { - System.out.println(method + "missing pendToken in response"); - System.exit(1); - } -- System.out.println(method + " what we expected, as encryptedPOP.enable is true;"); - } -- } else if (st == CMCStatusInfo.SUCCESS) { -+ } else if (st == CMCStatusInfoV2.SUCCESS) { - System.out.println(method + " Status: SUCCESS"); - System.out.println( - method + " not what we expected, because encryptedPOP.enable is true!!!! 
exit now"); -@@ -1728,8 +1741,18 @@ public class CMCRequest { - - encryptedPop = (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(), - ASN1Util.encode(encryptedPOPvals.elementAt(0)))); -- System.out.println(method + "encryptedPOP decoded successfully"); -- -+ System.out.println(method + " encryptedPOP decoded successfully"); -+ -+ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_responseInfo)) { -+ System.out.println(method + "Control #" + i + ": CMC ResponseInfo"); -+ SET riVals = taggedAttr.getValues(); -+ reqIdOS = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -+ ASN1Util.encode(riVals.elementAt(0)))); -+ byte[] reqIdBA = reqIdOS.toByteArray(); -+ BigInteger reqIdBI = new BigInteger(reqIdBA); -+ -+ System.out.println(method + " requestID: " + reqIdBI.toString()); -+ - } // we don't expect any other controls - } //for - } catch (Exception e) { -@@ -1738,13 +1761,13 @@ public class CMCRequest { - } - - System.out.println(method + "ends"); -- return new Object[] { encryptedPop, reqIdString }; -+ return new Object[] { encryptedPop, reqIdOS }; - } - - /** - * constructDecryptedPopRequest constructs request PKIData for DecryptedPOP - * -- * @param encryptedPopInfo {EncryptedPOP, reqIdString} -+ * @param encryptedPopInfo {EncryptedPOP, reqIdOS} - * @param privKey - * @return request PKIData - * @author cfu -@@ -1764,8 +1787,8 @@ public class CMCRequest { - } - - EncryptedPOP encryptedPop = (EncryptedPOP) encryptedPopInfo[0]; -- String reqIdString = (String) encryptedPopInfo[1]; -- if ((encryptedPop == null) || (reqIdString == null)) { -+ OCTET_STRING reqIdOS = (OCTET_STRING) encryptedPopInfo[1]; -+ if ((encryptedPop == null) || (reqIdOS == null)) { - System.out.println(method + "encryptedPopInfo content encryptedPop and reqIdString cannot be null"); - System.exit(1); - } -@@ -1851,7 +1874,8 @@ public class CMCRequest { - int bpid = 1; - // now construct DecryptedPOP - System.out.println(method + "constructing DecryptedPOP..."); -- decryptedPop = 
new DecryptedPOP(new INTEGER(reqIdString), thePOPAlgID, new OCTET_STRING(popProofValue)); -+ -+ decryptedPop = new DecryptedPOP(new INTEGER(bpid++), thePOPAlgID, new OCTET_STRING(popProofValue)); - System.out.println(method + "DecryptedPOP constructed successfully"); - System.out.println(method + "adding decryptedPop control"); - TaggedAttribute decPop = new TaggedAttribute(new INTEGER(bpid++), -@@ -1865,6 +1889,13 @@ public class CMCRequest { - controlSeq.addElement(decPop); - System.out.println(method + "decryptedPop control added"); - -+ TaggedAttribute reqIdTA = -+ new TaggedAttribute(new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_regInfo, -+ reqIdOS); -+ controlSeq.addElement(reqIdTA); -+ System.out.println(method + "regInfo control added"); -+ - SEQUENCE otherMsgSeq = new SEQUENCE(); - - pkidata = new PKIData(controlSeq, reqSequence, new SEQUENCE(), otherMsgSeq); -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -index 4c74934..5224de8 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -@@ -19,6 +19,7 @@ package com.netscape.cmstools; - - import java.io.ByteArrayInputStream; - import java.io.FileInputStream; -+import java.math.BigInteger; - import java.text.SimpleDateFormat; - import java.util.Date; - import java.util.Locale; -@@ -33,7 +34,7 @@ import org.mozilla.jss.asn1.OCTET_STRING; - import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.pkix.cert.Certificate; --import org.mozilla.jss.pkix.cmc.CMCStatusInfo; -+import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; - import org.mozilla.jss.pkix.cmc.EncryptedPOP; - import org.mozilla.jss.pkix.cmc.OtherInfo; - import org.mozilla.jss.pkix.cmc.PendInfo; -@@ -113,13 +114,13 @@ public class CMCResponse { - TaggedAttribute taggedAttr = (TaggedAttribute) controlSequence.elementAt(i); - OBJECT_IDENTIFIER 
type = taggedAttr.getType();
- 
-- if (type.equals(OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo)) {
-- System.out.println("Control #" + i + ": CMCStatusInfo");
-+ if (type.equals(OBJECT_IDENTIFIER.id_cmc_statusInfoV2)) {
-+ System.out.println("Control #" + i + ": CMCStatusInfoV2");
- System.out.println(" OID: " + type.toString());
- SET sts = taggedAttr.getValues();
- int numSts = sts.size();
- for (int j = 0; j < numSts; j++) {
-- CMCStatusInfo cst = (CMCStatusInfo) ASN1Util.decode(CMCStatusInfo.getTemplate(),
-+ CMCStatusInfoV2 cst = (CMCStatusInfoV2) ASN1Util.decode(CMCStatusInfoV2.getTemplate(),
- ASN1Util.encode(sts.elementAt(j)));
- SEQUENCE seq = cst.getBodyList();
- 
-@@ -130,15 +131,23 @@ public class CMCResponse {
- }
- System.out.println(s);
- int st = cst.getStatus();
-- if (st != CMCStatusInfo.SUCCESS && st != CMCStatusInfo.CONFIRM_REQUIRED) {
-+ if (st != CMCStatusInfoV2.SUCCESS && st != CMCStatusInfoV2.CONFIRM_REQUIRED) {
- String stString = cst.getStatusString();
- if (stString != null)
- System.out.println(" Status String: " + stString);
- OtherInfo oi = cst.getOtherInfo();
- OtherInfo.Type t = oi.getType();
-- if (t == OtherInfo.FAIL)
-+ if (t == OtherInfo.FAIL) {
- System.out.println(" OtherInfo type: FAIL");
-- else if (t == OtherInfo.PEND) {
-+ INTEGER failInfo = oi.getFailInfo();
-+ if (failInfo == null) {
-+ System.out.println("failInfo null...skipping");
-+ continue;
-+ }
-+ 
-+ System.out.println(" failInfo=" +
-+ OtherInfo.FAIL_INFO[failInfo.intValue()]);
-+ } else if (t == OtherInfo.PEND) {
- System.out.println(" OtherInfo type: PEND");
- PendInfo pi = oi.getPendInfo();
- if (pi == null) {
-@@ -163,7 +172,7 @@ public class CMCResponse {
- }
- 
- }
-- } else if (st == CMCStatusInfo.SUCCESS) {
-+ } else if (st == CMCStatusInfoV2.SUCCESS) {
- System.out.println(" Status: SUCCESS");
- }
- }
-@@ -224,8 +233,17 @@ public class CMCResponse {
- EncryptedPOP encryptedPOP =
- (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(),
- 
ASN1Util.encode(encryptedPOPvals.elementAt(0))));
-- System.out.println("after encryptedPOP encode");
-+ System.out.println(" encryptedPOP decoded");
-+ 
-+ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_responseInfo)) {
-+ System.out.println("Control #" + i + ": CMC ResponseInfo");
-+ SET riVals = taggedAttr.getValues();
-+ OCTET_STRING reqIdOS = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
-+ ASN1Util.encode(riVals.elementAt(0))));
-+ byte[] reqIdBA = reqIdOS.toByteArray();
-+ BigInteger reqIdBI = new BigInteger(reqIdBA);
- 
-+ System.out.println(" requestID: " + reqIdBI.toString());
- }
- }
- } catch (Exception e) {
-diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-index 74da8e7..8f3e986 100644
---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-@@ -84,6 +84,12 @@ import com.netscape.certsrv.base.SessionContext;
- import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.profile.ECMCBadIdentityException;
-+import com.netscape.certsrv.profile.ECMCBadMessageCheckException;
-+import com.netscape.certsrv.profile.ECMCBadRequestException;
-+import com.netscape.certsrv.profile.ECMCPopFailedException;
-+import com.netscape.certsrv.profile.ECMCPopRequiredException;
-+import com.netscape.certsrv.profile.ECMCUnsupportedExtException;
- import com.netscape.certsrv.profile.EDeferException;
- import com.netscape.certsrv.profile.EProfileException;
- import com.netscape.certsrv.profile.ERejectException;
-@@ -550,7 +556,7 @@ public abstract class EnrollProfile extends BasicProfile
- throw new EProfileException(msg);
- }
- 
-- throw new EDeferException("EnrollProfile: submit: encryptedPOP defer request");
-+ throw new 
ECMCPopRequiredException(" Return with DecryptedPOP to complete");
- 
- } else {
- // this profile executes request that is authenticated
-@@ -726,6 +732,8 @@ public abstract class EnrollProfile extends BasicProfile
- TaggedAttribute[] attributes = new TaggedAttribute[numcontrols];
- boolean id_cmc_decryptedPOP = false;
- SET decPopVals = null;
-+ boolean id_cmc_regInfo = false;
-+ SET reqIdVals = null;
- 
- boolean id_cmc_identification = false;
- SET ident = null;
-@@ -756,6 +764,10 @@ public abstract class EnrollProfile extends BasicProfile
- CMS.debug(method + " id_cmc_decryptedPOP found");
- id_cmc_decryptedPOP = true;
- decPopVals = attributes[i].getValues();
-+ } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_regInfo)) {
-+ CMS.debug(method + "id_cmc_regInfo found");
-+ id_cmc_regInfo = true;
-+ reqIdVals = attributes[i].getValues();
- } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identification)) {
- CMS.debug(method + " id_cmc_identification found");
- id_cmc_identification = true;
-@@ -796,11 +808,10 @@ public abstract class EnrollProfile extends BasicProfile
- 
- msg = " id_cmc_identification attribute value not found in";
- CMS.debug(method + msg);
--/*
-- throw new EProfileException(
-- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
-+ 
-+ throw new ECMCBadRequestException(
-+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" +
- msg);
--*/
- } else {
- ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
- ASN1Util.encode(ident.elementAt(0))));
-@@ -812,11 +823,11 @@ public abstract class EnrollProfile extends BasicProfile
- context.put("identification", bpids);
- 
- CMS.debug(method + msg);
--/*
-- throw new EProfileException(
-- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
-+ 
-+ throw new ECMCBadRequestException(
-+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" +
- msg);
--*/
-+ 
- }
- }
- 
-@@ -850,8 +861,8 @@ public abstract class EnrollProfile extends BasicProfile
- method + msg);
- 
audit(auditMessage);
- 
-- throw new EProfileException(
-- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
-+ throw new ECMCBadIdentityException(
-+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + ":" +
- msg);
- }
- 
-@@ -863,7 +874,7 @@ public abstract class EnrollProfile extends BasicProfile
- 
- msg = " after verifyIdentityProofV2";
- CMS.debug(method + msg);
-- throw new EProfileException(CMS.getUserMessage(locale,
-+ throw new ECMCBadIdentityException(CMS.getUserMessage(locale,
- "CMS_POI_VERIFICATION_ERROR") + msg);
- } else {
- CMS.debug(method + "passed verifyIdentityProofV2; Proof of Identity successful;");
-@@ -878,7 +889,7 @@ public abstract class EnrollProfile extends BasicProfile
- 
- msg = " after verifyIdentityProof";
- CMS.debug(method + msg);
-- throw new EProfileException(CMS.getUserMessage(locale,
-+ throw new ECMCBadIdentityException(CMS.getUserMessage(locale,
- "CMS_POI_VERIFICATION_ERROR") + msg);
- } else {
- CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;");
-@@ -894,20 +905,53 @@ public abstract class EnrollProfile extends BasicProfile
- ILogger.FAILURE,
- method + msg);
- audit(auditMessage);
-- throw new EProfileException(CMS.getUserMessage(locale,
-- "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg);
-+ throw new ECMCBadRequestException(CMS.getUserMessage(locale,
-+ "CMS_POI_VERIFICATION_ERROR") + ":" + msg);
- }
- 
- if (id_cmc_decryptedPOP) {
- if (decPopVals != null) {
-+ if (!id_cmc_regInfo) {
-+ msg = "id_cmc_decryptedPOP must be accompanied by id_cmc_regInfo for request id per server/client agreement";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.PROOF_OF_POSSESSION,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
-+ 
-+ SEQUENCE bpids = getRequestBpids(reqSeq);
-+ context.put("decryptedPOP", bpids);
-+ throw new ECMCPopFailedException(CMS.getUserMessage(locale,
-+ "CMS_POP_VERIFICATION_ERROR") + ":" + msg);
-+ }
-+ 
-+ OCTET_STRING reqIdOS =
-+ (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
-+ ASN1Util.encode(reqIdVals.elementAt(0))));
- 
- DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(),
- ASN1Util.encode(decPopVals.elementAt(0))));
- CMS.debug(method + "DecryptedPOP encoded");
- 
-- Integer reqId = verifyDecryptedPOP(locale, decPop);
-+ BigInteger reqId = verifyDecryptedPOP(locale, decPop, reqIdOS);
- if (reqId != null) {
- context.put("cmcDecryptedPopReqId", reqId);
-+ } else {
-+ msg = "DecryptedPOP failed to verify";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.PROOF_OF_POSSESSION,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
-+ 
-+ SEQUENCE bpids = getRequestBpids(reqSeq);
-+ context.put("decryptedPOP", bpids);
-+ throw new ECMCPopFailedException(CMS.getUserMessage(locale,
-+ "CMS_POP_VERIFICATION_ERROR") + ":" + msg);
- }
- } else { //decPopVals == null
- msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
-@@ -915,12 +959,14 @@ public abstract class EnrollProfile extends BasicProfile
- auditMessage = CMS.getLogMessage(
- AuditEvent.PROOF_OF_POSSESSION,
- auditSubjectID,
-- ILogger.SUCCESS,
-+ ILogger.FAILURE,
- method + msg);
- audit(auditMessage);
- 
- SEQUENCE bpids = getRequestBpids(reqSeq);
- context.put("decryptedPOP", bpids);
-+ throw new ECMCPopFailedException(CMS.getUserMessage(locale,
-+ "CMS_POP_VERIFICATION_ERROR") + ":" + msg);
- }
- 
- // decryptedPOP is expected to return null;
-@@ -967,9 +1013,9 @@ public abstract class EnrollProfile extends BasicProfile
- }
- } catch (Exception e) {
- // unlikely to get here
-- msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
-- CMS.debug(msg);
-- throw new EProfileException(method + msg);
-+ msg = " Failed to retrieve cmc.popLinkWitnessRequired";
-+ CMS.debug(method + msg);
-+ throw new EProfileException( msg);
- }
- 
- int nummsgs = reqSeq.size();
-@@ -988,7 +1034,7 @@ public abstract 
class EnrollProfile extends BasicProfile
- !context.containsKey("POPLinkWitness")) {
- CMS.debug(method + "popLinkWitness(V2) required");
- if (randomSeed == null || ident_s == null) {
-- msg = "no randomSeed or identification found needed for popLinkWitness(V2)";
-+ msg = "missing needed randomSeed or identification for popLinkWitness(V2)";
- CMS.debug(method + msg);
- auditMessage = CMS.getLogMessage(
- AuditEvent.CMC_ID_POP_LINK_WITNESS,
-@@ -998,7 +1044,8 @@ public abstract class EnrollProfile extends BasicProfile
- audit(auditMessage);
- 
- context.put("POPLinkWitnessV2", bpids);
-- return null;
-+ throw new ECMCBadRequestException(CMS.getUserMessage(locale,
-+ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + ":" + msg);
- }
- 
- // verifyPOPLinkWitness() will determine if this is
-@@ -1021,8 +1068,8 @@ public abstract class EnrollProfile extends BasicProfile
- ILogger.FAILURE,
- method + msg);
- audit(auditMessage);
-- throw new EProfileException(CMS.getUserMessage(locale,
-- "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg);
-+ throw new ECMCBadRequestException(CMS.getUserMessage(locale,
-+ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + ":" + msg);
- } else {
- msg = ": ident_s=" + ident_s;
- auditMessage = CMS.getLogMessage(
-@@ -1041,6 +1088,14 @@ public abstract class EnrollProfile extends BasicProfile
- 
- CMS.debug(method + "ends");
- return msgs;
-+ } catch (ECMCBadMessageCheckException e) {
-+ throw new ECMCBadMessageCheckException(e);
-+ } catch (ECMCBadIdentityException e) {
-+ throw new ECMCBadIdentityException(e);
-+ } catch (ECMCPopFailedException e) {
-+ throw new ECMCPopFailedException(e);
-+ } catch (ECMCBadRequestException e) {
-+ throw new ECMCBadRequestException(e);
- } catch (EProfileException e) {
- throw new EProfileException(e);
- } catch (Exception e) {
-@@ -1056,34 +1111,28 @@ public abstract class EnrollProfile extends BasicProfile
- *
- * @author cfu
- */
-- private Integer verifyDecryptedPOP(Locale locale, DecryptedPOP decPop)
-- throws 
EProfileException {
-+ private BigInteger verifyDecryptedPOP(Locale locale,
-+ DecryptedPOP decPop,
-+ OCTET_STRING reqIdOS)
-+ throws EProfileException, ECMCPopFailedException {
- String method = "EnrollProfile: verifyDecryptedPOP: ";
- CMS.debug(method + "begins");
- String msg = "";
- 
-- if (decPop == null) {
-+ if (decPop == null || reqIdOS == null) {
- CMS.debug(method + "method parameters cannot be null");
- return null;
- }
- 
-- // iBody contains the request id
-- INTEGER iBody = decPop.getBodyPartID();
-- if (iBody == null) {
-- msg = method + "iBody null after decPop.getBodyPartID";
-- CMS.debug(msg);
-- return null;
-- }
-- CMS.debug(method + "request id from decryptedPOP =" +
-- iBody.toString());
-- Integer reqId = new Integer(iBody.toString());
-+ byte[] reqIdBA = reqIdOS.toByteArray();
-+ BigInteger reqIdBI = new BigInteger(reqIdBA);
- 
- OCTET_STRING witness_os = decPop.getWitness();
- 
- IRequestQueue reqQueue = getRequestQueue();
- IRequest req = null;
- try {
-- req = reqQueue.findRequest(new RequestId(reqId));
-+ req = reqQueue.findRequest(new RequestId(reqIdBI));
- } catch (Exception e) {
- msg = method + "after findRequest: " + e;
- CMS.debug(msg);
-@@ -1095,7 +1144,7 @@ public abstract class EnrollProfile extends BasicProfile
- if (pop_encryptedData == null) {
- msg = method +
- "pop_encryptedData not found in request:" +
-- reqId.toString();
-+ reqIdBI.toString();
- CMS.debug(msg);
- return null;
- }
-@@ -1104,7 +1153,7 @@ public abstract class EnrollProfile extends BasicProfile
- if (pop_sysPubEncryptedSession == null) {
- msg = method +
- "pop_sysPubEncryptedSession not found in request:" +
-- reqId.toString();
-+ reqIdBI.toString();
- CMS.debug(msg);
- return null;
- }
-@@ -1113,7 +1162,7 @@ public abstract class EnrollProfile extends BasicProfile
- if (cmc_msg == null) {
- msg = method +
- "cmc_msg not found in request:" +
-- reqId.toString();
-+ reqIdBI.toString();
- CMS.debug(msg);
- return null;
- }
-@@ -1185,8 +1234,8 @@ public abstract 
class EnrollProfile extends BasicProfile
- return null;
- }
- } catch (Exception e) {
-- msg = method + e;
-- CMS.debug(msg);
-+ msg = e.toString();
-+ CMS.debug(method + msg);
- throw new EProfileException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
- e);
-@@ -1198,7 +1247,7 @@ public abstract class EnrollProfile extends BasicProfile
- CMS.debug(method + "cmc_POPchallengeRequired set back to false");
- CMS.debug(method + "ends");
- 
-- return reqId;
-+ return reqIdBI;
- }
- 
- /**
-@@ -1645,7 +1694,9 @@ public abstract class EnrollProfile extends BasicProfile
- "method=" + method);
- audit(auditMessage);
- } else {
-- throw new EBaseException("failed to verify");
-+ msg = "IdentityProofV2 failed to verify";
-+ CMS.debug(method + msg);
-+ throw new EBaseException(msg);
- }
- return verified;
- } catch (Exception e) {
-@@ -1677,28 +1728,28 @@ public abstract class EnrollProfile extends BasicProfile
- return false;
- }
- 
-- String token = tokenClass.getSharedToken(mCMCData);
-- OCTET_STRING ostr = null;
-- try {
-- ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
-- ASN1Util.encode(vals.elementAt(0))));
-- } catch (InvalidBERException e) {
-- CMS.debug(method + "Failed to decode the byte value.");
-- return false;
-- }
-- byte[] b = ostr.toByteArray();
-- byte[] text = ASN1Util.encode(reqSeq);
-+ String token = tokenClass.getSharedToken(mCMCData);
-+ OCTET_STRING ostr = null;
-+ try {
-+ ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
-+ ASN1Util.encode(vals.elementAt(0))));
-+ } catch (InvalidBERException e) {
-+ CMS.debug(method + "Failed to decode the byte value.");
-+ return false;
-+ }
-+ byte[] b = ostr.toByteArray();
-+ byte[] text = ASN1Util.encode(reqSeq);
- 
-- verified = verifyDigest(token.getBytes(), text, b);
-- if (verified) {// update auditSubjectID
-- //placeholder. 
Should probably just disable this v1 method
-- }
-- return verified;
-+ verified = verifyDigest(token.getBytes(), text, b);
-+ if (verified) {// update auditSubjectID
-+ //placeholder. Should probably just disable this v1 method
-+ }
-+ return verified;
- }
- 
- public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
- IRequest req)
-- throws EProfileException {
-+ throws EProfileException, ECMCPopFailedException, ECMCBadRequestException {
- String auditMessage = null;
- String auditSubjectID = auditSubjectID();
- 
-@@ -1832,7 +1883,7 @@ public abstract class EnrollProfile extends BasicProfile
- fillCertReqMsg(locale, crm, info, req);
- } else {
- CMS.debug(method + " unsupported type (not CRMF or PKCS10)");
-- throw new EProfileException(
-+ throw new ECMCBadRequestException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
- }
- }
-@@ -1951,7 +2002,7 @@ public abstract class EnrollProfile extends BasicProfile
- 
- public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info,
- IRequest req)
-- throws EProfileException {
-+ throws EProfileException, ECMCUnsupportedExtException {
- String method = "EnrollProfile: fillCertReqMsg: ";
- try {
- CMS.debug(method + "Start parseCertReqMsg ");
-@@ -2111,7 +2162,7 @@ public abstract class EnrollProfile extends BasicProfile
- } catch (IOException e) {
- CMS.debug("EnrollProfile: Unable to fill certificate request message: " + e);
- CMS.debug(e);
-- throw new EProfileException(
-+ throw new ECMCUnsupportedExtException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
- } catch (InvalidKeyException e) {
- CMS.debug("EnrollProfile: Unable to fill certificate request message: " + e);
-@@ -2175,7 +2226,7 @@ public abstract class EnrollProfile extends BasicProfile
- }
- 
- public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req)
-- throws EProfileException {
-+ throws EProfileException, ECMCUnsupportedExtException {
- String 
method = "EnrollProfile: fillPKCS10: ";
- CMS.debug(method + "begins");
- X509Key key = pkcs10.getSubjectPublicKeyInfo();
-@@ -2234,7 +2285,7 @@ public abstract class EnrollProfile extends BasicProfile
- CMS.debug(method + "Finish parsePKCS10 - " + pkcs10.getSubjectName());
- } catch (IOException e) {
- CMS.debug(method + "Unable to fill PKCS #10: " + e);
-- throw new EProfileException(
-+ throw new ECMCUnsupportedExtException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
- } catch (CertificateException e) {
- CMS.debug(method + "Unable to fill PKCS #10: " + e);
-@@ -2582,7 +2633,7 @@ public abstract class EnrollProfile extends BasicProfile
- * verifyPOP - CRMF POP verification for signing keys
- */
- public void verifyPOP(Locale locale, CertReqMsg certReqMsg)
-- throws EProfileException {
-+ throws EProfileException, ECMCPopFailedException {
- String method = "EnrollProfile: verifyPOP: ";
- CMS.debug(method + "for signing keys begins.");
- 
-@@ -2628,11 +2679,11 @@ public abstract class EnrollProfile extends BasicProfile
- }
- 
- private void popFailed(Locale locale, String auditSubjectID, String msg)
-- throws EProfileException {
-+ throws EProfileException, ECMCPopFailedException {
- popFailed(locale, auditSubjectID, msg, null);
- }
- private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e)
-- throws EProfileException {
-+ throws EProfileException, ECMCPopFailedException {
- 
- if (e != null)
- msg = msg + e.toString();
-@@ -2645,10 +2696,10 @@ public abstract class EnrollProfile extends BasicProfile
- audit(auditMessage);
- 
- if (e != null) {
-- throw new EProfileException(CMS.getUserMessage(locale,
-+ throw new ECMCPopFailedException(CMS.getUserMessage(locale,
- "CMS_POP_VERIFICATION_ERROR"), e);
- } else {
-- throw new EProfileException(CMS.getUserMessage(locale,
-+ throw new ECMCPopFailedException(CMS.getUserMessage(locale,
- "CMS_POP_VERIFICATION_ERROR"));
- }
- }
-diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-index 067dce7..1e509d3 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-@@ -49,7 +49,7 @@ import org.mozilla.jss.crypto.SignatureAlgorithm;
- import org.mozilla.jss.pkcs11.PK11PubKey;
- import org.mozilla.jss.pkix.cert.Certificate;
- import org.mozilla.jss.pkix.cmc.CMCCertId;
--import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
-+import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2;
- import org.mozilla.jss.pkix.cmc.EncryptedPOP;
- import org.mozilla.jss.pkix.cmc.GetCert;
- import org.mozilla.jss.pkix.cmc.OtherInfo;
-@@ -117,13 +117,13 @@ public class CMCOutputTemplate {
- 
- int bpid = 1;
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(code), null);
-- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(
-- new INTEGER(CMCStatusInfo.FAILED),
-+ new INTEGER(code), null, null);
-+ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(
-+ new INTEGER(CMCStatusInfoV2.FAILED),
- bpids, s, otherInfo);
- TaggedAttribute tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- 
- try {
-@@ -166,6 +166,7 @@ public class CMCOutputTemplate {
- // in rfc 2797: body list value is 1
- int bpid = 1;
- SEQUENCE pending_bpids = null;
-+ SEQUENCE popRequired_bpids = null;
- SEQUENCE success_bpids = null;
- SEQUENCE failed_bpids = null;
- if (cert_request_type.equals("crmf") ||
-@@ -175,23 +176,24 @@ public class CMCOutputTemplate {
- if (error_codes[0] == 2) {
- PendInfo pendInfo = new PendInfo(reqId, new Date());
- otherInfo = new OtherInfo(OtherInfo.PEND, null,
-- pendInfo);
-+ pendInfo, null);
- } else {
- otherInfo = new OtherInfo(OtherInfo.FAIL,
-- 
new INTEGER(OtherInfo.BAD_REQUEST), null);
-+ new INTEGER(OtherInfo.BAD_REQUEST), null, null);
- }
- 
- SEQUENCE bpids = new SEQUENCE();
- bpids.addElement(new INTEGER(1));
-- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING,
-+ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING,
- bpids, (String) null, otherInfo);
- TaggedAttribute tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- } else if (cert_request_type.equals("cmc")) {
- CMS.debug(method + " processing cmc");
- pending_bpids = new SEQUENCE();
-+ popRequired_bpids = new SEQUENCE();
- success_bpids = new SEQUENCE();
- failed_bpids = new SEQUENCE();
- EncryptedPOP encPop = null;
-@@ -205,11 +207,15 @@ public class CMCOutputTemplate {
- } else if (error_codes[i] == 2) {
- pending_bpids.addElement(new INTEGER(
- reqs[i].getExtDataInBigInteger("bodyPartId")));
-+ } else if (error_codes[i] == 4) {
-+ popRequired_bpids.addElement(new INTEGER(
-+ reqs[i].getExtDataInBigInteger("bodyPartId")));
- try {
- encPop = constructEncryptedPop(reqs[i]);
- } catch (Exception e) {
- CMS.debug(method + e);
-- return;
-+ failed_bpids.addElement(new INTEGER(
-+ reqs[i].getExtDataInBigInteger("bodyPartId")));
- }
- } else {
- failed_bpids.addElement(new INTEGER(
-@@ -221,41 +227,41 @@ public class CMCOutputTemplate {
- }
- 
- TaggedAttribute tagattr = null;
-- CMCStatusInfo cmcStatusInfo = null;
-+ CMCStatusInfoV2 cmcStatusInfoV2 = null;
- 
- SEQUENCE decryptedPOPBpids = (SEQUENCE) context.get("decryptedPOP");
- if (decryptedPOPBpids != null && decryptedPOPBpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.POP_FAILED), null);
-+ new INTEGER(OtherInfo.POP_FAILED), null, null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ cmcStatusInfoV2 = new 
CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- decryptedPOPBpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
- SEQUENCE identificationBpids = (SEQUENCE) context.get("identification");
- if (identificationBpids != null && identificationBpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_IDENTITY), null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_IDENTITY), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- identificationBpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
- SEQUENCE identityV2Bpids = (SEQUENCE) context.get("identityProofV2");
- if (identityV2Bpids != null && identityV2Bpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_IDENTITY), null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_IDENTITY), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- identityV2Bpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
-@@ -263,41 +269,41 @@ public class CMCOutputTemplate {
- SEQUENCE identityBpids = (SEQUENCE) context.get("identityProof");
- if (identityBpids != null && identityBpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_IDENTITY), null);
-- cmcStatusInfo = new 
CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_IDENTITY), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- identityBpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
- SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2");
- if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_REQUEST), null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_REQUEST), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- POPLinkWitnessV2Bpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
- SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness");
- if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_REQUEST), null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_REQUEST), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- POPLinkWitnessBpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
-- if (pending_bpids.size() > 0) {
-- // handle encryptedPOP control first
-+ if (popRequired_bpids.size() > 0) {
-+ // handle encryptedPOP control
- 
- if (encPop != null) {
- CMS.debug(method + "adding 
encPop");
-@@ -309,17 +315,35 @@ public class CMCOutputTemplate {
- CMS.debug(method + "encPop added");
- }
- 
-+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-+ new INTEGER(OtherInfo.POP_REQUIRED), null, null);
-+ cmcStatusInfoV2 =
-+ new CMCStatusInfoV2(CMCStatusInfoV2.POP_REQUIRED,
-+ popRequired_bpids, (String) null, otherInfo);
-+ tagattr = new TaggedAttribute(
-+ new INTEGER(bpid++),
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
-+ controlSeq.addElement(tagattr);
-+ 
-+ // add request id
-+ byte[] reqId = reqs[0].getRequestId().toBigInteger().toByteArray();
-+ TaggedAttribute reqIdTA =
-+ new TaggedAttribute(new INTEGER(bpid++),
-+ OBJECT_IDENTIFIER.id_cmc_responseInfo,
-+ new OCTET_STRING(reqId));
-+ controlSeq.addElement(reqIdTA);
-+ }
-+ 
-+ if (pending_bpids.size() > 0) {
- String reqId = reqs[0].getRequestId().toString();
-- OtherInfo otherInfo = null;
- PendInfo pendInfo = new PendInfo(reqId, new Date());
-- otherInfo = new OtherInfo(OtherInfo.PEND, null,
-- pendInfo);
-- // cfu: inject POP_REQUIRED when working on V2 status
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING,
-+ OtherInfo otherInfo = new OtherInfo(OtherInfo.PEND, null,
-+ pendInfo, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING,
- pending_bpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
-@@ -333,27 +357,27 @@ public class CMCOutputTemplate {
- }
- if (confirmRequired) {
- CMS.debug(method + " confirmRequired in the request");
-- cmcStatusInfo =
-- new CMCStatusInfo(CMCStatusInfo.CONFIRM_REQUIRED,
-+ cmcStatusInfoV2 =
-+ new CMCStatusInfoV2(CMCStatusInfoV2.CONFIRM_REQUIRED,
- success_bpids, (String) null, null);
- } else {
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS,
-+ cmcStatusInfoV2 = new 
CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS,
- success_bpids, (String) null, null);
- }
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- 
- if (failed_bpids.size() > 0) {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_REQUEST), null);
-- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
-+ new INTEGER(OtherInfo.BAD_REQUEST), null, null);
-+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED,
- failed_bpids, (String) null, otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- }
-@@ -373,15 +397,15 @@ public class CMCOutputTemplate {
- } catch (EBaseException ee) {
- CMS.debug(method + ee.toString());
- OtherInfo otherInfo1 = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_CERT_ID), null);
-+ new INTEGER(OtherInfo.BAD_CERT_ID), null, null);
- SEQUENCE bpids1 = new SEQUENCE();
- bpids1.addElement(attr.getBodyPartID());
-- CMCStatusInfo cmcStatusInfo1 = new CMCStatusInfo(
-- new INTEGER(CMCStatusInfo.FAILED),
-+ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(
-+ new INTEGER(CMCStatusInfoV2.FAILED),
- bpids1, null, otherInfo1);
- TaggedAttribute tagattr1 = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo1);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr1);
- }
- }
-@@ -537,7 +561,7 @@ public class CMCOutputTemplate {
- }
- 
- } else {
-- msg = "popChallengeRequired required, but one more more of the pop_ data not found in request";
-+ msg = "popChallengeRequired, but one or more of the pop_ data not found in request";
- CMS.debug(method + msg);
- throw new EBaseException(method + 
msg);
- }
-@@ -734,23 +758,23 @@ public class CMCOutputTemplate {
- CMS.debug("CMCOutputTemplate: Certificate in the confirm acceptance control was not found");
- }
- }
-- CMCStatusInfo cmcStatusInfo = null;
-+ CMCStatusInfoV2 cmcStatusInfoV2 = null;
- if (confirmAccepted) {
- CMS.debug("CMCOutputTemplate: Confirm Acceptance received. The certificate exists in the certificate repository.");
-- cmcStatusInfo =
-- new CMCStatusInfo(CMCStatusInfo.SUCCESS, seq,
-+ cmcStatusInfoV2 =
-+ new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, seq,
- (String) null, null);
- } else {
- CMS.debug("CMCOutputTemplate: Confirm Acceptance received. The certificate does not exist in the certificate repository.");
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
-- new INTEGER(OtherInfo.BAD_CERT_ID), null);
-- cmcStatusInfo =
-- new CMCStatusInfo(CMCStatusInfo.FAILED, seq,
-+ new INTEGER(OtherInfo.BAD_CERT_ID), null, null);
-+ cmcStatusInfoV2 =
-+ new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, seq,
- (String) null, otherInfo);
- }
- TaggedAttribute statustagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(statustagattr);
- } catch (Exception e) {
- CMS.debug("CMCOutputTemplate exception: " + e.toString());
-@@ -825,28 +849,28 @@ public class CMCOutputTemplate {
- }
- 
- if (pending_bpids.size() > 0) {
-- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.PENDING,
-+ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.PENDING,
- pending_bpids, (String) null, null);
- TaggedAttribute tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
-- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
-+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
- controlSeq.addElement(tagattr);
- }
- if (success_bpids.size() > 0) {
-- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS,
-+ CMCStatusInfoV2 
cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, - pending_bpids, (String) null, null); - TaggedAttribute tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - } - - if (failed_bpids.size() > 0) { -- CMCStatusInfo cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, -+ CMCStatusInfoV2 cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, - pending_bpids, (String) null, null); - TaggedAttribute tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - } - -@@ -959,7 +983,7 @@ public class CMCOutputTemplate { - - if (attr != null) { - INTEGER attrbpid = attr.getBodyPartID(); -- CMCStatusInfo cmcStatusInfo = null; -+ CMCStatusInfoV2 cmcStatusInfoV2 = null; - SET vals = attr.getValues(); - if (vals.size() > 0) { - RevokeRequest revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(), -@@ -988,14 +1012,14 @@ public class CMCOutputTemplate { - CMS.debug(method + "missing CMC signer principal"); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, - new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -- null); -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, - otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1021,15 +1045,15 @@ public class CMCOutputTemplate { - if (!verifyRevRequestSignature(msgData)) { - OtherInfo 
otherInfo = new OtherInfo(OtherInfo.FAIL, - new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -- null); -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, - (String) null, - otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1051,13 +1075,13 @@ public class CMCOutputTemplate { - if (tokenClass == null) { - CMS.debug(method + " Failed to retrieve shared secret plugin class"); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), -- null); -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1067,14 +1091,14 @@ public class CMCOutputTemplate { - - if (sharedSecret == null) { - CMS.debug("CMCOutputTemplate: shared secret not found."); -- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), -- null); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -+ cmcStatusInfoV2 = new 
CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1088,14 +1112,14 @@ public class CMCOutputTemplate { - } else { - CMS.debug(method - + " Client and server shared secret are not the same, cannot revoke certificate."); -- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -- null); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - - audit(new CertStatusChangeRequestProcessedEvent( -@@ -1123,13 +1147,13 @@ public class CMCOutputTemplate { - - if (record == null) { - CMS.debug(method + " The certificate is not found"); -- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ 
OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1138,11 +1162,11 @@ public class CMCOutputTemplate { - CMS.debug("CMCOutputTemplate: The certificate is already revoked."); - SEQUENCE success_bpids = new SEQUENCE(); - success_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, - success_bpids, (String) null, null); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - return bpid; - } -@@ -1159,14 +1183,14 @@ public class CMCOutputTemplate { - msg = "certificate principal and signer do not match"; - CMS.debug(method + msg); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), -- null); -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, msg, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, msg, - otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - - audit(new CertStatusChangeRequestProcessedEvent( -@@ -1220,14 +1244,14 @@ public class CMCOutputTemplate { - CMS.debug("CMCOutputTemplate: revReq exception: " + - revReq.getExtDataInString(IRequest.ERROR)); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), -- null); -+ null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, 
failed_bpids, (String) null, - otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - - audit(new CertStatusChangeRequestProcessedEvent( -@@ -1254,11 +1278,11 @@ public class CMCOutputTemplate { - CMS.debug(method + " Certificate revoked."); - SEQUENCE success_bpids = new SEQUENCE(); - success_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS, -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, - success_bpids, (String) null, null); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - - auditApprovalStatus = RequestStatus.COMPLETE; -@@ -1272,13 +1296,13 @@ public class CMCOutputTemplate { - auditApprovalStatus)); - return bpid; - } else { -- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, (String) null, otherInfo); - tagattr = new TaggedAttribute( - new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); - controlSeq.addElement(tagattr); - - audit(new CertStatusChangeRequestProcessedEvent( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java -index 4578a98..cfd42ad 100644 
---- a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java -@@ -35,7 +35,7 @@ import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.crypto.DigestAlgorithm; - import org.mozilla.jss.crypto.SignatureAlgorithm; --import org.mozilla.jss.pkix.cmc.CMCStatusInfo; -+import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; - import org.mozilla.jss.pkix.cmc.OtherInfo; - import org.mozilla.jss.pkix.cmc.PendInfo; - import org.mozilla.jss.pkix.cmc.ResponseBody; -@@ -98,7 +98,7 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { - RequestId reqId = req.getRequestId(); - - fixed.set(ICMSTemplateFiller.REQUEST_ID, reqId); -- // set pendInfo, CMCStatusInfo -+ // set pendInfo, CMCStatusInfoV2 - IArgBlock httpParams = cmsReq.getHttpParams(); - - if (doFullResponse(httpParams)) { -@@ -115,12 +115,12 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { - for (int i = 0; i < reqIdArray.length; i++) { - bpids.addElement(new INTEGER(reqIdArray[i])); - } -- CMCStatusInfo cmcStatusInfo = new -- CMCStatusInfo(CMCStatusInfo.PENDING, bpids, -+ CMCStatusInfoV2 cmcStatusInfo = new -+ CMCStatusInfoV2(CMCStatusInfoV2.PENDING, bpids, - (String) null, otherInfo); - TaggedAttribute ta = new TaggedAttribute(new - INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, - cmcStatusInfo); - - controlSeq.addElement(ta); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 73195e9..d087162 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -19,6 +19,7 @@ package com.netscape.cms.servlet.profile; - - 
import java.io.InputStream; - import java.io.OutputStream; -+import java.math.BigInteger; - import java.security.cert.X509Certificate; - import java.util.Enumeration; - import java.util.Locale; -@@ -51,6 +52,11 @@ import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; -+import com.netscape.certsrv.profile.ECMCBadIdentityException; -+import com.netscape.certsrv.profile.ECMCBadMessageCheckException; -+import com.netscape.certsrv.profile.ECMCBadRequestException; -+import com.netscape.certsrv.profile.ECMCPopFailedException; -+import com.netscape.certsrv.profile.ECMCPopRequiredException; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; -@@ -502,8 +508,60 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - try { - reqs = profile.createRequests(ctx, locale); -+ } catch (ECMCBadMessageCheckException e) { -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ CMCOutputTemplate template = new CMCOutputTemplate(); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new INTEGER(0)); -+ UTF8String s = null; -+ try { -+ s = new UTF8String(e.toString()); -+ } catch (Exception ee) { -+ } -+ template.createFullResponseWithFailedStatus(response, seq, -+ OtherInfo.BAD_MESSAGE_CHECK, s); -+ return; -+ } catch (ECMCBadIdentityException e) { -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ CMCOutputTemplate template = new CMCOutputTemplate(); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new INTEGER(0)); -+ UTF8String s = null; -+ try { -+ s = new UTF8String(e.toString()); -+ } catch (Exception ee) { -+ } -+ template.createFullResponseWithFailedStatus(response, seq, -+ OtherInfo.BAD_IDENTITY, s); -+ 
return; -+ } catch (ECMCPopFailedException e) { -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ CMCOutputTemplate template = new CMCOutputTemplate(); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new INTEGER(0)); -+ UTF8String s = null; -+ try { -+ s = new UTF8String(e.toString()); -+ } catch (Exception ee) { -+ } -+ template.createFullResponseWithFailedStatus(response, seq, -+ OtherInfo.POP_FAILED, s); -+ return; -+ } catch (ECMCBadRequestException e) { -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ CMCOutputTemplate template = new CMCOutputTemplate(); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new INTEGER(0)); -+ UTF8String s = null; -+ try { -+ s = new UTF8String(e.toString()); -+ } catch (Exception ee) { -+ } -+ template.createFullResponseWithFailedStatus(response, seq, -+ OtherInfo.BAD_REQUEST, s); -+ return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: createRequests " + e.toString()); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -516,7 +574,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - OtherInfo.INTERNAL_CA_ERROR, s); - return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: createRequests " + e.toString()); -+ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString()); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -570,7 +628,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - boolean isRevoke = false; - if (reqs == null) { - // handling DecryptedPOP request here -- Integer reqID = (Integer) context.get("cmcDecryptedPopReqId"); -+ BigInteger reqID = (BigInteger) context.get("cmcDecryptedPopReqId"); - if (reqID == null) { - 
CMS.debug("ProfileSubmitCMCServlet: revocation request"); - isRevoke = true; -@@ -683,8 +741,21 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - profile.populateInput(ctx, reqs[k]); - profile.populate(reqs[k]); -+ } catch (ECMCPopFailedException e) { -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ CMCOutputTemplate template = new CMCOutputTemplate(); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new INTEGER(0)); -+ UTF8String s = null; -+ try { -+ s = new UTF8String(e.toString()); -+ } catch (Exception ee) { -+ } -+ template.createFullResponseWithFailedStatus(response, seq, -+ OtherInfo.POP_FAILED, s); -+ return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: populate " + e.toString()); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -697,7 +768,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - OtherInfo.BAD_REQUEST, s); - return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: populate " + e.toString()); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); - // throw new IOException("Profile " + profileId + - // " cannot populate"); - CMCOutputTemplate template = new CMCOutputTemplate(); -@@ -780,6 +851,21 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - errorReason = CMS.getUserMessage(locale, - "CMS_PROFILE_REJECTED", - e.toString()); -+ } catch (ECMCPopRequiredException e) { -+ // return popRequired message to the user -+ CMS.debug("ProfileSubmitCMCServlet: popRequired; set request to PENDING"); -+ reqs[k].setRequestStatus(RequestStatus.PENDING); -+ // need to notify -+ INotify notify = profile.getRequestQueue().getPendingNotify(); -+ if (notify != null) { -+ notify.notify(reqs[k]); -+ } -+ -+ CMS.debug("ProfileSubmitCMCServlet: submit " + 
e.toString()); -+ errorCode = "4"; -+ errorReason = CMS.getUserMessage(locale, -+ "CMS_PROFILE_CMC_POP_REQUIRED", -+ e.toString()); - } catch (Throwable e) { - // return error to the user - CMS.debug("ProfileSubmitCMCServlet: submit " + e.toString()); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java -index 76700fe..5666c13 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java -@@ -48,7 +48,7 @@ import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.crypto.DigestAlgorithm; - import org.mozilla.jss.crypto.SignatureAlgorithm; --import org.mozilla.jss.pkix.cmc.CMCStatusInfo; -+import org.mozilla.jss.pkix.cmc.CMCStatusInfoV2; - import org.mozilla.jss.pkix.cmc.PKIData; - import org.mozilla.jss.pkix.cmc.ResponseBody; - import org.mozilla.jss.pkix.cmc.TaggedAttribute; -@@ -431,11 +431,11 @@ public class CheckRequest extends CMSServlet { - - if (bodyPartId != null) - bpids.addElement(bodyPartId); -- CMCStatusInfo cmcStatusInfo = new -- CMCStatusInfo(CMCStatusInfo.SUCCESS, bpids); -+ CMCStatusInfoV2 cmcStatusInfo = new -+ CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, bpids); - TaggedAttribute ta = new TaggedAttribute(new - INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, - cmcStatusInfo); - - controlSeq.addElement(ta); -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index ff56465..ed2a620 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -801,6 +801,7 @@ CMS_PROFILE_SUBJDIR_EMPTY_ATTRVAL=Attribute value should not be empty - CMS_PROFILE_CRL_DISTRIBUTION_POINTS=CRL Distribution Points - CMS_PROFILE_REJECTED=Request {0} Rejected - 
{1}
- CMS_PROFILE_DEFERRED=Request Deferred - {0}
-+CMS_PROFILE_CMC_POP_REQUIRED=Request Deferred due to missing POP - {0}
- CMS_PROFILE_INTERNAL_ERROR=Request {0} - Server Internal Error
- CMS_PROFILE_KEY_ID=Key ID
- CMS_PROFILE_NOT_OWNER=Not Profile Owner
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch b/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch
deleted file mode 100644
index 615721b..0000000
--- a/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch
+++ /dev/null
@@ -1,151 +0,0 @@ -From cf8ba1882bd5349f53d3171824d1eb4c56bc7348 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 28 Aug 2017 23:50:33 +0200 -Subject: [PATCH] Displaying tokenType and tokenOrigin in TPS UI and CLI. - -The TPSCertService has been modified to include tokenType and -tokenOrigin fields in the returned token certificate data. The -TPS UI and CLI have been modified to display the fields. - -https://pagure.io/dogtagpki/issue/2793 - -Change-Id: I740fa69b81de3033e186f8d99c335814275b7218 -(cherry picked from commit 062c99a9012b2d7b00fabc2d2b565415800ce6a7) ---- - .../com/netscape/certsrv/tps/cert/TPSCertData.java | 52 +++++++++++++++++----- - .../com/netscape/cmstools/tps/cert/TPSCertCLI.java | 4 +- - 2 files changed, 45 insertions(+), 11 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java -index 7cefc791d..63ea26667 100644 ---- a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java -+++ b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java -@@ -53,10 +53,12 @@ public class TPSCertData { - String id; - String serialNumber; - String subject; -+ String userID; - String tokenID; -+ String origin; -+ String type; - String keyType; - String status; -- String userID; - Date createTime; - Date modifyTime; - -@@ -89,6 +91,15 @@ public class TPSCertData { - this.subject = subject; - } - -+ @XmlElement(name="UserID") -+ public String getUserID() { -+ return userID; -+ } -+ -+ public void setUserID(String userID) { -+ this.userID = userID; -+ } -+ - @XmlElement(name="TokenID") - public String getTokenID() { - return tokenID; -@@ -98,6 +109,24 @@ public class TPSCertData { - this.tokenID = tokenID; - } - -+ @XmlElement(name="Origin") -+ public String getOrigin() { -+ return origin; -+ } -+ -+ public void setOrigin(String origin) { -+ this.origin = origin; -+ } -+ -+ @XmlElement(name="Type") -+ public String getType() { -+ return type; 
-+ }
-+
-+ public void setType(String type) {
-+ this.type = type;
-+ }
-+
- @XmlElement(name="KeyType")
- public String getKeyType() {
- return keyType;
-@@ -116,15 +145,6 @@ public class TPSCertData {
- this.status = status;
- }
-
-- @XmlElement(name="UserID")
-- public String getUserID() {
-- return userID;
-- }
--
-- public void setUserID(String userID) {
-- this.userID = userID;
-- }
--
- @XmlElement(name="CreateTime")
- public Date getCreateTime() {
- return createTime;
-@@ -161,10 +181,12 @@ public class TPSCertData {
- result = prime * result + ((keyType == null) ? 0 : keyType.hashCode());
- result = prime * result + ((link == null) ? 0 : link.hashCode());
- result = prime * result + ((modifyTime == null) ? 0 : modifyTime.hashCode());
-+ result = prime * result + ((origin == null) ? 0 : origin.hashCode());
- result = prime * result + ((serialNumber == null) ? 0 : serialNumber.hashCode());
- result = prime * result + ((status == null) ? 0 : status.hashCode());
- result = prime * result + ((subject == null) ? 0 : subject.hashCode());
- result = prime * result + ((tokenID == null) ? 0 : tokenID.hashCode());
-+ result = prime * result + ((type == null) ? 0 : type.hashCode());
- result = prime * result + ((userID == null) ?
0 : userID.hashCode());
- return result;
- }
-@@ -203,6 +225,11 @@ public class TPSCertData {
- return false;
- } else if (!modifyTime.equals(other.modifyTime))
- return false;
-+ if (origin == null) {
-+ if (other.origin != null)
-+ return false;
-+ } else if (!origin.equals(other.origin))
-+ return false;
- if (serialNumber == null) {
- if (other.serialNumber != null)
- return false;
-@@ -223,6 +250,11 @@ public class TPSCertData {
- return false;
- } else if (!tokenID.equals(other.tokenID))
- return false;
-+ if (type == null) {
-+ if (other.type != null)
-+ return false;
-+ } else if (!type.equals(other.type))
-+ return false;
- if (userID == null) {
- if (other.userID != null)
- return false;
-diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java
-index 835a522e1..db6867b2d 100644
---- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java
-@@ -53,10 +53,12 @@ public class TPSCertCLI extends CLI {
- System.out.println(" Cert ID: " + cert.getID());
- if (cert.getSerialNumber() != null) System.out.println(" Serial Number: " + cert.getSerialNumber());
- if (cert.getSubject() != null) System.out.println(" Subject: " + cert.getSubject());
-+ if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID());
- if (cert.getTokenID() != null) System.out.println(" Token ID: " + cert.getTokenID());
-+ if (cert.getOrigin() != null) System.out.println(" Origin: " + cert.getOrigin());
-+ if (cert.getType() != null) System.out.println(" Type: " + cert.getType());
- if (cert.getKeyType() != null) System.out.println(" Key Type: " + cert.getKeyType());
- if (cert.getStatus() != null) System.out.println(" Status: " + cert.getStatus());
-- if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID());
- if (cert.getCreateTime() != null) System.out.println(" Create
Time: " + cert.getCreateTime());
- if (cert.getModifyTime() != null) System.out.println(" Modify Time: " + cert.getModifyTime());
-
---
-2.13.5
-
diff --git a/SOURCES/pki-core-Fix-3DES-archival.patch b/SOURCES/pki-core-Fix-3DES-archival.patch
deleted file mode 100644
index a0099e8..0000000
--- a/SOURCES/pki-core-Fix-3DES-archival.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 1d7117081ad3b623af3938595436a35873b0bac6 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 16 Jun 2017 14:48:27 -0400 -Subject: [PATCH 4/4] Fix 3DES archival - -A previous commit mistakenly conflated the wrapping parameters for -DES and DES3 cases, resulting in incorrect data being stored if the -storage was successful at all. This broke ipa vault and probably -also token key archival and recovery. - -This patch sets the right parameters for the 3DES case again. -Part of BZ# 1458043 - -Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4 -(cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf) ---- - .../src/netscape/security/util/WrappingParams.java | 23 ++++++++++++++-------- - 1 file changed, 15 insertions(+), 8 deletions(-) - -diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java -index cda8870..ded572f 100644 ---- a/base/util/src/netscape/security/util/WrappingParams.java -+++ b/base/util/src/netscape/security/util/WrappingParams.java -@@ -67,6 +67,10 @@ public class WrappingParams { - // New clients set this correctly. - // We'll assume the old DES3 wrapping here. 
- encrypt = EncryptionAlgorithm.DES_CBC_PAD;
-+ } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
-+ encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
-+ } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
-+ encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
- } else {
- encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
- }
-@@ -135,23 +139,26 @@ public class WrappingParams {
- payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
- payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
- skLength = 128;
-- }
--
-- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
-+ } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
- skType = SymmetricKey.AES;
- skKeyGenAlgorithm = KeyGenAlgorithm.AES;
- payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
- payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
- skLength = 128;
-- }
--
-- if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
-+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
-+ skType = SymmetricKey.DES3;
-+ skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
-+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
-+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
-+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
-+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
-+ } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
- skType = SymmetricKey.DES;
- skKeyGenAlgorithm = KeyGenAlgorithm.DES;
- skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
- payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
-- payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
-- skLength = 0;
-+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
-+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
- }
-
- if (priKeyAlgo.equals("EC")) {
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch b/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch
deleted file mode 100644
index 8ae52e9..0000000
--- a/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -From 4e76af1fe276a3b9b1392c97ef427a1ecfa42759 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Mon, 28 Aug 2017 14:43:55 +1000 -Subject: [PATCH] KeyClient: fix json encoding in Python 3 - -Fixes: https://pagure.io/dogtagpki/issue/2746 -Change-Id: Iec2912bb90192fec403ac94006ff5927d3526533 -(cherry picked from commit b654e60f20b9e83833313ab89006db8f063bff1f) ---- - base/common/python/pki/key.py | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py -index d2b82970e..a5fc7928c 100644 ---- a/base/common/python/pki/key.py -+++ b/base/common/python/pki/key.py -@@ -668,7 +668,7 @@ class KeyClient(object): - raise TypeError("Must specify Client Key ID") - - if trans_wrapped_session_key is not None: -- twsk = base64.b64encode(trans_wrapped_session_key) -+ twsk = base64.b64encode(trans_wrapped_session_key).decode('ascii') - # noinspection PyUnusedLocal - request = SymKeyGenerationRequest( - client_key_id=client_key_id, -@@ -861,9 +861,9 @@ class KeyClient(object): - if not nonce_iv: - raise TypeError('Missing nonce IV') - -- data = base64.b64encode(encrypted_data) -- twsk = base64.b64encode(wrapped_session_key) -- symkey_params = base64.b64encode(nonce_iv) -+ data = base64.b64encode(encrypted_data).decode('ascii') -+ twsk = base64.b64encode(wrapped_session_key).decode('ascii') -+ symkey_params = base64.b64encode(nonce_iv).decode('ascii') - - request = KeyArchivalRequest(client_key_id=client_key_id, - data_type=data_type, -@@ -904,7 +904,7 @@ class KeyClient(object): - if pki_archive_options is None: - raise TypeError("No data provided to be archived") - -- data = base64.b64encode(pki_archive_options) -+ data = base64.b64encode(pki_archive_options).decode('ascii') - request = KeyArchivalRequest(client_key_id=client_key_id, - data_type=data_type, - pki_archive_options=data, -@@ -1022,7 +1022,7 @@ class KeyClient(object): - key_id=key_id, - request_id=request_id, - 
trans_wrapped_session_key=base64.b64encode( -- trans_wrapped_session_key), -+ trans_wrapped_session_key).decode('ascii'), - payload_encryption_oid=self.encrypt_alg_oid, - payload_wrapping_name=self.wrap_name - ) --- -2.13.5 - diff --git a/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch b/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch deleted file mode 100644 index 374da35..0000000 --- a/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 606027b188fee6d20c17323d7c464d6630024a20 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 23 Aug 2017 20:53:25 +1000 -Subject: [PATCH] Fix regression in lightweight CA replication - -Fixes: https://pagure.io/dogtagpki/issue/2796 -Change-Id: Ic5e42b80156f777299f4e487932305160c2d48f6 ---- - base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index eca8dddb6..2daf0d797 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -2307,8 +2307,9 @@ public class CryptoUtil { - BIT_STRING encSymKey = encVal.getEncSymmKey(); - BIT_STRING encPrivKey = encVal.getEncValue(); - -- SymmetricKey sk = unwrap(token, SymmetricKey.Type.DES3, 0, null, unwrappingKey, encSymKey.getBits(), -- KeyWrapAlgorithm.RSA); -+ SymmetricKey sk = unwrap( -+ token, SymmetricKey.Type.DES3, 0, SymmetricKey.Usage.UNWRAP, -+ unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA); - - ASN1Value v = algId.getParameters(); - v = ((ANY) v).decodeWith(new OCTET_STRING.Template()); --- -2.13.5 - diff --git a/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch b/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch deleted file mode 100644 index 9d0628e..0000000 
--- a/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From ab0cb37875648abfc07e7d781fa91c368f67d313 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 25 Jul 2017 18:02:02 -0700 -Subject: [PATCH] Ticket #2788 Missing CN in user signing cert would cause - error in cmc user-signed This patch takes care of the issue that - CMCUserSignedAuth cannot handle cases when CN is not in the subjectDN - -Change-Id: Ieac0712d051dcb993498d9680f005c04158b5549 -(cherry picked from commit 507a8888b6eccfe716ca7bc4647f71cee973afcf) ---- - .../netscape/cms/authentication/CMCUserSignedAuth.java | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index e11a34427..7f872c83d 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -371,9 +371,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } else { - CMS.debug(method + "signed with user cert"); - userid = userToken.getInString("userid"); -- uid = userToken.getInString("cn"); -+ uid = userToken.getInString("id"); - if (userid == null && uid == null) { -- msg = " verifySignerInfo failure... missing userid and cn"; -+ msg = " verifySignerInfo failure... 
missing id"; - CMS.debug(method + msg); - throw new EBaseException(msg); - } -@@ -1069,7 +1069,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // cert subject principal later in CMCOutputTemplate - // in case of user signed revocation - auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal); -- auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName()); -+ auditContext.put(SessionContext.CMC_SIGNER_INFO, -+ cmcPrincipal.toString()); - - // check ssl client cert against cmc signer - if (!clientPrincipal.equals(cmcPrincipal)) { -@@ -1160,13 +1161,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - IAuthToken tempToken = new AuthToken(null); - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); -- String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); -- CMS.debug(method + " Principal name = " + CN); -+ String ID = tempPrincipal.toString(); //tempToken.get("userid"); -+ CMS.debug(method + " Principal name = " + ID); - - BigInteger certSerial = x509Certs[0].getSerialNumber(); - CMS.debug(method + " verified cert serial=" + certSerial.toString()); - authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); -- tempToken.set("cn", CN); -+ tempToken.set("id", ID); - - s.close(); - return tempToken; -@@ -1221,9 +1222,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - netscape.security.x509.X500Name principal = - (X500Name) cert.getSubjectDN(); - -- String CN = principal.getCommonName(); -- CMS.debug(method + " Principal name = " + CN); -- auditContext.put(SessionContext.USER_ID, CN); -+ CMS.debug(method + " Principal name = " + principal.toString()); -+ auditContext.put(SessionContext.USER_ID, principal.toString()); - } - - public String[] getExtendedPluginInfo(Locale locale) { --- -2.13.5 - 
diff --git a/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch b/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch
deleted file mode 100644
index d2b1f67..0000000
--- a/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From 887d70ce1b8c4a00f62c2b4eec24326e487da5bd Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 15 Jun 2017 12:38:26 +1000 -Subject: [PATCH 3/4] Fix regression in pkcs12 key bag creation - -Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12 -file handing to never deal with raw private key material. -PKCS12Util.addKeyBag() was changed to export the PrivateKey handle, -or fail. This change missed this case where a PKCS #12 file is -loaded from file, possibly modified, then written back to a file, -without involving an NSSDB. One example is pkcs12-cert-del which -deletes a certificate and associated key from a PKCS #12 file. - -Fix the PKCS12Util.addKeyBag() method to use the stored -EncryptedPricateKeyInfo if available, otherwise export the -PrivateKey handle. - -Fixes: https://pagure.io/dogtagpki/issue/2741 -Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a -(cherry picked from commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de) ---- - .../src/netscape/security/pkcs/PKCS12Util.java | 58 ++++++++++++++-------- - 1 file changed, 37 insertions(+), 21 deletions(-) - -diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java -index 31c7126..1bc1bae 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12Util.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java -@@ -102,33 +102,49 @@ public class PKCS12Util { - icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); - } - -- /** -- * Used during EXPORT to add a private key to the PKCS12. -+ /** Add a private key to the PKCS #12 object. -+ * -+ * The PKCS12KeyInfo object received comes about in two -+ * different scenarios: -+ * -+ * - The private key could be in encrypted byte[] form (e.g. -+ * when we have merely loaded a PKCS #12 file for inspection -+ * or e.g. to delete a certificate and its associated key). -+ * In this case we simply re-use this encrypted private key -+ * info byte[]. 
- * -- * The private key is exported directly from the token, into -- * an EncryptedPrivateKeyInfo value, then added as a -- * "Shrouded Key Bag" to the PKCS #12 object. Unencrypted -- * key material is never seen. -+ * - The private key could be a be an NSS PrivateKey handle. In -+ * this case we must export the PrivateKey from the token to -+ * obtain the EncryptedPrivateKeyInfo. -+ * -+ * The common final step is to add the encrypted private key -+ * data to a "Shrouded Key Bag" to the PKCS #12 object. -+ * Unencrypted key material is never seen. - */ - public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, - SEQUENCE encSafeContents) throws Exception { -- PrivateKey k = keyInfo.getPrivateKey(); -- if (k == null) { -- logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); -- return; -- } -- - logger.debug("Creating key bag for " + keyInfo.subjectDN); - -- PasswordConverter passConverter = new PasswordConverter(); -- byte[] epkiBytes = CryptoManager.getInstance() -- .getInternalKeyStorageToken() -- .getCryptoStore() -- .getEncryptedPrivateKeyInfo( -- /* NSS has a bug that causes any AES CBC encryption -- * to use AES-256, but AlgorithmID contains chosen -- * alg. To avoid mismatch, use AES_256_CBC. */ -- passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k); -+ byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes(); -+ if (epkiBytes == null) { -+ PrivateKey k = keyInfo.getPrivateKey(); -+ if (k == null) { -+ logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); -+ return; -+ } -+ logger.debug("Encrypting private key for " + keyInfo.subjectDN); -+ -+ PasswordConverter passConverter = new PasswordConverter(); -+ epkiBytes = CryptoManager.getInstance() -+ .getInternalKeyStorageToken() -+ .getCryptoStore() -+ .getEncryptedPrivateKeyInfo( -+ /* NSS has a bug that causes any AES CBC encryption -+ * to use AES-256, but AlgorithmID contains chosen -+ * alg. To avoid mismatch, use AES_256_CBC. 
*/ -+ passConverter, password, -+ EncryptionAlgorithm.AES_256_CBC, 0, k); -+ } - - SET keyAttrs = createKeyBagAttrs(keyInfo); - --- -1.8.3.1 - diff --git a/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch b/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch deleted file mode 100644 index f6f74f2..0000000 --- a/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch +++ /dev/null @@ -1,37 +0,0 @@ -From e5bd4436541b726f128afd18b113ff80ce18a6b5 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 16 Jun 2017 19:25:05 -0400 -Subject: [PATCH 1/4] Fix token enrollment and recovery ivs - -In encryption mode, the archival of the geenrated key uses the -wrapIV, while the recovery uses the encryptIV. To make sure -these are consistent, they need to be set to be the same. - -Bugzilla BZ #1458043 - -Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b -(cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c) ---- - base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 96d7aae..07333b7 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService { - - try { - params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); -+ -+ // In encrypt mode, the recovery side is doing a decrypt() using the -+ // encryption IV. To be sure this is successful, we will make sure' -+ // the IVs are the same. -+ params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); -+ - privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); - } catch (Exception e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); --- -1.8.3.1 - 
diff --git a/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch b/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch deleted file mode 100644 index 38d1c4e..0000000 --- a/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 09b673f3f4bbc5e9b70722bbe240e0347e3dd3fc Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 11 Aug 2017 15:17:09 +1000 -Subject: [PATCH] Fix FixDeploymentDescriptor upgrade script if source file is - missing - -On RHEL, the pki#admin.xml file may be absent, causing the -FixDeploymentDescriptor to break (and subsequent upgrade scriptlets -to not be executed). Add a check that the source file exists. - -Fixes: https://pagure.io/dogtagpki/issue/2789 -Change-Id: I686e8fae534f8044cb1ce40b31e2462c4f0ac988 -(cherry picked from commit d0a861923a27672d8633c87e21fb8596080e84af) ---- - base/server/upgrade/10.3.5/02-FixDeploymentDescriptor | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor -index 27c895980..858dbed43 100644 ---- a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor -+++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor -@@ -46,6 +46,9 @@ class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet): - source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml - target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml - -+ if not os.path.exists(source_xml): -+ return -+ - # if deployment descriptor doesn't exist, install the default - if not os.path.exists(target_xml): - self.copy_file(instance, source_xml, target_xml) --- -2.13.5 - diff --git a/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch b/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch deleted file mode 100644 index 5d839da..0000000 --- a/SOURCES/pki-core-HSM-key-changeover-SCP03-support.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From af96c3fc7cb41cbe6c14722418e132f5eadd93e1 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Thu, 29 Jun 2017 14:23:47 -0700 -Subject: [PATCH] SCP03 support: fix Key Changeover with HSM (RHCS) - -Ticket #2764. - -This relatively simple fix involves making sure the correct crypto token is being used to search for the master key int the case of symmetric key changover where the master key resides on an HSM. - -(cherry picked from commit 7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e) ---- - .../cms/servlet/tks/SecureChannelProtocol.java | 29 ++++++++++++++-------- - 1 file changed, 18 insertions(+), 11 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -index 0542470..c3b3952 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; - import org.mozilla.jss.crypto.SymmetricKeyDeriver; - import org.mozilla.jss.crypto.TokenException; - -+import sun.security.pkcs11.wrapper.PKCS11Constants; -+ - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.cmsutil.crypto.CryptoUtil; - --import sun.security.pkcs11.wrapper.PKCS11Constants; -- - public class SecureChannelProtocol { - - static String sharedSecretKeyName = null; -@@ -1874,13 +1874,13 @@ public class SecureChannelProtocol { - kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3"); - } else if (protocol == PROTOCOL_THREE) { - CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!"); -- encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, -+ encKey = this.computeSessionKey_SCP03(newTokenName, 
newMasterKeyName, newKeyInfo, - SecureChannelProtocol.encType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); -- macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, -+ macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, - SecureChannelProtocol.macType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); -- kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, -+ kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, - SecureChannelProtocol.kekType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); - } -@@ -1916,13 +1916,14 @@ public class SecureChannelProtocol { - } else { // protocol 3 - - CMS.debug(method + " Generating new card keys to upgrade to, protocol 3."); -- encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, -+ CMS.debug("tokenName: " + tokenName + " newTokenName: " + newTokenName); -+ encKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, - SecureChannelProtocol.encType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); -- macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, -+ macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, - SecureChannelProtocol.macType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); -- kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, -+ kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, - SecureChannelProtocol.kekType, kekKeyArray, - keySet, CUIDValue, KDD, null, null, transportKeyName, params); - -@@ -1931,6 +1932,7 @@ public class SecureChannelProtocol { - old_kek_sym_key = this.computeSessionKey_SCP03(tokenName, oldMasterKeyName, oldKeyInfo, - SecureChannelProtocol.kekType, kekKeyArray, - keySet, CUIDValue, 
KDD, null, null, transportKeyName, params); -+ - } - - if (encKey == null || macKey == null || kekKey == null) { -@@ -2076,9 +2078,14 @@ public class SecureChannelProtocol { - encrypted_mac_key = this.wrapSessionKey(tokenName, macKey, wrappingKey); - encrypted_kek_key = this.wrapSessionKey(tokenName, kekKey, wrappingKey); - -- keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, tokenName); -- keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, tokenName); -- keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, tokenName); -+ try { -+ keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, encKey.getOwningToken().getName()); -+ keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, macKey.getOwningToken().getName()); -+ keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, kekKey.getOwningToken().getName()); -+ } catch (TokenException e) { -+ throw new EBaseException(method + e); -+ } -+ - - } else { - throw new EBaseException(method + " Invalid SCP version requested!"); --- -1.8.3.1 - diff --git a/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch b/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch deleted file mode 100644 index 6a28873..0000000 --- a/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From b16956b856e9bb8ffa8d2cd356f4120b36ebe6e9 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 6 Apr 2017 13:27:56 +1000 -Subject: [PATCH] KRA: use AES in PKCS #12 recovery for encrypted keys - -The KRA has two private key recovery code paths: one dealing with -keys wrapped to the storage key, and one dealing with symmetrically -encrypted keys. Each has a separate function for constructing a -PKCS #12 file for the recovered key. - -This commit updates the PKCS #12 generation for encrypted keys to -use AES encryption. From the KRA recovery process we start with a -byte[] of PrivateKeyInfo. The previous procedure used -EncryptedPrivateKeyInfo.createPBE(), the encryption algorithm being -PBEAlgorithm.PBE_SHA1_DES3_CBC. This commit changes the procedure -to use AES, using the new EncryptedPrivateKeyInfo.createPBES2() JSS -method and AES_128_CBC_PAD. - -The old codepath is retained and selected by the kra.legacyPKCS12 -CMS config. It is needed if the token/HSM does not support the -CKM_PKCS5_PBKD2 PKCS #11 mechanism. 
- -Fixes: https://pagure.io/dogtagpki/issue/2664 - -Change-Id: Ie292147caab357679b2be5cf3b6cd739e5bed8e0 -(cherry picked from commit ae97f21bf8d2ec83a410127872dd196a46f9dbbd) ---- - base/kra/src/com/netscape/kra/RecoveryService.java | 24 +++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index 023eb8093..a7d639208 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -648,18 +648,36 @@ public class RecoveryService implements IService { - SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new - PasswordConverter(); -- byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; - PrivateKeyInfo pki = (PrivateKeyInfo) - ASN1Util.decode(PrivateKeyInfo.getTemplate(), - priData); -- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( -+ EncryptedPrivateKeyInfo epki = null; -+ -+ boolean legacyP12 = -+ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true); -+ -+ if (legacyP12) { -+ /* legacy mode may be required e.g. when token/HSM -+ * does not support CKM_PKCS5_PBKD2 mechanism */ -+ byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; -+ epki = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, - pass, salt, 1, passConverter, pki); -+ } else { -+ epki = EncryptedPrivateKeyInfo.createPBES2( -+ 16, // saltLen -+ 2000, // kdfIterations -+ EncryptionAlgorithm.AES_128_CBC_PAD, -+ pass, -+ passConverter, -+ pki); -+ } -+ - SET keyAttrs = createBagAttrs( - x509cert.getSubjectDN().toString(), - localKeyId); - SafeBag keyBag = new SafeBag( -- SafeBag.PKCS8_SHROUDED_KEY_BAG, key, -+ SafeBag.PKCS8_SHROUDED_KEY_BAG, epki, - keyAttrs); // ?? - - safeContents.addElement(keyBag); --- -2.13.5 - 
diff --git a/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch b/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch
deleted file mode 100644
index e0b175d..0000000
--- a/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -From 137832b2892dfc596ed067a86242d341f2c325e7 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 14 Sep 2017 12:22:47 +1000 -Subject: [PATCH] Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31 - -For compatibility with OpenSSL and NSS >= 3.31, the passphrase must -not be BMPString-encoded when non-PKCS #12 PBE schemes such as -PBES2. - -Fixes: https://pagure.io/dogtagpki/issue/2809 - -Change-Id: Ic78ad337ac0b9b2f5d2e75581cc0ee55e6d82782 -(cherry picked from commit ed5cccefebf98e588a5385191e43f727349b54a9) ---- - base/kra/src/com/netscape/kra/RecoveryService.java | 26 +++++++++++++++---- - .../cms/servlet/csadmin/ConfigurationUtils.java | 15 ++++++++--- - .../src/netscape/security/pkcs/PKCS12Util.java | 29 ++++++++++++++++++---- - 3 files changed, 57 insertions(+), 13 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index a7d639208..0d293e411 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -508,10 +508,21 @@ public class RecoveryService implements IService { - } - } else { - byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( -+ /* For compatibility with OpenSSL and NSS >= 3.31, -+ * do not BMPString-encode the passphrase when using -+ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. -+ * -+ * The resulting PKCS #12 is not compatible with -+ * NSS < 3.31. -+ */ -+ null /* passConverter */, -+ pass, - /* NSS has a bug that causes any AES CBC encryption - * to use AES-256, but AlgorithmID contains chosen - * alg. To avoid mismatch, use AES_256_CBC. 
*/ -- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); -+ EncryptionAlgorithm.AES_256_CBC, -+ 0 /* iterations (use default) */, -+ priKey); - CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); - if (epkiBytes == null) { - CMS.debug("RecoverService: createPFX() epkiBytes null"); -@@ -646,8 +657,6 @@ public class RecoveryService implements IService { - pwd.toCharArray()); - - SEQUENCE safeContents = new SEQUENCE(); -- PasswordConverter passConverter = new -- PasswordConverter(); - PrivateKeyInfo pki = (PrivateKeyInfo) - ASN1Util.decode(PrivateKeyInfo.getTemplate(), - priData); -@@ -662,14 +671,21 @@ public class RecoveryService implements IService { - byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; - epki = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, -- pass, salt, 1, passConverter, pki); -+ pass, salt, 1, new PasswordConverter(), pki); - } else { - epki = EncryptedPrivateKeyInfo.createPBES2( - 16, // saltLen - 2000, // kdfIterations - EncryptionAlgorithm.AES_128_CBC_PAD, - pass, -- passConverter, -+ /* For compatibility with OpenSSL and NSS >= 3.31, -+ * do not BMPString-encode the passphrase when using -+ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. -+ * -+ * The resulting PKCS #12 is not compatible with -+ * NSS < 3.31. 
-+ */ -+ null /* passConverter */, - pki); - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index ebade36bc..df3b4672d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -1058,9 +1058,18 @@ public class ConfigurationUtils { - // this is OK - } - -- // import private key into database -- store.importEncryptedPrivateKeyInfo( -- new PasswordConverter(), password, nickname, publicKey, epki); -+ try { -+ // first true without BMPString-encoding the passphrase. -+ store.importEncryptedPrivateKeyInfo( -+ null, password, nickname, publicKey, epki); -+ } catch (Exception e) { -+ // if that failed, try again with BMPString-encoded -+ // passphrase. This is required for PKCS #12 PBE -+ // schemes and for PKCS #12 files using PBES2 generated -+ // by NSS < 3.31 -+ store.importEncryptedPrivateKeyInfo( -+ new PasswordConverter(), password, nickname, publicKey, epki); -+ } - } - - CMS.debug("Importing new certificates:"); -diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java -index 1bc1baee5..1018b21f6 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12Util.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java -@@ -134,16 +134,25 @@ public class PKCS12Util { - } - logger.debug("Encrypting private key for " + keyInfo.subjectDN); - -- PasswordConverter passConverter = new PasswordConverter(); - epkiBytes = CryptoManager.getInstance() - .getInternalKeyStorageToken() - .getCryptoStore() - .getEncryptedPrivateKeyInfo( -+ /* For compatibility with OpenSSL and NSS >= 3.31, -+ * do not BMPString-encode the passphrase when using -+ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. -+ * -+ * The resulting PKCS #12 is not compatible with -+ * NSS < 3.31. 
-+ */ -+ null /* passConverter */, -+ password, - /* NSS has a bug that causes any AES CBC encryption - * to use AES-256, but AlgorithmID contains chosen - * alg. To avoid mismatch, use AES_256_CBC. */ -- passConverter, password, -- EncryptionAlgorithm.AES_256_CBC, 0, k); -+ EncryptionAlgorithm.AES_256_CBC, -+ 0 /* iterations (default) */, -+ k); - } - - SET keyAttrs = createKeyBagAttrs(keyInfo); -@@ -616,8 +625,18 @@ public class PKCS12Util { - "No EncryptedPrivateKeyInfo for key '" - + keyInfo.subjectDN + "'; skipping key"); - } -- store.importEncryptedPrivateKeyInfo( -- new PasswordConverter(), password, nickname, publicKey, epkiBytes); -+ try { -+ // first true without BMPString-encoding the passphrase. -+ store.importEncryptedPrivateKeyInfo( -+ null, password, nickname, publicKey, epkiBytes); -+ } catch (Exception e) { -+ // if that failed, try again with BMPString-encoded -+ // passphrase. This is required for PKCS #12 PBE -+ // schemes and for PKCS #12 files using PBES2 generated -+ // by NSS < 3.31 -+ store.importEncryptedPrivateKeyInfo( -+ new PasswordConverter(), password, nickname, publicKey, epkiBytes); -+ } - - // delete the cert again (it will be imported again later - // with the correct nickname) --- -2.13.5 - diff --git a/SOURCES/pki-core-SecurityDataRecoveryService.patch b/SOURCES/pki-core-SecurityDataRecoveryService.patch deleted file mode 100644 index 979abd5..0000000 --- a/SOURCES/pki-core-SecurityDataRecoveryService.patch +++ /dev/null 
@@ -1,88 +0,0 @@ ---- patch/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 04:56:02.188426066 +0200 -+++ pki/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 01:50:56.698341052 +0200 -@@ -17,6 +17,8 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.kra; - -+import java.math.BigInteger; -+ - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.dbs.keydb.KeyId; -@@ -41,6 +43,7 @@ public class SecurityDataRecoveryService - - private IKeyRecoveryAuthority kra = null; - private SecurityDataProcessor processor = null; -+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); - - public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) { - this.kra = kra; -@@ -65,8 +68,66 @@ public class SecurityDataRecoveryService - throws EBaseException { - - CMS.debug("SecurityDataRecoveryService.serviceRequest()"); -- processor.recover(request); -- kra.getRequestQueue().updateRequest(request); -+ -+ // parameters for auditing -+ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); -+ BigInteger serialNumber = request.getExtDataInBigInteger("serialNumber"); -+ KeyId keyId = serialNumber != null ? new KeyId(serialNumber): null; -+ RequestId requestID = request.getRequestId(); -+ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); -+ -+ try { -+ processor.recover(request); -+ kra.getRequestQueue().updateRequest(request); -+ auditRecoveryRequestProcessed( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ requestID, -+ keyId, -+ null, -+ approvers); -+ } catch (EBaseException e) { -+ auditRecoveryRequestProcessed( -+ auditSubjectID, -+ ILogger.FAILURE, -+ requestID, -+ keyId, -+ e.getMessage(), -+ approvers); -+ throw e; -+ } - return false; //TODO: return true? 
- } -+ -+ private void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ -+ private void audit(String msg) { -+ if (signedAuditLogger == null) -+ return; -+ -+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, -+ null, -+ ILogger.S_SIGNED_AUDIT, -+ ILogger.LL_SECURITY, -+ msg); -+ } -+ -+ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, -+ KeyId keyID, String reason, String recoveryAgents) { -+ audit(new SecurityDataRecoveryProcessedEvent( -+ subjectID, -+ status, -+ requestID, -+ keyID, -+ reason, -+ recoveryAgents)); -+ } - } diff --git a/SOURCES/pki-core-alpha.patch b/SOURCES/pki-core-alpha.patch deleted file mode 100644 index 8b8c196..0000000 --- a/SOURCES/pki-core-alpha.patch +++ /dev/null 
@@ -1,18931 +0,0 @@ -From 8d60caa44803915c153e1919ccaf08b166d38190 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 29 Mar 2017 03:36:39 +0200 -Subject: [PATCH 01/59] Removed duplicate PROP_ROLLOVER_INTERVAL constant. - -Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98 ---- - .../src/com/netscape/cms/logging/RollingLogFile.java | 18 +++++++++--------- - .../netscape/cms/servlet/admin/LogAdminServlet.java | 2 +- - 2 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -index 32568da..d84c441 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.IExtendedPluginInfo; -+import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ELogException; -@@ -49,7 +50,6 @@ import com.netscape.cmsutil.util.Utils; - */ - public class RollingLogFile extends LogFile { - public static final String PROP_MAX_FILE_SIZE = "maxFileSize"; -- public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval"; - public static final String PROP_EXPIRATION_TIME = "expirationTime"; - - /** -@@ -116,7 +116,7 @@ public class RollingLogFile extends LogFile { - super.init(config); - - rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE), -- config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL), -+ config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), - config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); - } - -@@ -585,7 +585,7 @@ public class RollingLogFile extends LogFile { - Vector v = 
super.getDefaultParams(); - - v.addElement(PROP_MAX_FILE_SIZE + "="); -- v.addElement(PROP_ROLLOVER_INTERVAL + "="); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); - //v.addElement(PROP_EXPIRATION_TIME + "="); - return v; - } -@@ -596,15 +596,15 @@ public class RollingLogFile extends LogFile { - try { - v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024); - if (mRolloverInterval / 1000 <= 60 * 60) -- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly"); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly"); - else if (mRolloverInterval / 1000 <= 60 * 60 * 24) -- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily"); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Daily"); - else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7) -- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly"); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Weekly"); - else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30) -- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly"); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Monthly"); - else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366) -- v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly"); -+ v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Yearly"); - - //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000); - } catch (Exception e) { -@@ -622,7 +622,7 @@ public class RollingLogFile extends LogFile { - } - info.addElement(PROP_MAX_FILE_SIZE - + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); -- info.addElement(PROP_ROLLOVER_INTERVAL -+ info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL - + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); - info.addElement(PROP_EXPIRATION_TIME - + ";integer;The amount of time before a backed up log is removed in seconds"); -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -index d665224..08c3293 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -@@ -1645,7 +1645,7 @@ public class LogAdminServlet extends AdminServlet { - - } - -- if (key.equals("rolloverInterval")) { -+ if (key.equals(Constants.PR_LOG_ROLLEROVER_INTERVAL)) { - if (val.equals("Hourly")) - val = Integer.toString(60 * 60); - else if (val.equals("Daily")) --- -1.8.3.1 - - -From 939896c06013065a7566002a2708d4598d3d7b96 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 30 Mar 2017 07:08:52 +0200 -Subject: [PATCH 02/59] Removed duplicate PROP_MAX_FILE_SIZE constant. - -Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6 ---- - base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -index d84c441..4d29715 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils; - * @version $Revision$, $Date$ - */ - public class RollingLogFile extends LogFile { -- public static final String PROP_MAX_FILE_SIZE = "maxFileSize"; - public static final String PROP_EXPIRATION_TIME = "expirationTime"; - - /** -@@ -115,7 +114,7 @@ public class RollingLogFile extends LogFile { - EBaseException { - super.init(config); - -- rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE), -+ rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE), - config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), - 
config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); - } -@@ -584,7 +583,7 @@ public class RollingLogFile extends LogFile { - public Vector getDefaultParams() { - Vector v = super.getDefaultParams(); - -- v.addElement(PROP_MAX_FILE_SIZE + "="); -+ v.addElement(Constants.PR_LOG_MAXFILESIZE + "="); - v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); - //v.addElement(PROP_EXPIRATION_TIME + "="); - return v; -@@ -594,7 +593,7 @@ public class RollingLogFile extends LogFile { - Vector v = super.getInstanceParams(); - - try { -- v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024); -+ v.addElement(Constants.PR_LOG_MAXFILESIZE + "=" + mMaxFileSize / 1024); - if (mRolloverInterval / 1000 <= 60 * 60) - v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly"); - else if (mRolloverInterval / 1000 <= 60 * 60 * 24) -@@ -620,7 +619,7 @@ public class RollingLogFile extends LogFile { - if (!p[i].startsWith(IExtendedPluginInfo.HELP_TOKEN) && !p[i].startsWith(IExtendedPluginInfo.HELP_TEXT)) - info.addElement(p[i]); - } -- info.addElement(PROP_MAX_FILE_SIZE -+ info.addElement(Constants.PR_LOG_MAXFILESIZE - + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); - info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL - + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); --- -1.8.3.1 - - -From 01b510f51992e04ffc84aefdd2d3e1f09b09b480 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 30 Mar 2017 22:57:19 +0200 -Subject: [PATCH 03/59] Removed duplicate PROP_EXPIRATION_TIME constant. 
- -Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3 ---- - base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 7 +++---- - .../cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java | 6 +++--- - 2 files changed, 6 insertions(+), 7 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -index 4d29715..fb70f46 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils; - * @version $Revision$, $Date$ - */ - public class RollingLogFile extends LogFile { -- public static final String PROP_EXPIRATION_TIME = "expirationTime"; - - /** - * The default max file size in bytes -@@ -116,7 +115,7 @@ public class RollingLogFile extends LogFile { - - rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE), - config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL), -- config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME)); -+ config.getString(Constants.PR_LOG_EXPIRED_TIME, EXPIRATION_TIME)); - } - - /** -@@ -585,7 +584,7 @@ public class RollingLogFile extends LogFile { - - v.addElement(Constants.PR_LOG_MAXFILESIZE + "="); - v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "="); -- //v.addElement(PROP_EXPIRATION_TIME + "="); -+ //v.addElement(Constants.PR_LOG_EXPIRED_TIME + "="); - return v; - } - -@@ -623,7 +622,7 @@ public class RollingLogFile extends LogFile { - + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated."); - info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL - + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated."); -- info.addElement(PROP_EXPIRATION_TIME -+ info.addElement(Constants.PR_LOG_EXPIRED_TIME - + ";integer;The amount of time before a backed up log is 
removed in seconds"); - info.addElement(IExtendedPluginInfo.HELP_TOKEN + - //";configuration-logrules-rollinglogfile"); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -index 08c3293..13ba52c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -@@ -834,7 +834,7 @@ public class LogAdminServlet extends AdminServlet { - // files is no longer supported, it is still a required parameter - // that must be present during the creation and modification of - // custom log plugins. -- substore.put("expirationTime", "0"); -+ substore.put(Constants.PR_LOG_EXPIRED_TIME, "0"); - - // Instantiate an object for this implementation - String className = plugin.getClassPath(); -@@ -1591,7 +1591,7 @@ public class LogAdminServlet extends AdminServlet { - // files is no longer supported, it is still a required parameter - // that must be present during the creation and modification of - // custom log plugins. -- substore.put("expirationTime", "0"); -+ substore.put(Constants.PR_LOG_EXPIRED_TIME, "0"); - - // IMPORTANT: save a copy of the original log file path - origLogPath = substore.getString(Constants.PR_LOG_FILENAME); -@@ -1702,7 +1702,7 @@ public class LogAdminServlet extends AdminServlet { - } - } - /* -- if (key.equals("expirationTime")) { -+ if (key.equals(Constants.PR_LOG_EXPIRED_TIME)) { - String origVal = substore.getString(key); - - val = val.trim(); --- -1.8.3.1 - - -From 1d3216aece7381cbac7b812dfbb969b466b31abe Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 30 Mar 2017 22:31:30 +0200 -Subject: [PATCH 04/59] Fixed default subsystems for top-level CLI commands. - -The top-level CLI commands have been modified to get the subsystem -name from the parent subsystem CLI if available, otherwise they -will use a hard-coded default value. 
- -https://pagure.io/dogtagpki/issue/2626 - -Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0 ---- - base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java | 10 ++++++++-- - base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 10 ++++++++-- - base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java | 9 +++++++-- - .../src/com/netscape/cmstools/system/SecurityDomainCLI.java | 10 ++++++++-- - base/java-tools/src/com/netscape/cmstools/user/UserCLI.java | 10 ++++++++-- - 5 files changed, 39 insertions(+), 10 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java -index 9687084..af117a6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java -@@ -32,6 +32,7 @@ import com.netscape.certsrv.cert.CertReviewResponse; - import com.netscape.certsrv.client.PKIClient; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - - /** - * @author Endi S. 
Dewata -@@ -81,8 +82,13 @@ public class CertCLI extends CLI { - PKIClient client = getClient(); - - // determine the subsystem -- String subsystem = client.getSubsystem(); -- if (subsystem == null) subsystem = "ca"; -+ String subsystem; -+ if (parent instanceof SubsystemCLI) { -+ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; -+ subsystem = subsystemCLI.getName(); -+ } else { -+ subsystem = "ca"; -+ } - - // create new cert client - certClient = new CertClient(client, subsystem); -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -index bd4651d..5ccf70d 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -@@ -26,6 +26,7 @@ import com.netscape.certsrv.group.GroupClient; - import com.netscape.certsrv.group.GroupData; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - - /** - * @author Endi S. 
Dewata -@@ -67,8 +68,13 @@ public class GroupCLI extends CLI { - PKIClient client = getClient(); - - // determine the subsystem -- String subsystem = client.getSubsystem(); -- if (subsystem == null) subsystem = "ca"; -+ String subsystem; -+ if (parent instanceof SubsystemCLI) { -+ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; -+ subsystem = subsystemCLI.getName(); -+ } else { -+ subsystem = "ca"; -+ } - - // create new group client - groupClient = new GroupClient(client, subsystem); -diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java -index b9b27d1..d7c087f 100644 ---- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java -@@ -27,6 +27,7 @@ import com.netscape.certsrv.system.SystemCertClient; - import com.netscape.certsrv.util.NSSCryptoProvider; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - import com.netscape.cmsutil.util.Utils; - - /** -@@ -78,9 +79,13 @@ public class KeyCLI extends CLI { - PKIClient client = getClient(); - - // determine the subsystem -- String subsystem = client.getSubsystem(); -- if (subsystem == null) -+ String subsystem; -+ if (parent instanceof SubsystemCLI) { -+ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; -+ subsystem = subsystemCLI.getName(); -+ } else { - subsystem = "kra"; -+ } - - // create new key client - keyClient = new KeyClient(client, subsystem); -diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java -index d9db91e..ea6cd29 100644 ---- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java -@@ -25,6 +25,7 @@ import com.netscape.certsrv.system.SecurityDomainHost; - import 
com.netscape.certsrv.system.SecurityDomainSubsystem; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - - /** - * @author Endi S. Dewata -@@ -60,8 +61,13 @@ public class SecurityDomainCLI extends CLI { - PKIClient client = getClient(); - - // determine the subsystem -- String subsystem = client.getSubsystem(); -- if (subsystem == null) subsystem = "ca"; -+ String subsystem; -+ if (parent instanceof SubsystemCLI) { -+ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; -+ subsystem = subsystemCLI.getName(); -+ } else { -+ subsystem = "ca"; -+ } - - // create new security domain client - securityDomainClient = new SecurityDomainClient(client, subsystem); -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -index 57a132c..1acbf0b 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -@@ -27,6 +27,7 @@ import com.netscape.certsrv.user.UserData; - import com.netscape.certsrv.user.UserResource; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - - /** - * @author Endi S. Dewata -@@ -70,8 +71,13 @@ public class UserCLI extends CLI { - PKIClient client = getClient(); - - // determine the subsystem -- String subsystem = client.getSubsystem(); -- if (subsystem == null) subsystem = "ca"; -+ String subsystem; -+ if (parent instanceof SubsystemCLI) { -+ SubsystemCLI subsystemCLI = (SubsystemCLI)parent; -+ subsystem = subsystemCLI.getName(); -+ } else { -+ subsystem = "ca"; -+ } - - // create new user client - userClient = new UserClient(client, subsystem); --- -1.8.3.1 - - -From 269f7d62ab3c8d13f7746fccb69cb0b305c46fb9 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Fri, 31 Mar 2017 04:48:24 +0200 -Subject: [PATCH 05/59] Fixed pylint errors in pki.server.cli.subsystem. - -https://pagure.io/dogtagpki/issue/2627 - -Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd ---- - base/server/python/pki/server/cli/subsystem.py | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index 04461f2..ee5d2d2 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -24,7 +24,6 @@ from __future__ import print_function - import getopt - import getpass - import os --import string - import subprocess - import sys - from tempfile import mkstemp -@@ -789,7 +788,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - - # format cert data for LDAP database - lines = [data[i:i + 64] for i in range(0, len(data), 64)] -- data = string.join(lines, '\r\n') + '\r\n' -+ data = '\r\n'.join(lines) + '\r\n' - - if self.verbose: - print('Retrieving certificate request from CA database') -@@ -812,7 +811,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - lines = lines[1:] - if lines[-1] == '-----END CERTIFICATE REQUEST-----': - lines = lines[:-1] -- request = string.join(lines, '') -+ request = ''.join(lines) - subsystem_cert['request'] = request - - else: --- -1.8.3.1 - - -From 671157f430eb6fa46ad2132758e3d06f602724f4 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 31 Mar 2017 05:05:37 +0200 -Subject: [PATCH 06/59] Fixed pylint error in pki.authority. 
- -https://pagure.io/dogtagpki/issue/2627 - -Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac ---- - base/common/python/pki/authority.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py -index 00c6fd9..f6880b5 100644 ---- a/base/common/python/pki/authority.py -+++ b/base/common/python/pki/authority.py -@@ -362,7 +362,7 @@ def main(): - try: - subca = ca_client.create_ca(data) - except ValueError as e: -- print(e.message) -+ print(e) - - # Get the host CA - print("Getting the host CA") --- -1.8.3.1 - - -From 3e80b04c1de37568d304b2d76f324c026830fd11 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Fri, 31 Mar 2017 09:48:07 -0600 -Subject: [PATCH 08/59] Misc pylint, flake8 and tox fixes - ---- - base/common/python/pki/__init__.py | 5 ++--- - base/common/python/pki/authority.py | 2 ++ - base/common/python/pki/client.py | 1 + - base/common/python/pki/feature.py | 1 + - base/kra/functional/drmclient_deprecated.py | 3 ++- - base/kra/functional/drmtest.py | 2 +- - base/server/python/pki/server/__init__.py | 2 +- - base/server/python/pki/server/cli/kra.py | 2 +- - .../python/pki/server/deployment/pkiparser.py | 2 +- - base/server/python/pki/server/upgrade.py | 4 ++-- - pylint-build-scan.py | 1 + - tox.ini | 26 +++++++++++++--------- - 12 files changed, 31 insertions(+), 20 deletions(-) - -diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py -index 5d2a143..c015126 100644 ---- a/base/common/python/pki/__init__.py -+++ b/base/common/python/pki/__init__.py -@@ -269,9 +269,8 @@ class RequestNotFoundException(ResourceNotFoundException): - class UserNotFoundException(ResourceNotFoundException): - """ User Not Found Exception: return code = 404 """ - --""" --Mapping from Java Server exception classes to python exception classes --""" -+ -+# Mapping from Java Server exception classes to python exception classes - EXCEPTION_MAPPINGS = { - 
"com.netscape.certsrv.base.BadRequestException": BadRequestException, - "com.netscape.certsrv.base.ConflictingOperationException": -diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py -index f6880b5..9fa459c 100644 ---- a/base/common/python/pki/authority.py -+++ b/base/common/python/pki/authority.py -@@ -289,6 +289,7 @@ class AuthorityClient(object): - - self.connection.delete(url, headers) - -+ - encoder.NOTYPES['AuthorityData'] = AuthorityData - - -@@ -499,5 +500,6 @@ def main(): - print("-----------------------------------") - issue_cert_using_authority(cert_client, sub_subca.aid) - -+ - if __name__ == "__main__": - main() -diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py -index 3e819cf..90ca4fe 100644 ---- a/base/common/python/pki/client.py -+++ b/base/common/python/pki/client.py -@@ -224,5 +224,6 @@ def main(): - conn.set_authentication_cert('/root/temp4.pem') - print(conn.get("", headers).json()) - -+ - if __name__ == "__main__": - main() -diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py -index 0e5171d..1a2d402 100644 ---- a/base/common/python/pki/feature.py -+++ b/base/common/python/pki/feature.py -@@ -133,6 +133,7 @@ class FeatureClient(object): - headers=self.headers) - return FeatureCollection.from_json(response.json()) - -+ - encoder.NOTYPES['Feature'] = Feature - - -diff --git a/base/kra/functional/drmclient_deprecated.py b/base/kra/functional/drmclient_deprecated.py -index e333913..fe0f100 100644 ---- a/base/kra/functional/drmclient_deprecated.py -+++ b/base/kra/functional/drmclient_deprecated.py -@@ -1008,7 +1008,8 @@ class KRA: - self.debug('%s.recover_security_data()', self.fullname) - pass - --""" Sample Test execution starts here """ -+ -+# Sample Test execution starts here - parser = argparse.ArgumentParser(description="Sample Test execution") - parser.add_argument( - '-d', -diff --git a/base/kra/functional/drmtest.py 
b/base/kra/functional/drmtest.py -index 6853987..7e236ef 100755 ---- a/base/kra/functional/drmtest.py -+++ b/base/kra/functional/drmtest.py -@@ -302,7 +302,7 @@ def usage(): - print(' -P KRA server protocol (default: https).') - print(' -h KRA server hostname (default: localhost).') - print(' -p KRA server port (default: 8443).') -- print(' -n KRA agent certificate and private key (default: kraagent.pem).') # nopep8 -+ print(' -n KRA agent certificate and private key (default: kraagent.pem).') # noqa: E501 - print() - print(' --help Show this help message.') - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 70734c3..357bad3 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -469,7 +469,7 @@ class ExternalCert(object): - @functools.total_ordering - class PKIInstance(object): - -- def __init__(self, name, instanceType=10): # nopep8 -+ def __init__(self, name, instanceType=10): # noqa: N803 - - self.name = name - self.type = instanceType -diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py -index 5c9111d..5558d6a 100644 ---- a/base/server/python/pki/server/cli/kra.py -+++ b/base/server/python/pki/server/cli/kra.py -@@ -378,7 +378,7 @@ class KRADBVLVAddCLI(pki.cli.CLI): - print('KRA VLVs added to the database for ' + instance_name) - - except ldap.LDAPError as e: -- print("ERROR: " + e.message['desc']) -+ print("ERROR: {}".format(e)) - sys.exit(1) - - def add_vlv(self, subsystem, bind_dn, bind_password): -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 15e48ba..e05e0be 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -308,7 +308,7 @@ class PKIConfigParser: - - return value - -- def read_password(self, message, section=None, key=None, # nopep8 -+ 
def read_password(self, message, section=None, key=None, # noqa: N803 - verifyMessage=None): - message = ' ' * self.indent + message + ': ' - if verifyMessage is not None: # nopep8 -diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py -index 116ef3d..2c72e48 100644 ---- a/base/server/python/pki/server/upgrade.py -+++ b/base/server/python/pki/server/upgrade.py -@@ -155,8 +155,8 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - - class PKIServerUpgrader(pki.upgrade.PKIUpgrader): - -- def __init__(self, instanceName=None, instanceType=None, # nopep8 -- subsystemName=None, upgrade_dir=UPGRADE_DIR, # nopep8 -+ def __init__(self, instanceName=None, instanceType=None, # noqa: N803 -+ subsystemName=None, upgrade_dir=UPGRADE_DIR, # noqa: N803 - version=None, index=None, silent=False): - super(PKIServerUpgrader, self).__init__( - upgrade_dir, version, index, silent) -diff --git a/pylint-build-scan.py b/pylint-build-scan.py -index 3a7b473..a25bab7 100755 ---- a/pylint-build-scan.py -+++ b/pylint-build-scan.py -@@ -131,5 +131,6 @@ def main(): - - return subprocess.call(pylint, cwd=env['sitepackages']) - -+ - if __name__ == '__main__': - sys.exit(main()) -diff --git a/tox.ini b/tox.ini -index f73818d..7b3d1fd 100644 ---- a/tox.ini -+++ b/tox.ini -@@ -19,14 +19,23 @@ - # - - [tox] --envlist = py27,py35,pep8,pep8py3,lint,lint3k,docs -+envlist = py27,py35,py36,,pep8,pep8py3,lint,lint3,docs - skip_missing_interpreters = true - -+[testenv:deps] -+deps = -+ lxml -+ pyldap -+ python-nss -+ requests -+ six -+ - [testenv] - # force installation of sphinx and lint in virtual env, otherwise - # the command pick up the `pki` package from the system's site packages. 
- install_command = pip install {opts} --force-reinstall --upgrade {packages} - deps = -+ {[testenv:deps]deps} - pytest - sitepackages = True - commands = -@@ -40,28 +49,24 @@ commands = - [testenv:lint] - basepython = python2.7 - deps = -+ {[testenv:deps]deps} - pylint - commands = -- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -- --[testenv:lint3k] --basepython = python2.7 --deps = -- pylint --commands = -- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -- --py3k -+ {envpython} {toxinidir}/pylint-build-scan.py tox - - [testenv:lint3] - basepython = python3 - deps = -+ {[testenv:deps]deps} - pylint - commands = -- {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -+ {envpython} {toxinidir}/pylint-build-scan.py tox - - [testenv:pep8] - basepython = python2.7 - sitepackages = False - deps = -+ {[testenv:deps]deps} - flake8 - # flake8-import-order - pep8-naming -@@ -72,6 +77,7 @@ commands = - basepython = python3 - sitepackages = False - deps = -+ {[testenv:deps]deps} - flake8 - # flake8-import-order - pep8-naming --- -1.8.3.1 - - -From 34fe01c204711f0ef02a43a9aba1bf5141465af9 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Fri, 31 Mar 2017 10:57:06 -0600 -Subject: [PATCH 10/59] Fix for pylint when using Python 3.6 - -Added 'pylint: disable=no-member' whenever module 're' -attempts to reference its 'MULTILINE' member. ---- - base/server/python/pki/server/__init__.py | 6 +++++- - base/server/python/pki/server/deployment/pkihelper.py | 6 +++++- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 357bad3..5032274 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -858,7 +858,11 @@ class Tomcat(object): - output = output.decode('utf-8') - - # find "Server version: Apache Tomcat/." 
-- match = re.search(r'^Server version:[^/]*/(\d+).*$', output, re.MULTILINE) -+ match = re.search( -+ r'^Server version:[^/]*/(\d+).*$', -+ output, -+ re.MULTILINE # pylint: disable=no-member -+ ) - - if not match: - raise Exception('Unable to determine Tomcat version') -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 2e276f5..051778d 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -2721,7 +2721,11 @@ class Modutil: - output = output.decode('utf-8') - - # find modules from lines such as '1. NSS Internal PKCS #11 Module' -- modules = re.findall(r'^ +\d+\. +(.*)$', output, re.MULTILINE) -+ modules = re.findall( -+ r'^ +\d+\. +(.*)$', -+ output, -+ re.MULTILINE # pylint: disable=no-member -+ ) - - if modulename not in modules: - config.pki_log.info( --- -1.8.3.1 - - -From 7fc7d3e8844d4992db60a637370b8599bff5a282 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 31 Mar 2017 19:23:43 +0200 -Subject: [PATCH 11/59] Removed redundant Context attributes. - -All subclasses of PKIService have been modified to remove the -Context attribute since they have been declared in the base class. 
- -Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a ---- - .../org/dogtagpki/server/ca/rest/AuthorityService.java | 17 ----------------- - .../dogtagpki/server/ca/rest/CertRequestService.java | 17 ----------------- - .../src/org/dogtagpki/server/ca/rest/CertService.java | 17 ----------------- - .../dogtagpki/server/ca/rest/KRAConnectorService.java | 17 ----------------- - .../org/dogtagpki/server/ca/rest/ProfileService.java | 16 ---------------- - .../dogtagpki/server/kra/rest/KeyRequestService.java | 17 ----------------- - .../src/org/dogtagpki/server/kra/rest/KeyService.java | 17 ----------------- - .../cms/src/org/dogtagpki/server/rest/AuditService.java | 17 ----------------- - .../cms/src/org/dogtagpki/server/rest/GroupService.java | 17 ----------------- - .../dogtagpki/server/rest/SecurityDomainService.java | 17 ----------------- - .../src/org/dogtagpki/server/rest/SelfTestService.java | 17 ----------------- - .../org/dogtagpki/server/rest/SystemConfigService.java | 11 ----------- - .../cms/src/org/dogtagpki/server/rest/UserService.java | 17 ----------------- - .../dogtagpki/server/tks/rest/TPSConnectorService.java | 9 --------- - .../org/dogtagpki/server/tps/config/ConfigService.java | 17 ----------------- - .../org/dogtagpki/server/tps/rest/ActivityService.java | 17 ----------------- - .../dogtagpki/server/tps/rest/AuthenticatorService.java | 17 ----------------- - .../org/dogtagpki/server/tps/rest/ConnectorService.java | 17 ----------------- - .../server/tps/rest/ProfileMappingService.java | 17 ----------------- - .../org/dogtagpki/server/tps/rest/ProfileService.java | 17 ----------------- - .../org/dogtagpki/server/tps/rest/TPSCertService.java | 17 ----------------- - .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 ----------------- - 22 files changed, 359 deletions(-) - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java -index c734fbf..215d0fa 
100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java -@@ -27,13 +27,8 @@ import java.util.LinkedHashMap; - import java.util.List; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; - import javax.ws.rs.core.GenericEntity; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.IAuthToken; -@@ -75,18 +70,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou - hostCA = (ICertificateAuthority) CMS.getSubsystem("ca"); - } - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG = - "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3"; - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java -index a0d36b9..a0f3d46 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java -@@ -24,13 +24,8 @@ import java.util.ArrayList; - import java.util.Enumeration; - import java.util.List; - --import javax.servlet.http.HttpServletRequest; - import javax.ws.rs.PathParam; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.jboss.resteasy.plugins.providers.atom.Link; - -@@ -81,18 +76,6 @@ import netscape.security.x509.X500Name; - */ - public class CertRequestService extends PKIService implements CertRequestResource { - -- 
@Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public static final int DEFAULT_START = 0; - public static final int DEFAULT_PAGESIZE = 20; - public static final int DEFAULT_MAXRESULTS = 100; -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java -index ebbab25..d5fe02f 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java -@@ -34,12 +34,7 @@ import java.util.List; - import java.util.Map; - import java.util.Random; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.catalina.realm.GenericPrincipal; - import org.jboss.resteasy.plugins.providers.atom.Link; -@@ -94,18 +89,6 @@ import netscape.security.x509.X509Key; - */ - public class CertService extends PKIService implements CertResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - ICertificateAuthority authority; - ICertificateRepository repo; - Random random; -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java -index 4ef1b7e..24c33fa 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java -@@ -17,12 +17,7 @@ - // --- END COPYRIGHT BLOCK --- - package org.dogtagpki.server.ca.rest; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import 
javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.BadRequestException; -@@ -38,18 +33,6 @@ import com.netscape.cms.servlet.base.PKIService; - */ - public class KRAConnectorService extends PKIService implements KRAConnectorResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - @Override - public Response addConnector(KRAConnectorInfo info) { - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -index ba648a4..694fb92 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -@@ -32,11 +32,7 @@ import java.util.Map; - import java.util.Properties; - import java.util.Vector; - --import javax.servlet.http.HttpServletRequest; - import javax.ws.rs.PathParam; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; - import javax.ws.rs.core.UriBuilder; - import javax.ws.rs.core.UriInfo; -@@ -90,18 +86,6 @@ import com.netscape.cmscore.base.SimpleProperties; - */ - public class ProfileService extends SubsystemService implements ProfileResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID); - private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); - -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java 
b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index 4138b38..e0c4ca9 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -25,13 +25,8 @@ import java.security.Principal; - import java.util.HashMap; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; - import javax.ws.rs.core.MultivaluedMap; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.mozilla.jss.crypto.SymmetricKey; - -@@ -67,18 +62,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil; - */ - public class KeyRequestService extends SubsystemService implements KeyRequestResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; - -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -index e8cb6e9..e15b263 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -@@ -29,15 +29,10 @@ import java.util.Hashtable; - import java.util.Iterator; - import java.util.List; - --import javax.servlet.http.HttpServletRequest; - import javax.ws.rs.Path; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; - import javax.ws.rs.core.MultivaluedMap; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; - import javax.ws.rs.core.UriBuilder; --import javax.ws.rs.core.UriInfo; - - import org.jboss.resteasy.plugins.providers.atom.Link; - -@@ -82,18 +77,6 @@ import 
com.netscape.cmsutil.util.Utils; - */ - public class KeyService extends SubsystemService implements KeyResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; - private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE = -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -index 76a5396..9af95d9 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -@@ -26,12 +26,7 @@ import java.util.Map; - import java.util.TreeMap; - import java.util.TreeSet; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.jboss.resteasy.plugins.providers.atom.Link; -@@ -51,18 +46,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class AuditService extends SubsystemService implements AuditResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public AuditService() { - CMS.debug("AuditService.()"); - } -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -index 9d127c8..4ee2810 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -+++ 
b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -@@ -23,12 +23,7 @@ import java.net.URLEncoder; - import java.util.Enumeration; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.jboss.resteasy.plugins.providers.atom.Link; -@@ -58,18 +53,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class GroupService extends SubsystemService implements GroupResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - - public GroupData createGroupData(IGroup group) throws Exception { -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java -index 3d708eb..3dccea1 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java -@@ -17,12 +17,7 @@ - // --- END COPYRIGHT BLOCK --- - package org.dogtagpki.server.rest; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.PKIException; -@@ -37,18 +32,6 @@ import com.netscape.cms.servlet.csadmin.SecurityDomainProcessor; - */ - public class SecurityDomainService extends PKIService implements SecurityDomainResource { - -- @Context -- private 
UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - @Override - public Response getInstallToken(String hostname, String subsystem) { - CMS.debug("SecurityDomainService.getInstallToken(" + hostname + ", " + subsystem + ")"); -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java -index 9108a45..7cfe85f 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java -@@ -27,12 +27,7 @@ import java.util.ArrayList; - import java.util.Collection; - import java.util.Iterator; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.jboss.resteasy.plugins.providers.atom.Link; - -@@ -53,18 +48,6 @@ import com.netscape.cms.servlet.base.PKIService; - */ - public class SelfTestService extends PKIService implements SelfTestResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public SelfTestService() { - CMS.debug("SelfTestService.()"); - } -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -index 18263f7..27a6817 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -@@ -73,17 +67,6 @@ import netscape.security.x509.X509CertImpl; - * - */ - public class SystemConfigService extends PKIService implements SystemConfigResource { -- 
@Context -- public UriInfo uriInfo; -- -- @Context -- public HttpHeaders headers; -- -- @Context -- public Request request; -- -- @Context -- public HttpServletRequest servletRequest; - - public IConfigStore cs; - public String csType; -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -index 529c472..eeadba5 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -@@ -32,12 +32,7 @@ import java.util.Iterator; - import java.util.List; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.jboss.resteasy.plugins.providers.atom.Link; -@@ -84,18 +79,6 @@ import netscape.security.x509.X509CertImpl; - */ - public class UserService extends SubsystemService implements UserResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public final static String BACK_SLASH = "\\"; - public final static String SYSTEM_USER = "$System$"; - -diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java -index 9119d77..77aba1a 100644 ---- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java -+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java -@@ -12,10 +12,7 @@ import java.util.Iterator; - import java.util.List; - import java.util.TreeSet; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; - import javax.ws.rs.core.Response; --import 
javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.ArrayUtils; - import org.apache.commons.lang.StringUtils; -@@ -52,12 +49,6 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou - - IConfigStore cs = CMS.getConfigStore(); - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpServletRequest servletRequest; -- - public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - - @Override -diff --git a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java -index 8309a2f..e9590e6 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java -@@ -23,12 +23,7 @@ import java.net.URI; - import java.util.HashMap; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.jboss.resteasy.plugins.providers.atom.Link; - -@@ -45,18 +40,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class ConfigService extends SubsystemService implements ConfigResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public ConfigService() { - CMS.debug("ConfigService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java -index 90029ea..37a3083 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java -@@ -23,12 +23,7 @@ import java.net.URI; - import java.net.URLEncoder; - import 
java.util.Iterator; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.dogtagpki.server.tps.TPSSubsystem; - import org.dogtagpki.server.tps.dbs.ActivityDatabase; -@@ -49,18 +44,6 @@ import com.netscape.cms.servlet.base.PKIService; - */ - public class ActivityService extends PKIService implements ActivityResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public ActivityService() { - CMS.debug("ActivityService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -index 424cd14..50453ee 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -@@ -26,12 +26,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.dogtagpki.server.tps.TPSSubsystem; -@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class AuthenticatorService extends SubsystemService implements AuthenticatorResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public AuthenticatorService() { - CMS.debug("AuthenticatorService.()"); - } -diff --git 
a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -index c789f14..01bc132 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -@@ -26,12 +26,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.dogtagpki.server.tps.TPSSubsystem; -@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class ConnectorService extends SubsystemService implements ConnectorResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public ConnectorService() { - CMS.debug("ConnectorService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -index eca1803..2c070c0 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -@@ -26,12 +26,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.dogtagpki.server.tps.TPSSubsystem; -@@ -55,18 +50,6 @@ import 
com.netscape.cms.servlet.base.SubsystemService; - */ - public class ProfileMappingService extends SubsystemService implements ProfileMappingResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public ProfileMappingService() { - CMS.debug("ProfileMappingService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -index b769134..8058caf 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -@@ -26,12 +26,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.dogtagpki.server.tps.TPSSubsystem; -@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService; - */ - public class ProfileService extends SubsystemService implements ProfileResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public ProfileService() { - CMS.debug("ProfileService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java -index 074d3d0..9b62752 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java -@@ -25,12 +25,7 @@ import java.util.HashMap; - import java.util.Iterator; - import 
java.util.Map; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.dogtagpki.server.tps.TPSSubsystem; - import org.dogtagpki.server.tps.dbs.TPSCertDatabase; -@@ -50,18 +45,6 @@ import com.netscape.cms.servlet.base.PKIService; - */ - public class TPSCertService extends PKIService implements TPSCertResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public TPSCertService() { - CMS.debug("TPSCertService.()"); - } -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -index a624e2a..f3d0d80 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -@@ -29,12 +29,7 @@ import java.util.Map; - import java.util.MissingResourceException; - import java.util.ResourceBundle; - --import javax.servlet.http.HttpServletRequest; --import javax.ws.rs.core.Context; --import javax.ws.rs.core.HttpHeaders; --import javax.ws.rs.core.Request; - import javax.ws.rs.core.Response; --import javax.ws.rs.core.UriInfo; - - import org.apache.commons.lang.StringUtils; - import org.dogtagpki.server.tps.TPSSubsystem; -@@ -64,18 +59,6 @@ import netscape.ldap.LDAPException; - */ - public class TokenService extends SubsystemService implements TokenResource { - -- @Context -- private UriInfo uriInfo; -- -- @Context -- private HttpHeaders headers; -- -- @Context -- private Request request; -- -- @Context -- private HttpServletRequest servletRequest; -- - public TokenService() throws Exception { - CMS.debug("TokenService.()"); - } --- -1.8.3.1 - - -From 6749f6bffe92743373d4b86bbd05e5a957e74d96 
Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 31 Mar 2017 18:42:56 +0200 -Subject: [PATCH 12/59] Refactored AuditCLI. - -The AuditCLI has been modified to create the AuditClient with lazy -initialization. - -Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9 ---- - base/common/src/com/netscape/certsrv/tps/TPSClient.java | 2 -- - .../java-tools/src/com/netscape/cmstools/logging/AuditCLI.java | 10 +++++++--- - 2 files changed, 7 insertions(+), 5 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java -index da00225..19273f7 100644 ---- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java -+++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java -@@ -23,7 +23,6 @@ import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.client.SubsystemClient; - import com.netscape.certsrv.group.GroupClient; - import com.netscape.certsrv.logging.ActivityClient; --import com.netscape.certsrv.logging.AuditClient; - import com.netscape.certsrv.selftests.SelfTestClient; - import com.netscape.certsrv.tps.authenticator.AuthenticatorClient; - import com.netscape.certsrv.tps.cert.TPSCertClient; -@@ -46,7 +45,6 @@ public class TPSClient extends SubsystemClient { - - public void init() throws URISyntaxException { - addClient(new ActivityClient(client, name)); -- addClient(new AuditClient(client, name)); - addClient(new AuthenticatorClient(client, name)); - addClient(new TPSCertClient(client, name)); - addClient(new ConfigClient(client, name)); -diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -index 1e2273e..ff489dc 100644 ---- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -@@ -27,16 +27,20 @@ import com.netscape.certsrv.client.PKIClient; - import 
com.netscape.certsrv.logging.AuditClient; - import com.netscape.certsrv.logging.AuditConfig; - import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.SubsystemCLI; - - /** - * @author Endi S. Dewata - */ - public class AuditCLI extends CLI { - -+ public SubsystemCLI subsystemCLI; - public AuditClient auditClient; - -- public AuditCLI(CLI parent) { -- super("audit", "Audit management commands", parent); -+ public AuditCLI(SubsystemCLI subsystemCLI) { -+ super("audit", "Audit management commands", subsystemCLI); -+ -+ this.subsystemCLI = subsystemCLI; - - addModule(new AuditModifyCLI(this)); - addModule(new AuditShowCLI(this)); -@@ -52,7 +56,7 @@ public class AuditCLI extends CLI { - if (auditClient != null) return auditClient; - - PKIClient client = getClient(); -- auditClient = (AuditClient)parent.getClient("audit"); -+ auditClient = new AuditClient(client, subsystemCLI.getName()); - - return auditClient; - } --- -1.8.3.1 - - -From 136d22953d05c459986a98465e4266bac37b44dc Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 29 Mar 2017 10:46:22 -0400 -Subject: [PATCH 14/59] Fix generation of CRMF request for ECC keys - -Old CRMFPopClients add the OID for ECC public keys in the encryption -algorithm OID for no obvious reason (considering the OID was never -read on the server side to begin with). - -Now that we do read and use that field, we need to set it properly, -and also special case on the server side to handle old clients. 
- -Change-Id: I0d753e572206e9062746c879ce683978e5e657bd ---- - .../src/com/netscape/cmstools/CRMFPopClient.java | 16 +--------------- - base/util/src/netscape/security/util/WrappingParams.java | 11 ++++++++++- - 2 files changed, 11 insertions(+), 16 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 901528c..9d81a72 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -562,7 +562,7 @@ public class CRMFPopClient { - } - - byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); -- AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv); -+ AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); - WrappingParams params = getWrappingParams(encryptAlg, iv); - - PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( -@@ -600,20 +600,6 @@ public class CRMFPopClient { - } - } - -- private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv) -- throws Exception { -- AlgorithmIdentifier aid; -- if (algorithm.equals("rsa")) { -- aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); -- } else if (algorithm.equals("ec")) { -- // TODO(alee) figure out what this should be for ECC -- aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); -- } else { -- throw new Exception("Unknown algorithm: " + algorithm); -- } -- return aid; -- } -- - public OCTET_STRING createIDPOPLinkWitness() throws Exception { - - String secretValue = "testing"; -diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java -index b2814a3..8fe5df6 100644 ---- a/base/util/src/netscape/security/util/WrappingParams.java -+++ b/base/util/src/netscape/security/util/WrappingParams.java 
-@@ -58,7 +58,16 @@ public class WrappingParams { - - public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV) - throws NumberFormatException, NoSuchAlgorithmException { -- EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); -+ EncryptionAlgorithm encrypt = null; -+ OBJECT_IDENTIFIER eccOID = new OBJECT_IDENTIFIER("1.2.840.10045.2.1"); -+ if (encryptOID.equals(eccOID.toString())) { -+ // old CRMFPopClients send this OID for ECC Keys for no apparent reason. -+ // New clients set this correctly. -+ // We'll assume the old DES3 wrapping here. -+ encrypt = EncryptionAlgorithm.DES_CBC_PAD; -+ } else { -+ encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); -+ } - - KeyWrapAlgorithm wrap = null; - if (wrapName != null) { --- -1.8.3.1 - - -From 2d77ca150ee17238f4b137e3987a69e888141d51 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 29 Mar 2017 12:27:46 -0400 -Subject: [PATCH 15/59] Change default key size for KRA storage unit to 128 - -Most of the research out there seems to indicate that AES-128 is -more than sufficient for security. Use this as default. 
- -Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e ---- - base/kra/shared/conf/CS.cfg | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 045a823..bd49a8d 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -279,7 +279,7 @@ kra.storageUnit.wrapping.0.payloadEncryptionIV=AQEBAQEBAQE= - kra.storageUnit.wrapping.0.payloadWrapAlgorithm=DES3/CBC/Pad - kra.storageUnit.wrapping.0.payloadWrapIV=AQEBAQEBAQE= - kra.storageUnit.wrapping.0.sessionKeyType=DESede --kra.storageUnit.wrapping.1.sessionKeyLength=256 -+kra.storageUnit.wrapping.1.sessionKeyLength=128 - kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm=RSA - kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding - kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES --- -1.8.3.1 - - -From 5dfd6e1c3cc38b5fbfdc4e96476934219f53e13f Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 3 Apr 2017 12:43:05 -0400 -Subject: [PATCH 16/59] Added python info client - -Add python client code to read from the InfoResource class and get -the server version. As the PKIConnection in the python client -currently requires a subsystem, it is difficult to add an infoclient -to an existing KRAClient (or any other client). - -To get around this, I modified the PKIConnection to allow using the -rootURI. 
- -Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97 ---- - base/common/python/pki/client.py | 51 ++++++++++++++++----- - base/common/python/pki/info.py | 98 ++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 138 insertions(+), 11 deletions(-) - create mode 100644 base/common/python/pki/info.py - -diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py -index 90ca4fe..805d0fa 100644 ---- a/base/common/python/pki/client.py -+++ b/base/common/python/pki/client.py -@@ -78,9 +78,8 @@ class PKIConnection: - self.port = port - self.subsystem = subsystem - -- self.serverURI = self.protocol + '://' + \ -- self.hostname + ':' + self.port + '/' + \ -- self.subsystem -+ self.rootURI = self.protocol + '://' + self.hostname + ':' + self.port -+ self.serverURI = self.rootURI + '/' + self.subsystem - - self.session = requests.Session() - self.session.trust_env = trust_env -@@ -125,7 +124,8 @@ class PKIConnection: - self.session.cert = pem_cert_path - - @catch_insecure_warning -- def get(self, path, headers=None, params=None, payload=None): -+ def get(self, path, headers=None, params=None, payload=None, -+ use_root_uri=False): - """ - Uses python-requests to issue a GET request to the server. - -@@ -137,12 +137,19 @@ class PKIConnection: - :type params: dict or bytes - :param payload: data to be sent in the body of the request - :type payload: dict, bytes, file-like object -+ :param use_root_uri: use root URI instead of subsystem URI as base -+ :type use_root_uri: boolean - :returns: request.response -- response from the server - :raises: Exception from python-requests in case the GET was not - successful, or returns an error code. 
- """ -+ if use_root_uri: -+ target_path = self.rootURI + path -+ else: -+ target_path = self.serverURI + path -+ - r = self.session.get( -- self.serverURI + path, -+ target_path, - verify=False, - headers=headers, - params=params, -@@ -151,7 +158,8 @@ class PKIConnection: - return r - - @catch_insecure_warning -- def post(self, path, payload, headers=None, params=None): -+ def post(self, path, payload, headers=None, params=None, -+ use_root_uri=False): - """ - Uses python-requests to issue a POST request to the server. - -@@ -163,12 +171,19 @@ class PKIConnection: - :type headers: dict - :param params: Query parameters for the POST request - :type params: dict or bytes -+ :param use_root_uri: use root URI instead of subsystem URI as base -+ :type use_root_uri: boolean - :returns: request.response -- response from the server - :raises: Exception from python-requests in case the POST was not - successful, or returns an error code. - """ -+ if use_root_uri: -+ target_path = self.rootURI + path -+ else: -+ target_path = self.serverURI + path -+ - r = self.session.post( -- self.serverURI + path, -+ target_path, - verify=False, - data=payload, - headers=headers, -@@ -177,7 +192,7 @@ class PKIConnection: - return r - - @catch_insecure_warning -- def put(self, path, payload, headers=None): -+ def put(self, path, payload, headers=None, use_root_uri=False): - """ - Uses python-requests to issue a PUT request to the server. - -@@ -187,16 +202,23 @@ class PKIConnection: - :type payload: dict, bytes, file-like object - :param headers: headers for the PUT request - :type headers: dict -+ :param use_root_uri: use root URI instead of subsystem URI as base -+ :type use_root_uri: boolean - :returns: request.response -- response from the server - :raises: Exception from python-requests in case the PUT was not - successful, or returns an error code. 
- """ -- r = self.session.put(self.serverURI + path, payload, headers=headers) -+ if use_root_uri: -+ target_path = self.rootURI + path -+ else: -+ target_path = self.serverURI + path -+ -+ r = self.session.put(target_path, payload, headers=headers) - r.raise_for_status() - return r - - @catch_insecure_warning -- def delete(self, path, headers=None): -+ def delete(self, path, headers=None, use_root_uri=False): - """ - Uses python-requests to issue a DEL request to the server. - -@@ -204,11 +226,18 @@ class PKIConnection: - :type path: str - :param headers: headers for the DEL request - :type headers: dict -+ :param use_root_uri: use root URI instead of subsystem URI as base -+ :type use_root_uri: boolean - :returns: request.response -- response from the server - :raises: Exception from python-requests in case the DEL was not - successful, or returns an error code. - """ -- r = self.session.delete(self.serverURI + path, headers=headers) -+ if use_root_uri: -+ target_path = self.rootURI + path -+ else: -+ target_path = self.serverURI + path -+ -+ r = self.session.delete(target_path, headers=headers) - r.raise_for_status() - return r - -diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py -new file mode 100644 -index 0000000..65d4825 ---- /dev/null -+++ b/base/common/python/pki/info.py -@@ -0,0 +1,98 @@ -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the Lesser GNU General Public License as published by -+# the Free Software Foundation; either version 3 of the License or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU Lesser General Public License for more details. 
-+# -+# You should have received a copy of the GNU Lesser General Public License -+# along with this program; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2013 Red Hat, Inc. -+# All rights reserved. -+# -+# Author: -+# Ade Lee -+# -+""" -+Module containing the Python client classes for the InfoClient -+""" -+from six import iteritems -+ -+import pki -+ -+ -+class Info(object): -+ """ -+ This class encapsulates the parameters returned by the server's -+ InfoService. -+ """ -+ -+ json_attribute_names = { -+ 'Version': 'version', -+ 'Banner': 'banner' -+ } -+ -+ def __init__(self, version=None, banner=None): -+ """ Constructor """ -+ self.version = version -+ self.banner = banner -+ -+ @classmethod -+ def from_json(cls, attr_list): -+ """ Return Info from JSON dict """ -+ info = cls() -+ for k, v in iteritems(attr_list): -+ if k in Info.json_attribute_names: -+ setattr(info, Info.json_attribute_names[k], v) -+ else: -+ setattr(info, k, v) -+ return info -+ -+ -+class Version(object): -+ """ -+ This class encapsulates a version object as returned from -+ a Dogtag server and decomposes it into major, minor, etc. -+ """ -+ -+ def __init__(self, version_string): -+ for idx, val in enumerate(version_string.split('.')): -+ if idx == 0: -+ self.major = val -+ if idx == 1: -+ self.minor = val -+ if idx == 2: -+ self.patch = val -+ -+ -+class InfoClient(object): -+ """ -+ Class encapsulating and mirroring the functionality in the -+ InfoResource Java interface class defining the REST API for -+ server Info resources. 
-+ """ -+ -+ def __init__(self, connection): -+ """ Constructor """ -+ self.connection = connection -+ -+ @pki.handle_exceptions() -+ def get_info(self): -+ """ Return an Info object form a PKI server """ -+ -+ url = '/pki/rest/info' -+ headers = {'Content-type': 'application/json', -+ 'Accept': 'application/json'} -+ r = self.connection.get(url, headers, use_root_uri=True) -+ return Info.from_json(r.json()) -+ -+ @pki.handle_exceptions() -+ def get_version(self): -+ """ return Version object from server """ -+ version_string = self.get_info().version -+ return Version(version_string) --- -1.8.3.1 - - -From a76ac1ca0472afb6931b9e3be156f1c057fcb161 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 3 Apr 2017 12:53:26 -0400 -Subject: [PATCH 17/59] Add util code to source environment files - -This is needed to set the same environment as the pki CLI -and pick up any client specific changes. - -Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc ---- - base/common/python/pki/util.py | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) - -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 68118f4..02ecde8 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -32,6 +32,11 @@ try: - except ImportError: - WindowsError = None - -+import subprocess -+ -+DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf', -+ '/etc/pki/pki.conf'] -+ - - def copy(source, dest): - """ -@@ -245,3 +250,26 @@ def copytree(src, dst, symlinks=False, ignore=None): - errors.extend((src, dst, str(why))) - if errors: - raise Error(errors) -+ -+ -+def read_environment_files(env_file_list=None): -+ if env_file_list is None: -+ env_file_list = DEFAULT_PKI_ENV_LIST -+ -+ file_command = '' -+ for env_file in env_file_list: -+ file_command += "source " + env_file + " && " -+ file_command += "env" -+ -+ command = [ -+ 'bash', -+ '-c', -+ file_command -+ ] -+ -+ env_vals = subprocess.check_output(command).split('\n') -+ -+ 
for env_val in env_vals: -+ (key, _, value) = env_val.partition("=") -+ os.environ[key] = value -+ --- -1.8.3.1 - - -From 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 28 Mar 2017 00:15:28 +0200 -Subject: [PATCH 19/59] Added audit service and CLI to all subsystems. - -Previously the audit service and CLI were only available on TPS. -Now they have been added to all subsystems. - -Change-Id: I3b472254641eb887289c5122df390c46ccd97d47 ---- - base/ca/shared/conf/acl.properties | 5 +++++ - base/ca/shared/conf/auth-method.properties | 1 + - base/ca/shared/webapps/ca/WEB-INF/web.xml | 13 +++++++++++++ - base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java | 4 ++++ - base/java-tools/src/com/netscape/cmstools/cli/CACLI.java | 2 ++ - base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java | 2 ++ - base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java | 2 ++ - base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java | 2 ++ - base/kra/shared/conf/acl.properties | 5 +++++ - base/kra/shared/conf/auth-method.properties | 1 + - base/kra/shared/webapps/kra/WEB-INF/web.xml | 13 +++++++++++++ - .../src/org/dogtagpki/server/kra/rest/KRAApplication.java | 4 ++++ - base/ocsp/shared/conf/acl.properties | 5 +++++ - base/ocsp/shared/conf/auth-method.properties | 1 + - base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 13 +++++++++++++ - .../src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java | 4 ++++ - base/tks/shared/conf/acl.properties | 5 +++++ - base/tks/shared/conf/auth-method.properties | 1 + - base/tks/shared/webapps/tks/WEB-INF/web.xml | 13 +++++++++++++ - .../src/org/dogtagpki/server/tks/rest/TKSApplication.java | 4 ++++ - base/tps/shared/conf/acl.properties | 7 +++++-- - 21 files changed, 105 insertions(+), 2 deletions(-) - -diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties -index 8b3e9d0..c487e48 100644 ---- a/base/ca/shared/conf/acl.properties -+++ 
b/base/ca/shared/conf/acl.properties -@@ -7,6 +7,11 @@ - - account.login = certServer.ca.account,login - account.logout = certServer.ca.account,logout -+ -+# audit configuration -+audit.read = certServer.log.configuration,read -+audit.modify = certServer.log.configuration,modify -+ - certs = certServer.ca.certs,execute - certrequests = certServer.ca.certrequests,execute - groups = certServer.ca.groups,execute -diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties -index 8d67690..f7b203d 100644 ---- a/base/ca/shared/conf/auth-method.properties -+++ b/base/ca/shared/conf/auth-method.properties -@@ -8,6 +8,7 @@ - - default = * - account = certUserDBAuthMgr,passwdUserDBAuthMgr -+audit = certUserDBAuthMgr - authorities = certUserDBAuthMgr - certs = certUserDBAuthMgr - certrequests = certUserDBAuthMgr -diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml -index d887db4..bf8aed4 100644 ---- a/base/ca/shared/webapps/ca/WEB-INF/web.xml -+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml -@@ -2417,6 +2417,19 @@ - - - -+ Audit -+ /rest/audit/* -+ -+ -+ * -+ -+ -+ CONFIDENTIAL -+ -+ -+ -+ -+ - Authority Services - /rest/authorities/* - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java -index b0fc73c..ae18e02 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java -@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; - - import org.dogtagpki.server.rest.ACLInterceptor; - import org.dogtagpki.server.rest.AccountService; -+import org.dogtagpki.server.rest.AuditService; - import org.dogtagpki.server.rest.AuthMethodInterceptor; - import org.dogtagpki.server.rest.FeatureService; - import org.dogtagpki.server.rest.GroupService; -@@ -32,6 +33,9 @@ public class CAApplication extends Application { - // account - 
classes.add(AccountService.class); - -+ // audit -+ classes.add(AuditService.class); -+ - // installer - classes.add(CAInstallerService.class); - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java -index 2ec20dc..8e72405 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java -@@ -25,6 +25,7 @@ import com.netscape.cmstools.authority.AuthorityCLI; - import com.netscape.cmstools.cert.CertCLI; - import com.netscape.cmstools.feature.FeatureCLI; - import com.netscape.cmstools.group.GroupCLI; -+import com.netscape.cmstools.logging.AuditCLI; - import com.netscape.cmstools.profile.ProfileCLI; - import com.netscape.cmstools.selftests.SelfTestCLI; - import com.netscape.cmstools.system.KRAConnectorCLI; -@@ -41,6 +42,7 @@ public class CACLI extends SubsystemCLI { - super("ca", "CA management commands", parent); - - addModule(new AuthorityCLI(this)); -+ addModule(new AuditCLI(this)); - addModule(new CertCLI(this)); - addModule(new FeatureCLI(this)); - addModule(new GroupCLI(this)); -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java -index 2db85aa..190be11 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java -@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.SubsystemClient; - import com.netscape.certsrv.kra.KRAClient; - import com.netscape.cmstools.group.GroupCLI; - import com.netscape.cmstools.key.KeyCLI; -+import com.netscape.cmstools.logging.AuditCLI; - import com.netscape.cmstools.selftests.SelfTestCLI; - import com.netscape.cmstools.user.UserCLI; - -@@ -36,6 +37,7 @@ public class KRACLI extends SubsystemCLI { - public KRACLI(CLI parent) { - super("kra", "KRA management commands", parent); - -+ addModule(new AuditCLI(this)); - addModule(new 
GroupCLI(this)); - addModule(new KeyCLI(this)); - addModule(new SelfTestCLI(this)); -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java -index 6348359..15ec5e3 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java -@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.client.SubsystemClient; - import com.netscape.certsrv.ocsp.OCSPClient; - import com.netscape.cmstools.group.GroupCLI; -+import com.netscape.cmstools.logging.AuditCLI; - import com.netscape.cmstools.selftests.SelfTestCLI; - import com.netscape.cmstools.user.UserCLI; - -@@ -35,6 +36,7 @@ public class OCSPCLI extends SubsystemCLI { - public OCSPCLI(CLI parent) { - super("ocsp", "OCSP management commands", parent); - -+ addModule(new AuditCLI(this)); - addModule(new GroupCLI(this)); - addModule(new SelfTestCLI(this)); - addModule(new UserCLI(this)); -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java -index 1afdf64..1e2db2c 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java -@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.client.SubsystemClient; - import com.netscape.certsrv.tks.TKSClient; - import com.netscape.cmstools.group.GroupCLI; -+import com.netscape.cmstools.logging.AuditCLI; - import com.netscape.cmstools.selftests.SelfTestCLI; - import com.netscape.cmstools.system.TPSConnectorCLI; - import com.netscape.cmstools.user.UserCLI; -@@ -36,6 +37,7 @@ public class TKSCLI extends SubsystemCLI { - public TKSCLI(CLI parent) { - super("tks", "TKS management commands", parent); - -+ addModule(new AuditCLI(this)); - addModule(new GroupCLI(this)); - addModule(new SelfTestCLI(this)); - addModule(new 
TPSConnectorCLI(this)); -diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties -index 3fde904..8cac3ee 100644 ---- a/base/kra/shared/conf/acl.properties -+++ b/base/kra/shared/conf/acl.properties -@@ -7,6 +7,11 @@ - - account.login = certServer.kra.account,login - account.logout = certServer.kra.account,logout -+ -+# audit configuration -+audit.read = certServer.log.configuration,read -+audit.modify = certServer.log.configuration,modify -+ - groups = certServer.kra.groups,execute - keys = certServer.kra.keys,execute - keyrequests = certServer.kra.keyrequests,execute -diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties -index 108448c..2944e49 100644 ---- a/base/kra/shared/conf/auth-method.properties -+++ b/base/kra/shared/conf/auth-method.properties -@@ -8,6 +8,7 @@ - - default = * - account = certUserDBAuthMgr,passwdUserDBAuthMgr -+audit = certUserDBAuthMgr - groups = certUserDBAuthMgr - keys = certUserDBAuthMgr - keyrequests = certUserDBAuthMgr -diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml -index ce0a51e..5b7031a 100644 ---- a/base/kra/shared/webapps/kra/WEB-INF/web.xml -+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml -@@ -1104,6 +1104,19 @@ - - - -+ -+ -+ Audit -+ /rest/audit/* -+ -+ -+ * -+ -+ -+ CONFIDENTIAL -+ -+ -+ - [PKI_OPEN_STANDALONE_COMMENT] - - -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -index 773d8dd..6244270 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; - - import org.dogtagpki.server.rest.ACLInterceptor; - import org.dogtagpki.server.rest.AccountService; -+import org.dogtagpki.server.rest.AuditService; - import org.dogtagpki.server.rest.AuthMethodInterceptor; 
- import org.dogtagpki.server.rest.GroupService; - import org.dogtagpki.server.rest.MessageFormatInterceptor; -@@ -31,6 +32,9 @@ public class KRAApplication extends Application { - // account - classes.add(AccountService.class); - -+ // audit -+ classes.add(AuditService.class); -+ - // installer - classes.add(KRAInstallerService.class); - -diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties -index 9528f11..26b212d 100644 ---- a/base/ocsp/shared/conf/acl.properties -+++ b/base/ocsp/shared/conf/acl.properties -@@ -7,6 +7,11 @@ - - account.login = certServer.ocsp.account,login - account.logout = certServer.ocsp.account,logout -+ -+# audit configuration -+audit.read = certServer.log.configuration,read -+audit.modify = certServer.log.configuration,modify -+ - groups = certServer.ocsp.groups,execute - selftests.read = certServer.ocsp.selftests,read - selftests.execute = certServer.ocsp.selftests,execute -diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties -index 9f5a7a1..98aee66 100644 ---- a/base/ocsp/shared/conf/auth-method.properties -+++ b/base/ocsp/shared/conf/auth-method.properties -@@ -8,6 +8,7 @@ - - default = * - account = certUserDBAuthMgr,passwdUserDBAuthMgr -+audit = certUserDBAuthMgr - groups = certUserDBAuthMgr - selftests = certUserDBAuthMgr - users = certUserDBAuthMgr -diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -index b8eccf1..e610800 100644 ---- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml -@@ -726,6 +726,19 @@ - - - -+ -+ -+ Audit -+ /rest/audit/* -+ -+ -+ * -+ -+ -+ CONFIDENTIAL -+ -+ -+ - [PKI_OPEN_STANDALONE_COMMENT] - - -diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java -index 99fefae..8d6e4a9 100644 ---- 
a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java -+++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java -@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; - - import org.dogtagpki.server.rest.ACLInterceptor; - import org.dogtagpki.server.rest.AccountService; -+import org.dogtagpki.server.rest.AuditService; - import org.dogtagpki.server.rest.AuthMethodInterceptor; - import org.dogtagpki.server.rest.GroupService; - import org.dogtagpki.server.rest.MessageFormatInterceptor; -@@ -31,6 +32,9 @@ public class OCSPApplication extends Application { - // account - classes.add(AccountService.class); - -+ // audit -+ classes.add(AuditService.class); -+ - // installer - classes.add(OCSPInstallerService.class); - -diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties -index d2c2372..7146d38 100644 ---- a/base/tks/shared/conf/acl.properties -+++ b/base/tks/shared/conf/acl.properties -@@ -7,6 +7,11 @@ - - account.login = certServer.tks.account,login - account.logout = certServer.tks.account,logout -+ -+# audit configuration -+audit.read = certServer.log.configuration,read -+audit.modify = certServer.log.configuration,modify -+ - groups = certServer.tks.groups,execute - selftests.read = certServer.tks.selftests,read - selftests.execute = certServer.tks.selftests,execute -diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties -index fe91b90..cc80825 100644 ---- a/base/tks/shared/conf/auth-method.properties -+++ b/base/tks/shared/conf/auth-method.properties -@@ -8,6 +8,7 @@ - - default = * - account = certUserDBAuthMgr,passwdUserDBAuthMgr -+audit = certUserDBAuthMgr - groups = certUserDBAuthMgr - selftests = certUserDBAuthMgr - tpsconnectors = certUserDBAuthMgr -diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml -index 2d4c029..18c85a3 100644 ---- a/base/tks/shared/webapps/tks/WEB-INF/web.xml -+++ 
b/base/tks/shared/webapps/tks/WEB-INF/web.xml -@@ -406,6 +406,19 @@ - - - -+ Audit -+ /rest/audit/* -+ -+ -+ * -+ -+ -+ CONFIDENTIAL -+ -+ -+ -+ -+ - Self Tests - /rest/selftests/* - -diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java -index 278076d..ca19e38 100644 ---- a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java -+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java -@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; - - import org.dogtagpki.server.rest.ACLInterceptor; - import org.dogtagpki.server.rest.AccountService; -+import org.dogtagpki.server.rest.AuditService; - import org.dogtagpki.server.rest.AuthMethodInterceptor; - import org.dogtagpki.server.rest.GroupService; - import org.dogtagpki.server.rest.MessageFormatInterceptor; -@@ -26,6 +27,9 @@ public class TKSApplication extends Application { - // account - classes.add(AccountService.class); - -+ // audit -+ classes.add(AuditService.class); -+ - // installer - classes.add(TKSInstallerService.class); - -diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties -index 2d2dc71..1c581b3 100644 ---- a/base/tps/shared/conf/acl.properties -+++ b/base/tps/shared/conf/acl.properties -@@ -8,8 +8,11 @@ - - account.login = certServer.tps.account,login - account.logout = certServer.tps.account,logout --audit.read = certServer.tps.audit,read --audit.modify = certServer.tps.audit,modify -+ -+# audit configuration -+audit.read = certServer.log.configuration,read -+audit.modify = certServer.log.configuration,modify -+ - authenticators.read = certServer.tps.authenticators,read - authenticators.add = certServer.tps.authenticators,add - authenticators.modify = certServer.tps.authenticators,modify --- -1.8.3.1 - - -From 0b91066c5c5cb20e63d79d58a12a46e2069a11af Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Thu, 30 Mar 2017 17:12:02 +0200 -Subject: [PATCH 20/59] Added PKIRESTProvider. - -A new PKIRESTProvider has been added to send and receive -StreamingOutput object through REST API. - -Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e ---- - base/CMakeLists.txt | 7 ++ - base/ca/src/CMakeLists.txt | 7 -- - base/common/src/CMakeLists.txt | 2 +- - .../com/netscape/certsrv/client/PKIConnection.java | 4 +- - .../netscape/certsrv/client/PKIRESTProvider.java | 118 +++++++++++++++++++++ - base/java-tools/src/CMakeLists.txt | 7 -- - base/server/cms/src/CMakeLists.txt | 7 -- - 7 files changed, 128 insertions(+), 24 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java - -diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt -index d2ea9a5..4140adb 100644 ---- a/base/CMakeLists.txt -+++ b/base/CMakeLists.txt -@@ -30,6 +30,13 @@ find_file(SLF4J_JDK14_JAR - /usr/share/java/slf4j - ) - -+find_file(COMMONS_IO_JAR -+ NAMES -+ commons-io.jar -+ PATHS -+ /usr/share/java -+) -+ - find_file(JACKSON_CORE_JAR - NAMES - jackson-core-asl.jar -diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt -index 4982ef8..b23782d 100644 ---- a/base/ca/src/CMakeLists.txt -+++ b/base/ca/src/CMakeLists.txt -@@ -24,13 +24,6 @@ find_file(COMMONS_CODEC_JAR - /usr/share/java - ) - --find_file(COMMONS_IO_JAR -- NAMES -- commons-io.jar -- PATHS -- /usr/share/java --) -- - find_file(COMMONS_LANG_JAR - NAMES - commons-lang.jar -diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt -index c08d1b7..705d62c 100644 ---- a/base/common/src/CMakeLists.txt -+++ b/base/common/src/CMakeLists.txt -@@ -103,7 +103,7 @@ javac(pki-certsrv-classes - CLASSPATH - ${SLF4J_API_JAR} - ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} -- ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} -+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR} - ${APACHE_COMMONS_LANG_JAR} - 
${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR} - ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR} -diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -index b75e332..c2ffd09 100644 ---- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java -+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -@@ -76,7 +76,6 @@ import org.jboss.resteasy.client.jaxrs.ResteasyClient; - import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; - import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget; - import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; --import org.jboss.resteasy.spi.ResteasyProviderFactory; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.CryptoManager.NotInitializedException; - import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; -@@ -95,7 +94,6 @@ public class PKIConnection { - - ApacheHttpClient4Engine engine; - ResteasyClient resteasyClient; -- ResteasyProviderFactory providerFactory; - - int requestCounter; - int responseCounter; -@@ -204,7 +202,9 @@ public class PKIConnection { - }); - - engine = new ApacheHttpClient4Engine(httpClient); -+ - resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build(); -+ resteasyClient.register(PKIRESTProvider.class); - } - - public boolean isVerbose() { -diff --git a/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java -new file mode 100644 -index 0000000..4018da3 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java -@@ -0,0 +1,118 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.client; -+ -+import java.io.File; -+import java.io.FileInputStream; -+import java.io.FileOutputStream; -+import java.io.IOException; -+import java.io.InputStream; -+import java.io.OutputStream; -+import java.lang.annotation.Annotation; -+import java.lang.reflect.Type; -+ -+import javax.ws.rs.Consumes; -+import javax.ws.rs.Produces; -+import javax.ws.rs.WebApplicationException; -+import javax.ws.rs.core.MediaType; -+import javax.ws.rs.core.MultivaluedMap; -+import javax.ws.rs.core.StreamingOutput; -+import javax.ws.rs.ext.MessageBodyReader; -+import javax.ws.rs.ext.MessageBodyWriter; -+import javax.ws.rs.ext.Provider; -+ -+import org.apache.commons.io.IOUtils; -+ -+@Provider -+@Consumes(MediaType.APPLICATION_OCTET_STREAM) -+@Produces(MediaType.APPLICATION_OCTET_STREAM) -+public class PKIRESTProvider implements MessageBodyReader, MessageBodyWriter { -+ -+ @Override -+ public boolean isReadable( -+ Class type, -+ Type genericType, -+ Annotation[] annotations, -+ MediaType mediaType) { -+ -+ return true; -+ } -+ -+ @Override -+ public StreamingOutput readFrom( -+ Class type, -+ Type genericType, -+ Annotation[] annotations, -+ MediaType mediaType, -+ MultivaluedMap httpHeaders, -+ InputStream entityStream) throws IOException, WebApplicationException { -+ -+ final File file = File.createTempFile("PKIRESTProvider-", ".tmp"); -+ file.deleteOnExit(); -+ -+ FileOutputStream out = 
new FileOutputStream(file); -+ IOUtils.copy(entityStream, out); -+ -+ return new StreamingOutput() { -+ -+ @Override -+ public void write(OutputStream out) throws IOException, WebApplicationException { -+ FileInputStream in = new FileInputStream(file); -+ IOUtils.copy(in, out); -+ } -+ -+ public void finalize() { -+ file.delete(); -+ } -+ }; -+ } -+ -+ @Override -+ public long getSize( -+ StreamingOutput out, -+ Class type, -+ Type genericType, -+ Annotation[] annotations, -+ MediaType mediaType) { -+ -+ return -1; -+ } -+ -+ @Override -+ public boolean isWriteable( -+ Class type, -+ Type genericType, -+ Annotation[] annotations, -+ MediaType mediaType) { -+ -+ return true; -+ } -+ -+ @Override -+ public void writeTo( -+ StreamingOutput so, -+ Class type, -+ Type genericType, -+ Annotation[] annotations, -+ MediaType mediaType, -+ MultivaluedMap httpHeaders, -+ OutputStream entityStream) throws IOException, WebApplicationException { -+ -+ so.write(entityStream); -+ } -+} -diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt -index c2f54d4..7c57eaa 100644 ---- a/base/java-tools/src/CMakeLists.txt -+++ b/base/java-tools/src/CMakeLists.txt -@@ -37,13 +37,6 @@ find_file(COMMONS_CODEC_JAR - /usr/share/java - ) - --find_file(COMMONS_IO_JAR -- NAMES -- commons-io.jar -- PATHS -- /usr/share/java --) -- - find_file(XALAN_JAR - NAMES - xalan-j2.jar -diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt -index c66227c..e72a821 100644 ---- a/base/server/cms/src/CMakeLists.txt -+++ b/base/server/cms/src/CMakeLists.txt -@@ -30,13 +30,6 @@ find_file(COMMONS_HTTPCLIENT_JAR - /usr/share/java - ) - --find_file(COMMONS_IO_JAR -- NAMES -- commons-io.jar -- PATHS -- /usr/share/java --) -- - find_file(COMMONS_LANG_JAR - NAMES - commons-lang.jar --- -1.8.3.1 - - -From 6a682f8e56c982ed0e0810326e71f9de23347590 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 4 Apr 2017 14:52:37 -0400 -Subject: [PATCH 24/59] Fix pylint errors 
- ---- - base/common/python/pki/info.py | 2 ++ - base/common/python/pki/util.py | 1 - - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py -index 65d4825..b4da8b0 100644 ---- a/base/common/python/pki/info.py -+++ b/base/common/python/pki/info.py -@@ -21,6 +21,8 @@ - """ - Module containing the Python client classes for the InfoClient - """ -+from __future__ import absolute_import -+from __future__ import print_function - from six import iteritems - - import pki -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 02ecde8..0765bcf 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -272,4 +272,3 @@ def read_environment_files(env_file_list=None): - for env_val in env_vals: - (key, _, value) = env_val.partition("=") - os.environ[key] = value -- --- -1.8.3.1 - - -From 88cd07655268831e14e7cd4f6f6a65e331f86583 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 28 Mar 2017 21:02:22 +0200 -Subject: [PATCH 25/59] Added CLIs to access audit log files. - -New pki audit commands have been added to list and retrieve audit -log files. 
- -Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5 ---- - base/ca/shared/conf/acl.properties | 3 + - .../com/netscape/certsrv/logging/AuditClient.java | 11 ++ - .../com/netscape/certsrv/logging/AuditFile.java | 123 +++++++++++++++++++++ - .../certsrv/logging/AuditFileCollection.java | 38 +++++++ - .../netscape/certsrv/logging/AuditResource.java | 19 +++- - .../com/netscape/cmstools/logging/AuditCLI.java | 11 ++ - .../cmstools/logging/AuditFileFindCLI.java | 90 +++++++++++++++ - .../cmstools/logging/AuditFileRetrieveCLI.java | 87 +++++++++++++++ - base/kra/shared/conf/acl.properties | 3 + - base/ocsp/shared/conf/acl.properties | 3 + - .../com/netscape/cms/servlet/base/PKIService.java | 1 + - .../org/dogtagpki/server/rest/AuditService.java | 107 ++++++++++++++++++ - base/tks/shared/conf/acl.properties | 3 + - base/tps/shared/conf/acl.properties | 3 + - 14 files changed, 501 insertions(+), 1 deletion(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFile.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java - -diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties -index c487e48..a8fe65c 100644 ---- a/base/ca/shared/conf/acl.properties -+++ b/base/ca/shared/conf/acl.properties -@@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout - audit.read = certServer.log.configuration,read - audit.modify = certServer.log.configuration,modify - -+# audit logs -+audit-log.read = certServer.log.content.signedAudit,read -+ - certs = certServer.ca.certs,execute - certrequests = certServer.ca.certrequests,execute - groups = certServer.ca.groups,execute -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java 
-index 018850c..9451e83 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java -@@ -20,6 +20,7 @@ package com.netscape.certsrv.logging; - import java.net.URISyntaxException; - - import javax.ws.rs.core.Response; -+import javax.ws.rs.core.StreamingOutput; - - import com.netscape.certsrv.client.Client; - import com.netscape.certsrv.client.PKIClient; -@@ -54,4 +55,14 @@ public class AuditClient extends Client { - Response response = resource.changeAuditStatus(action); - return client.getEntity(response, AuditConfig.class); - } -+ -+ public AuditFileCollection findAuditFiles() { -+ Response response = resource.findAuditFiles(); -+ return client.getEntity(response, AuditFileCollection.class); -+ } -+ -+ public StreamingOutput getAuditFile(String filename) throws Exception { -+ Response response = resource.getAuditFile(filename); -+ return client.getEntity(response, StreamingOutput.class); -+ } - } -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java -new file mode 100644 -index 0000000..0edfc3a ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java -@@ -0,0 +1,123 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.certsrv.logging; -+ -+import java.io.StringReader; -+import java.io.StringWriter; -+ -+import javax.xml.bind.JAXBContext; -+import javax.xml.bind.Marshaller; -+import javax.xml.bind.Unmarshaller; -+import javax.xml.bind.annotation.XmlAccessType; -+import javax.xml.bind.annotation.XmlAccessorType; -+import javax.xml.bind.annotation.XmlAttribute; -+import javax.xml.bind.annotation.XmlElement; -+import javax.xml.bind.annotation.XmlRootElement; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+@XmlRootElement(name="AuditFile") -+@XmlAccessorType(XmlAccessType.NONE) -+public class AuditFile { -+ -+ String name; -+ Long size; -+ -+ @XmlAttribute(name="name") -+ public String getName() { -+ return name; -+ } -+ -+ public void setName(String name) { -+ this.name = name; -+ } -+ -+ @XmlElement(name="Size") -+ public Long getSize() { -+ return size; -+ } -+ -+ public void setSize(Long size) { -+ this.size = size; -+ } -+ -+ @Override -+ public int hashCode() { -+ final int prime = 31; -+ int result = 1; -+ result = prime * result + ((name == null) ? 0 : name.hashCode()); -+ result = prime * result + ((size == null) ? 
0 : size.hashCode()); -+ return result; -+ } -+ -+ @Override -+ public boolean equals(Object obj) { -+ if (this == obj) -+ return true; -+ if (obj == null) -+ return false; -+ if (getClass() != obj.getClass()) -+ return false; -+ AuditFile other = (AuditFile) obj; -+ if (name == null) { -+ if (other.name != null) -+ return false; -+ } else if (!name.equals(other.name)) -+ return false; -+ if (size == null) { -+ if (other.size != null) -+ return false; -+ } else if (!size.equals(other.size)) -+ return false; -+ return true; -+ } -+ -+ public String toString() { -+ try { -+ Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller(); -+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); -+ -+ StringWriter sw = new StringWriter(); -+ marshaller.marshal(this, sw); -+ return sw.toString(); -+ -+ } catch (Exception e) { -+ throw new RuntimeException(e); -+ } -+ } -+ -+ public static AuditFile valueOf(String string) throws Exception { -+ Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller(); -+ return (AuditFile)unmarshaller.unmarshal(new StringReader(string)); -+ } -+ -+ public static void main(String args[]) throws Exception { -+ -+ AuditFile before = new AuditFile(); -+ before.setName("audit.log"); -+ before.setSize(1024l); -+ -+ String string = before.toString(); -+ System.out.println(string); -+ -+ AuditFile after = AuditFile.valueOf(string); -+ System.out.println(before.equals(after)); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java -new file mode 100644 -index 0000000..e5c4e20 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java -@@ -0,0 +1,38 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free 
Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.certsrv.logging; -+ -+import java.util.Collection; -+ -+import javax.xml.bind.annotation.XmlElementRef; -+import javax.xml.bind.annotation.XmlRootElement; -+ -+import com.netscape.certsrv.base.DataCollection; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+@XmlRootElement(name="AuditFiles") -+public class AuditFileCollection extends DataCollection { -+ -+ @XmlElementRef -+ public Collection getEntries() { -+ return super.getEntries(); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java -index 9b14986..4d33735 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java -@@ -20,8 +20,12 @@ package com.netscape.certsrv.logging; - import javax.ws.rs.GET; - import javax.ws.rs.POST; - import javax.ws.rs.Path; -+import javax.ws.rs.PathParam; -+import javax.ws.rs.Produces; - import javax.ws.rs.QueryParam; -+import javax.ws.rs.core.MediaType; - import javax.ws.rs.core.Response; -+import javax.ws.rs.core.StreamingOutput; - - import org.jboss.resteasy.annotations.ClientResponseType; - -@@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH; - */ - @Path("audit") - @AuthMethodMapping("audit") --@ACLMapping("audit.read") - public interface AuditResource { 
- - @GET - @ClientResponseType(entityType=AuditConfig.class) -+ @ACLMapping("audit.read") - public Response getAuditConfig(); - - @PATCH -@@ -52,4 +56,17 @@ public interface AuditResource { - @ACLMapping("audit.modify") - public Response changeAuditStatus( - @QueryParam("action") String action); -+ -+ @GET -+ @Path("files") -+ @ClientResponseType(entityType=AuditFileCollection.class) -+ @ACLMapping("audit-log.read") -+ public Response findAuditFiles(); -+ -+ @GET -+ @Path("files/(unknown)") -+ @Produces(MediaType.APPLICATION_OCTET_STREAM) -+ @ClientResponseType(entityType=StreamingOutput.class) -+ @ACLMapping("audit-log.read") -+ public Response getAuditFile(@PathParam("filename") String filename); - } -diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -index ff489dc..06ba040 100644 ---- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java -@@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link; - import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.logging.AuditClient; - import com.netscape.certsrv.logging.AuditConfig; -+import com.netscape.certsrv.logging.AuditFile; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.SubsystemCLI; - -@@ -42,8 +43,13 @@ public class AuditCLI extends CLI { - - this.subsystemCLI = subsystemCLI; - -+ // audit configuration - addModule(new AuditModifyCLI(this)); - addModule(new AuditShowCLI(this)); -+ -+ // audit files -+ addModule(new AuditFileFindCLI(this)); -+ addModule(new AuditFileRetrieveCLI(this)); - } - - @Override -@@ -83,4 +89,9 @@ public class AuditCLI extends CLI { - System.out.println(" Link: " + link.getHref()); - } - } -+ -+ public static void printAuditFile(AuditFile auditFile) { -+ System.out.println(" File name: " + auditFile.getName()); -+ System.out.println(" Size: " + 
auditFile.getSize()); -+ } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java -new file mode 100644 -index 0000000..5ae9ce7 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java -@@ -0,0 +1,90 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.logging; -+ -+import java.util.Collection; -+ -+import org.apache.commons.cli.CommandLine; -+ -+import com.netscape.certsrv.logging.AuditClient; -+import com.netscape.certsrv.logging.AuditFile; -+import com.netscape.certsrv.logging.AuditFileCollection; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class AuditFileFindCLI extends CLI { -+ -+ public AuditCLI auditCLI; -+ -+ public AuditFileFindCLI(AuditCLI auditCLI) { -+ super("file-find", "Find audit files", auditCLI); -+ this.auditCLI = auditCLI; -+ -+ createOptions(); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(getFullName() + " [OPTIONS...]", options); -+ } -+ -+ public void createOptions() { -+ options.addOption(null, "help", false, "Show help message."); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ CommandLine cmd = parser.parse(options, args); -+ -+ if (cmd.hasOption("help")) { -+ printHelp(); -+ return; -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length > 0) { -+ throw new Exception("Too many arguments specified."); -+ } -+ -+ AuditClient auditClient = auditCLI.getAuditClient(); -+ AuditFileCollection response = auditClient.findAuditFiles(); -+ -+ MainCLI.printMessage(response.getTotal() + " entries matched"); -+ if (response.getTotal() == 0) return; -+ -+ Collection entries = response.getEntries(); -+ boolean first = true; -+ -+ for (AuditFile auditFile : entries) { -+ -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ AuditCLI.printAuditFile(auditFile); -+ } -+ -+ MainCLI.printMessage("Number of entries returned " + entries.size()); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java -new file mode 100644 -index 0000000..07af3a4 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java -@@ -0,0 +1,87 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.logging; -+ -+import java.io.FileOutputStream; -+import java.io.OutputStream; -+ -+import javax.ws.rs.core.StreamingOutput; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.logging.AuditClient; -+import com.netscape.cmstools.cli.CLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class AuditFileRetrieveCLI extends CLI { -+ -+ public AuditCLI auditCLI; -+ -+ public AuditFileRetrieveCLI(AuditCLI auditCLI) { -+ super("file-retrieve", "Retrieve audit file", auditCLI); -+ this.auditCLI = auditCLI; -+ -+ createOptions(); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(getFullName() + " [OPTIONS...]", options); -+ } -+ -+ public void createOptions() { -+ Option option = new Option(null, "output", true, "Output file."); -+ option.setArgName("path"); -+ options.addOption(option); -+ -+ options.addOption(null, "help", false, "Show help message."); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ CommandLine cmd = parser.parse(options, args); -+ -+ if (cmd.hasOption("help")) { -+ printHelp(); -+ return; -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length < 1) { -+ throw new Exception("Missing audit file name."); -+ -+ } if (cmdArgs.length > 1) { -+ throw new Exception("Too many arguments specified."); -+ } -+ -+ String filename = cmdArgs[0]; -+ String 
output = cmd.getOptionValue("output"); -+ if (output == null) output = filename; -+ -+ AuditClient auditClient = auditCLI.getAuditClient(); -+ StreamingOutput so = auditClient.getAuditFile(filename); -+ -+ try (OutputStream out = new FileOutputStream(output)) { -+ so.write(out); -+ } -+ } -+} -diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties -index 8cac3ee..bcb1456 100644 ---- a/base/kra/shared/conf/acl.properties -+++ b/base/kra/shared/conf/acl.properties -@@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout - audit.read = certServer.log.configuration,read - audit.modify = certServer.log.configuration,modify - -+# audit logs -+audit-log.read = certServer.log.content.signedAudit,read -+ - groups = certServer.kra.groups,execute - keys = certServer.kra.keys,execute - keyrequests = certServer.kra.keyrequests,execute -diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties -index 26b212d..e8188b8 100644 ---- a/base/ocsp/shared/conf/acl.properties -+++ b/base/ocsp/shared/conf/acl.properties -@@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout - audit.read = certServer.log.configuration,read - audit.modify = certServer.log.configuration,modify - -+# audit logs -+audit-log.read = certServer.log.content.signedAudit,read -+ - groups = certServer.ocsp.groups,execute - selftests.read = certServer.ocsp.selftests,read - selftests.execute = certServer.ocsp.selftests,execute -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -index 8dfbef1..e023aa6 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -@@ -59,6 +59,7 @@ public class PKIService { - MediaType.APPLICATION_XML_TYPE, - MediaType.APPLICATION_JSON_TYPE, - MediaType.APPLICATION_FORM_URLENCODED_TYPE, -+ 
MediaType.APPLICATION_OCTET_STREAM_TYPE, - MediaType.valueOf("application/pkix-cert"), - MediaType.valueOf("application/pkcs7-mime"), - MediaType.valueOf("application/x-pem-file") -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -index 9af95d9..7bb048f 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -@@ -18,16 +18,27 @@ - - package org.dogtagpki.server.rest; - -+import java.io.File; -+import java.io.FileInputStream; -+import java.io.IOException; -+import java.io.InputStream; -+import java.io.OutputStream; - import java.io.UnsupportedEncodingException; - import java.net.URI; -+import java.util.ArrayList; - import java.util.Collection; -+import java.util.Collections; - import java.util.HashMap; -+import java.util.List; - import java.util.Map; - import java.util.TreeMap; - import java.util.TreeSet; - -+import javax.ws.rs.WebApplicationException; - import javax.ws.rs.core.Response; -+import javax.ws.rs.core.StreamingOutput; - -+import org.apache.commons.io.IOUtils; - import org.apache.commons.lang.StringUtils; - import org.jboss.resteasy.plugins.providers.atom.Link; - -@@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.PKIException; -+import com.netscape.certsrv.base.ResourceNotFoundException; - import com.netscape.certsrv.logging.AuditConfig; -+import com.netscape.certsrv.logging.AuditFile; -+import com.netscape.certsrv.logging.AuditFileCollection; - import com.netscape.certsrv.logging.AuditResource; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.servlet.base.SubsystemService; -@@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource { - } - } - -+ public 
File getCurrentLogFile() { -+ IConfigStore cs = CMS.getConfigStore(); -+ String filename = cs.get("log.instance.SignedAudit.fileName"); -+ return new File(filename); -+ } -+ -+ public File getLogDirectory() { -+ File file = getCurrentLogFile(); -+ return file.getParentFile(); -+ } -+ -+ public List getLogFiles() { -+ -+ List filenames = new ArrayList<>(); -+ -+ File currentFile = getCurrentLogFile(); -+ String currentFilename = currentFile.getName(); -+ File logDir = currentFile.getParentFile(); -+ -+ // add all log files except the current one -+ for (String filename : logDir.list()) { -+ if (filename.equals(currentFilename)) continue; -+ filenames.add(filename); -+ } -+ -+ // sort log files in ascending order -+ Collections.sort(filenames); -+ -+ // add the current log file last (i.e. newest) -+ filenames.add(currentFilename); -+ -+ List files = new ArrayList<>(); -+ for (String filename : filenames) { -+ files.add(new File(logDir, filename)); -+ } -+ -+ return files; -+ } -+ -+ @Override -+ public Response findAuditFiles() { -+ -+ AuditFileCollection response = new AuditFileCollection(); -+ -+ List files = getLogFiles(); -+ -+ CMS.debug("Audit files:"); -+ for (File file : files) { -+ String name = file.getName(); -+ CMS.debug(" - " + name); -+ -+ AuditFile auditFile = new AuditFile(); -+ auditFile.setName(name); -+ auditFile.setSize(file.length()); -+ -+ response.addEntry(auditFile); -+ } -+ -+ response.setTotal(files.size()); -+ -+ return createOKResponse(response); -+ } -+ -+ @Override -+ public Response getAuditFile(String filename) { -+ -+ // make sure filename does not contain path -+ if (!new File(filename).getName().equals(filename)) { -+ CMS.debug("Invalid file name: " + filename); -+ throw new BadRequestException("Invalid file name: " + filename); -+ } -+ -+ File logDir = getLogDirectory(); -+ File file = new File(logDir, filename); -+ -+ if (!file.exists()) { -+ throw new ResourceNotFoundException("File not found: " + filename); -+ } -+ -+ 
StreamingOutput so = new StreamingOutput() { -+ -+ @Override -+ public void write(OutputStream out) throws IOException, WebApplicationException { -+ -+ try (InputStream is = new FileInputStream(file)) { -+ IOUtils.copy(is, out); -+ } -+ } -+ }; -+ -+ return createOKResponse(so); -+ } -+ - /* - * in case of failure, "info" should be in the params - */ -diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties -index 7146d38..5c072c7 100644 ---- a/base/tks/shared/conf/acl.properties -+++ b/base/tks/shared/conf/acl.properties -@@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout - audit.read = certServer.log.configuration,read - audit.modify = certServer.log.configuration,modify - -+# audit logs -+audit-log.read = certServer.log.content.signedAudit,read -+ - groups = certServer.tks.groups,execute - selftests.read = certServer.tks.selftests,read - selftests.execute = certServer.tks.selftests,execute -diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties -index 1c581b3..6b51485 100644 ---- a/base/tps/shared/conf/acl.properties -+++ b/base/tps/shared/conf/acl.properties -@@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout - audit.read = certServer.log.configuration,read - audit.modify = certServer.log.configuration,modify - -+# audit logs -+audit-log.read = certServer.log.content.signedAudit,read -+ - authenticators.read = certServer.tps.authenticators,read - authenticators.add = certServer.tps.authenticators,add - authenticators.modify = certServer.tps.authenticators,modify --- -1.8.3.1 - - -From 4ab0608cbda0c9336c5eb9ea40a7d3ca769ab17b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 4 Apr 2017 17:53:53 +0200 -Subject: [PATCH 26/59] Fixed PKIServerSocketListener. - -The PKIServerSocketListener.alertReceived() has been fixed to -generate audit log when the SSL socket is closed by the client. - -The log message has been modified to include the reason for the -termination. 
- -https://pagure.io/dogtagpki/issue/2602 - -Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988 ---- - .../dogtagpki/server/PKIServerSocketListener.java | 39 +++++++++++++++++++++- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - 2 files changed, 39 insertions(+), 2 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -index f147c77..adba676 100644 ---- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -@@ -41,6 +41,42 @@ public class PKIServerSocketListener implements SSLSocketListener { - - @Override - public void alertReceived(SSLAlertEvent event) { -+ try { -+ SSLSocket socket = event.getSocket(); -+ -+ SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); -+ InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress(); -+ InetAddress serverAddress = socket.getLocalAddress(); -+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -+ -+ SSLSecurityStatus status = socket.getStatus(); -+ X509Certificate peerCertificate = status.getPeerCertificate(); -+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -+ String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); -+ -+ int description = event.getDescription(); -+ String reason = SSLAlertDescription.valueOf(description).toString(); -+ -+ logger.debug("SSL alert received:"); -+ logger.debug(" - client: " + clientAddress); -+ logger.debug(" - server: " + serverAddress); -+ logger.debug(" - reason: " + reason); -+ -+ IAuditor auditor = CMS.getAuditor(); -+ -+ String auditMessage = CMS.getLogMessage( -+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", -+ clientIP, -+ serverIP, -+ subjectID, -+ reason); -+ -+ auditor.log(auditMessage); -+ -+ } catch (Exception e) { -+ e.printStackTrace(); -+ } - } - - @Override -@@ -75,7 +111,8 @@ public class PKIServerSocketListener implements SSLSocketListener { - "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED", - clientIP, - serverIP, -- subjectID); -+ subjectID, -+ reason); - - auditor.log(auditMessage); - -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index dde53ba..7572db4 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2737,7 +2737,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ - # separated by + (if more than one name;;value pair) of config params changed - # - LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ --:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success] access session terminated -+:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success][Info={3}] access session terminated - - - ########################### --- -1.8.3.1 - - -From 8463f5f791ced714d64ff891dc015666a971454b Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 3 Apr 2017 12:56:48 -0400 -Subject: [PATCH 27/59] Add python-cryptography crypto provider - -The python-cryptography provider is added. It will use AES -mechanisms by default. 
The eventual goal is to use this -provider by default, and to obsolete the NSS CryptoProvider. - -Added some methods to determine which crypto keyset levels are -supported by the crypto provider. - -Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819 ---- - base/common/python/pki/crypto.py | 206 ++++++++++++++++++++++++++++++++++++--- - base/common/python/pki/util.py | 6 +- - 2 files changed, 196 insertions(+), 16 deletions(-) - -diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py -index 86fa16e..b767abd 100644 ---- a/base/common/python/pki/crypto.py -+++ b/base/common/python/pki/crypto.py -@@ -23,13 +23,21 @@ Module containing crypto classes. - """ - from __future__ import absolute_import - import abc --import nss.nss as nss - import os --import six - import shutil - import subprocess - import tempfile - -+import nss.nss as nss -+import six -+from cryptography.hazmat.backends import default_backend -+from cryptography.hazmat.primitives.ciphers import ( -+ Cipher, algorithms, modes -+) -+from cryptography.hazmat.primitives import padding -+from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 -+import cryptography.x509 -+ - - class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - """ -@@ -43,30 +51,32 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - @abc.abstractmethod - def initialize(self): - """ Initialization code """ -- pass - -- @staticmethod - @abc.abstractmethod -- def generate_nonce_iv(mechanism): -+ def get_supported_algorithm_keyset(self): -+ """ returns highest supported algorithm keyset """ -+ -+ @abc.abstractmethod -+ def set_algorithm_keyset(self, level): -+ """ sets required keyset """ -+ -+ @abc.abstractmethod -+ def generate_nonce_iv(self, mechanism): - """ Create a random initialization vector """ -- pass - - @abc.abstractmethod - def generate_symmetric_key(self, mechanism=None, size=0): - """ Generate and return a symmetric key """ -- pass - - @abc.abstractmethod - def 
generate_session_key(self): - """ Generate a session key to be used for wrapping data to the DRM - This must return a 3DES 168 bit key """ -- pass - - @abc.abstractmethod - def symmetric_wrap(self, data, wrapping_key, mechanism=None, - nonce_iv=None): - """ encrypt data using a symmetric key (wrapping key)""" -- pass - - @abc.abstractmethod - def symmetric_unwrap(self, data, wrapping_key, mechanism=None, -@@ -77,7 +87,6 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - The mechanism is the type of key used to do the wrapping. It defaults - to a 56 bit DES3 key. - """ -- pass - - @abc.abstractmethod - def asymmetric_wrap(self, data, wrapping_cert, mechanism=None): -@@ -86,12 +95,10 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - The mechanism is the type of symmetric key, which defaults to a 56 bit - DES3 key. - """ -- pass - - # abc.abstractmethod - def get_cert(self, cert_nick): - """ Get the certificate for the specified cert_nick. """ -- pass - - - class NSSCryptoProvider(CryptoProvider): -@@ -152,6 +159,18 @@ class NSSCryptoProvider(CryptoProvider): - """ - nss.nss_init(self.certdb_dir) - -+ def get_supported_algorithm_keyset(self): -+ """ returns highest supported algorithm keyset """ -+ return 0 -+ -+ def set_algorithm_keyset(self, level): -+ """ sets required keyset """ -+ if level > 0: -+ raise Exception("Invalid keyset") -+ -+ # basically, do what we have always done, no need to set anything -+ # special here. 
-+ - def import_cert(self, cert_nick, cert, trust=',,'): - """ Import a certificate into the nss database - """ -@@ -170,8 +189,7 @@ class NSSCryptoProvider(CryptoProvider): - '-i', cert_file.name] - subprocess.check_call(command) - -- @staticmethod -- def generate_nonce_iv(mechanism=nss.CKM_DES3_CBC_PAD): -+ def generate_nonce_iv(self, mechanism=nss.CKM_DES3_CBC_PAD): - """ Create a random initialization vector """ - iv_length = nss.get_iv_length(mechanism) - if iv_length > 0: -@@ -237,6 +255,8 @@ class NSSCryptoProvider(CryptoProvider): - """ - :param data Data to be wrapped - :param wrapping_key Symmetric key to wrap data -+ :param mechanism Mechanism to user when wrapping -+ :param nonce_iv Nonce to use when wrapping - - Wrap (encrypt) data using the supplied symmetric key - """ -@@ -255,6 +275,7 @@ class NSSCryptoProvider(CryptoProvider): - """ - :param data Data to be unwrapped - :param wrapping_key Symmetric key to unwrap data -+ :param mechanism Mechanism to use when wrapping - :param nonce_iv iv data - - Unwrap (decrypt) data using the supplied symmetric key -@@ -288,3 +309,160 @@ class NSSCryptoProvider(CryptoProvider): - Searches NSS database and returns SecItem object for this certificate. - """ - return nss.find_cert_from_nickname(cert_nick) -+ -+ -+class CryptographyCryptoProvider(CryptoProvider): -+ """ -+ Class that defines python-cryptography implementation of CryptoProvider. -+ Requires a PEM file containing the agent cert to be initialized. -+ -+ Note that all inputs and outputs are unencoded. 
-+ """ -+ -+ def __init__(self, transport_cert_nick, transport_cert, -+ backend=default_backend()): -+ """ Initialize python-cryptography -+ """ -+ super(CryptographyCryptoProvider, self).__init__() -+ self.certs = {} -+ -+ if not isinstance(transport_cert, cryptography.x509.Certificate): -+ # it's a file name -+ with open(transport_cert, 'r') as f: -+ transport_pem = f.read() -+ transport_cert = cryptography.x509.load_pem_x509_certificate( -+ transport_pem, -+ backend) -+ -+ self.certs[transport_cert_nick] = transport_cert -+ -+ # default to AES -+ self.encrypt_alg = algorithms.AES -+ self.encrypt_mode = modes.CBC -+ self.encrypt_size = 128 -+ self.backend = backend -+ -+ def initialize(self): -+ """ -+ Any operations here that need to be performed before crypto -+ operations. -+ """ -+ pass -+ -+ def get_supported_algorithm_keyset(self): -+ """ returns highest supported algorithm keyset """ -+ return 1 -+ -+ def set_algorithm_keyset(self, level): -+ """ sets required keyset """ -+ if level > 1: -+ raise ValueError("Invalid keyset") -+ elif level == 1: -+ self.encrypt_alg = algorithms.AES -+ self.encrypt_mode = modes.CBC -+ self.encrypt_size = 128 -+ elif level == 0: -+ self.encrypt_alg = algorithms.TripleDES -+ self.encrypt_mode = modes.CBC -+ self.encrypt_size = 168 -+ -+ def generate_nonce_iv(self, mechanism='AES'): -+ """ Create a random initialization vector """ -+ return os.urandom(self.encrypt_alg.block_size // 8) -+ -+ def generate_symmetric_key(self, mechanism=None, size=0): -+ """ Returns a symmetric key. -+ """ -+ if mechanism is None: -+ size = self.encrypt_size // 8 -+ return os.urandom(size) -+ -+ def generate_session_key(self): -+ """ Returns a session key to be used when wrapping secrets for the DRM. 
-+ """ -+ return self.generate_symmetric_key() -+ -+ def symmetric_wrap(self, data, wrapping_key, mechanism=None, -+ nonce_iv=None): -+ """ -+ :param data Data to be wrapped -+ :param wrapping_key Symmetric key to wrap data -+ :param mechanism Mechanism to use for wrapping key -+ :param nonce_iv Nonce for initialization vector -+ -+ Wrap (encrypt) data using the supplied symmetric key -+ """ -+ # TODO(alee) Not sure yet how to handle non-default mechanisms -+ # For now, lets just ignore them -+ -+ if wrapping_key is None: -+ raise ValueError("Wrapping key must be provided") -+ -+ if self.encrypt_mode.name == "CBC": -+ padder = padding.PKCS7(self.encrypt_alg.block_size).padder() -+ padded_data = padder.update(data) + padder.finalize() -+ data = padded_data -+ else: -+ raise ValueError('Only CBC mode is currently supported') -+ -+ cipher = Cipher(self.encrypt_alg(wrapping_key), -+ self.encrypt_mode(nonce_iv), -+ backend=self.backend) -+ -+ encryptor = cipher.encryptor() -+ ct = encryptor.update(data) + encryptor.finalize() -+ return ct -+ -+ def symmetric_unwrap(self, data, wrapping_key, -+ mechanism=None, nonce_iv=None): -+ """ -+ :param data Data to be unwrapped -+ :param wrapping_key Symmetric key to unwrap data -+ :param mechanism Mechanism to use when unwrapping -+ :param nonce_iv iv data -+ -+ Unwrap (decrypt) data using the supplied symmetric key -+ """ -+ -+ # TODO(alee) As above, no idea what to do with mechanism -+ # ignoring for now. 
-+ -+ if wrapping_key is None: -+ raise ValueError("Wrapping key must be provided") -+ -+ cipher = Cipher(self.encrypt_alg(wrapping_key), -+ self.encrypt_mode(nonce_iv), -+ backend=self.backend) -+ -+ decryptor = cipher.decryptor() -+ unwrapped = decryptor.update(data) + decryptor.finalize() -+ -+ if self.encrypt_mode.name == 'CBC': -+ unpadder = padding.PKCS7(self.encrypt_alg.block_size).unpadder() -+ unpadded = unpadder.update(unwrapped) + unpadder.finalize() -+ unwrapped = unpadded -+ else: -+ raise ValueError('Only CBC mode is currently supported') -+ -+ return unwrapped -+ -+ def asymmetric_wrap(self, data, wrapping_cert, -+ mechanism=None): -+ """ -+ :param data Data to be wrapped -+ :param wrapping_cert Public key to wrap data -+ :param mechanism algorithm of symmetric key to be wrapped -+ -+ Wrap (encrypt) data using the supplied asymmetric key -+ """ -+ public_key = wrapping_cert.public_key() -+ return public_key.encrypt( -+ data, -+ PKCS1v15() -+ ) -+ -+ def get_cert(self, cert_nick): -+ """ -+ :param cert_nick Nickname for the certificate to be returned. -+ """ -+ return self.certs[cert_nick] -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 0765bcf..0de13fd 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -34,8 +34,10 @@ except ImportError: - - import subprocess - --DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf', -- '/etc/pki/pki.conf'] -+DEFAULT_PKI_ENV_LIST = [ -+ '/usr/share/pki/etc/pki.conf', -+ '/etc/pki/pki.conf', -+] - - - def copy(source, dest): --- -1.8.3.1 - - -From a1e30184b675c69fa858eb4fb85a6d358deb9bf1 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 3 Apr 2017 13:00:03 -0400 -Subject: [PATCH 28/59] Add code in KRA python client to support multiple - crypto algorithms - -Added code to: -* Add an InfoClient to the KRAClient -* Check the server, client and crypto provider keyset levels and - select the highest possible level accordingly. 
-* Added new fields as returned by the server for retrieval. -* Added new fields to KeyRecoveryRequest as added in AES changes. - -Changes to decode keywrapped symmetirc and asymmetric keys will -be added in subsequent patches. Right now, encrypt/decrypt works. - -Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d ---- - base/common/python/pki/info.py | 52 +++++++++++++++----- - base/common/python/pki/key.py | 105 ++++++++++++++++++++++++++++++++++------- - base/common/python/pki/kra.py | 23 ++++++--- - 3 files changed, 144 insertions(+), 36 deletions(-) - -diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py -index b4da8b0..f4ab68c 100644 ---- a/base/common/python/pki/info.py -+++ b/base/common/python/pki/info.py -@@ -56,20 +56,38 @@ class Info(object): - return info - - --class Version(object): -- """ -- This class encapsulates a version object as returned from -- a Dogtag server and decomposes it into major, minor, etc. -- """ -+class Version(tuple): -+ __slots__ = () -+ -+ def __new__(cls, version): -+ parts = [int(p) for p in version.split('.')] -+ if len(parts) < 3: -+ parts.extend([0] * (3 - len(parts))) -+ if len(parts) > 3: -+ raise ValueError(version) -+ return tuple.__new__(cls, tuple(parts)) -+ -+ def __str__(self): -+ return '{}.{}.{}'.format(*self) -+ -+ def __repr__(self): -+ return "".format(*self) - -- def __init__(self, version_string): -- for idx, val in enumerate(version_string.split('.')): -- if idx == 0: -- self.major = val -- if idx == 1: -- self.minor = val -- if idx == 2: -- self.patch = val -+ def __getnewargs__(self): -+ # pickle support -+ return str(self) -+ -+ @property -+ def major(self): -+ return self[0] -+ -+ @property -+ def minor(self): -+ return self[1] -+ -+ @property -+ def patchlevel(self): -+ return self[2] - - - class InfoClient(object): -@@ -98,3 +116,11 @@ class InfoClient(object): - """ return Version object from server """ - version_string = self.get_info().version - return 
Version(version_string) -+ -+ -+if __name__ == '__main__': -+ print(Version('10')) -+ print(Version('10.1')) -+ print(Version('10.1.1')) -+ print(tuple(Version('10.1.1'))) -+ print(Version('10.1.1.1')) -diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py -index da4efd6..6c5641a 100644 ---- a/base/common/python/pki/key.py -+++ b/base/common/python/pki/key.py -@@ -27,12 +27,15 @@ from __future__ import absolute_import - from __future__ import print_function - import base64 - import json -+import os - - from six import iteritems - from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 - - import pki - import pki.encoder as encoder -+from pki.info import Version -+import pki.util - - - # should be moved to request.py -@@ -58,7 +61,10 @@ class KeyData(object): - json_attribute_names = { - 'nonceData': 'nonce_data', - 'wrappedPrivateData': 'wrapped_private_data', -- 'requestID': 'request_id' -+ 'requestID': 'request_id', -+ 'encryptAlgorithmOID': 'encrypt_algorithm_oid', -+ 'wrapAlgorithm': 'wrap_algorithm', -+ 'publicKey': 'public_key' - } - - # pylint: disable=C0103 -@@ -69,6 +75,10 @@ class KeyData(object): - self.request_id = None - self.size = None - self.wrapped_private_data = None -+ self.encrypt_algorithm_oid = None -+ self.wrap_algorithm = None -+ self.public_key = None -+ self.type = None - - @classmethod - def from_json(cls, attr_list): -@@ -102,6 +112,11 @@ class Key(object): - self.algorithm = key_data.algorithm - self.size = key_data.size - -+ self.encrypt_algorithm_oid = getattr( -+ key_data, "encrypt_algorithm_oid", None) -+ self.wrap_algorithm = getattr(key_data, "wrap_algorithm", None) -+ self.public_key = getattr(key_data, "public_key", None) -+ - # To store the unwrapped key information. - # The decryption takes place on the client side. 
- self.data = None -@@ -341,7 +356,8 @@ class KeyRecoveryRequest(pki.ResourceMessage): - trans_wrapped_session_key=None, - session_wrapped_passphrase=None, - nonce_data=None, certificate=None, -- passphrase=None): -+ passphrase=None, payload_wrapping_name=None, -+ payload_encryption_oid=None): - """ Constructor """ - pki.ResourceMessage.__init__( - self, -@@ -354,6 +370,8 @@ class KeyRecoveryRequest(pki.ResourceMessage): - self.add_attribute("certificate", certificate) - self.add_attribute("passphrase", passphrase) - self.add_attribute("keyId", key_id) -+ self.add_attribute("payloadWrappingName", payload_wrapping_name) -+ self.add_attribute("payloadEncryptionOID", payload_encryption_oid) - - - class SymKeyGenerationRequest(pki.ResourceMessage): -@@ -443,8 +461,10 @@ class KeyClient(object): - - # default session key wrapping algorithm - DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" -+ AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" - -- def __init__(self, connection, crypto, transport_cert_nick=None): -+ def __init__(self, connection, crypto, transport_cert_nick=None, -+ info_client=None): - """ Constructor """ - self.connection = connection - self.headers = {'Content-type': 'application/json', -@@ -459,6 +479,10 @@ class KeyClient(object): - else: - self.transport_cert = None - -+ self.info_client = info_client -+ self.encrypt_alg_oid = None -+ self.set_crypto_algorithms() -+ - def set_transport_cert(self, transport_cert_nick): - """ Set the transport certificate for crypto operations """ - if transport_cert_nick is None: -@@ -467,6 +491,44 @@ class KeyClient(object): - self.transport_cert = self.crypto.get_cert(transport_cert_nick) - - @pki.handle_exceptions() -+ def set_crypto_algorithms(self): -+ server_keyset = self.get_server_keyset() -+ client_keyset = self.get_client_keyset() -+ crypto_keyset = self.crypto.get_supported_algorithm_keyset() -+ keyset_id = min([server_keyset, client_keyset, crypto_keyset]) -+ -+ # set keyset in crypto provider -+ 
self.crypto.set_algorithm_keyset(keyset_id) -+ -+ # set keyset related constants needed in KeyClient -+ if keyset_id == 0: -+ self.encrypt_alg_oid = self.DES_EDE3_CBC_OID -+ else: -+ self.encrypt_alg_oid = self.AES_128_CBC_OID -+ -+ def get_client_keyset(self): -+ # get client keyset -+ pki.util.read_environment_files() -+ client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET') -+ if client_keyset is not None: -+ return client_keyset -+ return 0 -+ -+ def get_server_keyset(self): -+ # get server keyset id -+ server_version = Version("0.0.0") -+ try: -+ server_version = self.info_client.get_version() -+ except Exception: # pylint: disable=W0703 -+ # TODO(alee) tighten up the exception here -+ pass -+ -+ if server_version >= (10, 4): -+ return 1 -+ -+ return 0 -+ -+ @pki.handle_exceptions() - def list_keys(self, client_key_id=None, status=None, max_results=None, - max_time=None, start=None, size=None, realm=None): - """ List/Search archived secrets in the DRM. -@@ -785,7 +847,8 @@ class KeyClient(object): - raise TypeError('Missing wrapped session key') - - if not algorithm_oid: -- algorithm_oid = KeyClient.DES_EDE3_CBC_OID -+ algorithm_oid = KeyClient.AES_128_CBC_OID -+ # algorithm_oid = KeyClient.DES_EDE3_CBC_OID - - if not nonce_iv: - raise TypeError('Missing nonce IV') -@@ -910,7 +973,7 @@ class KeyClient(object): - approval is required, then the KeyData will include the secret. - - * If the key cannot be retrieved synchronously - ie. if more than one -- approval is needed, then the KeyData obect will include the request -+ approval is needed, then the KeyData object will include the request - ID for a recovery request that was created on the server. When that - request is approved, callers can retrieve the key using - retrieve_key() and setting the request_id. 
-@@ -951,7 +1014,9 @@ class KeyClient(object): - key_id=key_id, - request_id=request_id, - trans_wrapped_session_key=base64.b64encode( -- trans_wrapped_session_key)) -+ trans_wrapped_session_key), -+ payload_encryption_oid=self.encrypt_alg_oid -+ ) - - key = self.retrieve_key_data(request) - if not key_provided and key.encrypted_data is not None: -@@ -982,12 +1047,13 @@ class KeyClient(object): - - 1) A passphrase is provided by the caller. - -- In this case, CryptoProvider methods will be called to create the data -- to securely send the passphrase to the DRM. Basically, three pieces of -- data will be sent: -+ In this case, CryptoProvider methods will be called to create the -+ data to securely send the passphrase to the DRM. Basically, three -+ pieces of data will be sent: - -- - the passphrase wrapped by a 168 bit 3DES symmetric key (the session -- key). This is referred to as the parameter session_wrapped_passphrase. -+ - the passphrase wrapped by a 168 bit 3DES symmetric key (the -+ session key). This is referred to as the parameter -+ session_wrapped_passphrase. - - - the session key wrapped with the public key in the DRM transport - certificate. This is referred to as the trans_wrapped_session_key. -@@ -999,9 +1065,10 @@ class KeyClient(object): - 2) The caller provides the trans_wrapped_session_key, - session_wrapped_passphrase and nonce_data. - -- In this case, the data will simply be passed to the DRM. The function -- will return the secret encrypted by the passphrase using PBE Encryption. -- The secret will still need to be decrypted by the caller. -+ In this case, the data will simply be passed to the DRM. -+ The function will return the secret encrypted by the passphrase -+ using PBE Encryption. The secret will still need to be decrypted -+ by the caller. 
- - The function will return the tuple (KeyData, None) - """ -@@ -1053,12 +1120,18 @@ def main(): - usages = [SymKeyGenerationRequest.DECRYPT_USAGE, - SymKeyGenerationRequest.ENCRYPT_USAGE] - gen_request = SymKeyGenerationRequest(client_key_id, 128, "AES", usages) -- print(json.dumps(gen_request, cls=encoder.CustomTypeEncoder, sort_keys=True)) -+ print(json.dumps(gen_request, -+ cls=encoder.CustomTypeEncoder, -+ sort_keys=True)) - - print("printing key recovery request") - key_request = KeyRecoveryRequest("25", "MX12345BBBAAA", None, - "1234ABC", None, None) -- print(json.dumps(key_request, cls=encoder.CustomTypeEncoder, sort_keys=True)) -+ print(json.dumps( -+ key_request, -+ cls=encoder.CustomTypeEncoder, -+ sort_keys=True) -+ ) - - print("printing key archival request") - archival_request = KeyArchivalRequest(client_key_id, "symmetricKey", -diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py -index b98f856..6b2de63 100644 ---- a/base/common/python/pki/kra.py -+++ b/base/common/python/pki/kra.py -@@ -26,6 +26,7 @@ KeyRequestResource REST APIs. - """ - - from __future__ import absolute_import -+from pki.info import InfoClient - import pki.key as key - - from pki.systemcert import SystemCertClient -@@ -41,18 +42,26 @@ class KRAClient(object): - """ Constructor - - :param connection - PKIConnection object with DRM connection info. -- :param crypto - CryptoProvider object. NSSCryptoProvider is provided by -- default. If a different crypto implementation is -+ :param crypto - CryptoProvider object. NSSCryptoProvider is provided -+ by default. If a different crypto implementation is - desired, a different subclass of CryptoProvider must be - provided. - :param transport_cert_nick - identifier for the DRM transport - certificate. This will be passed to the -- CryptoProvider.get_cert() command to get a representation -- of the transport certificate usable for crypto ops. 
-- Note that for NSS databases, the database must have been -- initialized beforehand. -+ CryptoProvider.get_cert() command to get a -+ representation of the transport certificate usable for -+ crypto ops. -+ -+ Note that for NSS databases, the database must have -+ been initialized beforehand. - """ - self.connection = connection - self.crypto = crypto -- self.keys = key.KeyClient(connection, crypto, transport_cert_nick) -+ self.info = InfoClient(connection) -+ self.keys = key.KeyClient( -+ connection, -+ crypto, -+ transport_cert_nick, -+ self.info -+ ) - self.system_certs = SystemCertClient(connection) --- -1.8.3.1 - - -From 60f0adb9205d5c7d4d9294ca620530ff3df2000e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 17 Mar 2017 04:48:07 +0100 -Subject: [PATCH 31/59] Added SSLSocketListener for PKIConnection. - -To help troubleshooting the PKIConnection has been modified to -register an SSL socket listener which will display SSL alerts -that it has received or sent. - -https://pagure.io/dogtagpki/issue/2625 - -Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83 ---- - .../com/netscape/certsrv/client/PKIConnection.java | 40 ++++++++++++++++++++++ - 1 file changed, 40 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -index c2ffd09..d5e4c00 100644 ---- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java -+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -@@ -78,8 +78,13 @@ import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget; - import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.CryptoManager.NotInitializedException; -+import org.mozilla.jss.ssl.SSLAlertDescription; -+import org.mozilla.jss.ssl.SSLAlertEvent; -+import org.mozilla.jss.ssl.SSLAlertLevel; - import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; -+import 
org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; - import org.mozilla.jss.ssl.SSLSocket; -+import org.mozilla.jss.ssl.SSLSocketListener; - - import com.netscape.certsrv.base.PKIException; - -@@ -352,6 +357,41 @@ public class PKIConnection { - socket.setClientCertNickname(certNickname); - } - -+ socket.addSocketListener(new SSLSocketListener() { -+ -+ @Override -+ public void alertReceived(SSLAlertEvent event) { -+ -+ int intLevel = event.getLevel(); -+ SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel); -+ -+ int intDescription = event.getDescription(); -+ SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription); -+ -+ if (level == SSLAlertLevel.FATAL || verbose) { -+ System.err.println(level + ": SSL alert received: " + description); -+ } -+ } -+ -+ @Override -+ public void alertSent(SSLAlertEvent event) { -+ -+ int intLevel = event.getLevel(); -+ SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel); -+ -+ int intDescription = event.getDescription(); -+ SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription); -+ -+ if (level == SSLAlertLevel.FATAL || verbose) { -+ System.err.println(level + ": SSL alert sent: " + description); -+ } -+ } -+ -+ @Override -+ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { -+ } -+ -+ }); - return socket; - } - --- -1.8.3.1 - - -From 0409bfa35601a0b59f75c05cf8a34aed6514fc24 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 8 Apr 2017 09:04:54 +0200 -Subject: [PATCH 32/59] Fixed pki user and group commands. - -The UserCLI and GroupCLI have been fixed to use the subsystem name -in the client configuration object if available. 
- -https://pagure.io/dogtagpki/issue/2626 - -Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f ---- - base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 3 ++- - base/java-tools/src/com/netscape/cmstools/user/UserCLI.java | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -index 5ccf70d..95eb3a2 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -@@ -73,7 +73,8 @@ public class GroupCLI extends CLI { - SubsystemCLI subsystemCLI = (SubsystemCLI)parent; - subsystem = subsystemCLI.getName(); - } else { -- subsystem = "ca"; -+ subsystem = client.getSubsystem(); -+ if (subsystem == null) subsystem = "ca"; - } - - // create new group client -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -index 1acbf0b..affda9c 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -@@ -76,7 +76,8 @@ public class UserCLI extends CLI { - SubsystemCLI subsystemCLI = (SubsystemCLI)parent; - subsystem = subsystemCLI.getName(); - } else { -- subsystem = "ca"; -+ subsystem = client.getSubsystem(); -+ if (subsystem == null) subsystem = "ca"; - } - - // create new user client --- -1.8.3.1 - - -From 0c8aedd8a79841751005c531cf6cfbc08a4fd4dd Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 8 Apr 2017 09:05:48 +0200 -Subject: [PATCH 33/59] Deprecated -t option for pki CLI. - -The MainCLI has been modified to generate a deprecation warning -for the -t option. 
- -Change-Id: I28ac45954a900f6944528ef52913982d72896c92 ---- - base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index d7aa54c..1b9c569 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -124,12 +124,12 @@ public class MainCLI extends CLI { - - public void printVersion() { - Package pkg = MainCLI.class.getPackage(); -- System.out.println("PKI Command-Line Interface "+pkg.getImplementationVersion()); -+ System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion()); - } - - public void printHelp() { - -- formatter.printHelp(name+" [OPTIONS..] [ARGS..]", options); -+ formatter.printHelp(name + " [OPTIONS..] [ARGS..]", options); - System.out.println(); - - int leftPadding = 1; -@@ -169,7 +169,7 @@ public class MainCLI extends CLI { - option.setArgName("port"); - options.addOption(option); - -- option = new Option("t", true, "Subsystem type"); -+ option = new Option("t", true, "Subsystem type (deprecated)"); - option.setArgName("type"); - options.addOption(option); - -@@ -340,8 +340,10 @@ public class MainCLI extends CLI { - if (uri == null) - uri = protocol + "://" + hostname + ":" + port; - -- if (subsystem != null) -+ if (subsystem != null) { -+ System.err.println("WARNING: The -t option has been deprecated. Use pki " + subsystem + " command instead."); - uri = uri + "/" + subsystem; -+ } - - config.setServerURI(uri); - --- -1.8.3.1 - - -From 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 7 Apr 2017 19:45:10 +0200 -Subject: [PATCH 34/59] Added FIPS-compliant password generator. - -A new function has been added to generate a random password that -meets FIPS requirements for a strong password. 
This function is -used to generate NSS database password during installation. - -https://pagure.io/dogtagpki/issue/2556 - -Change-Id: I64dd36125ec968f6253f90835e6065325d720032 ---- - base/common/python/pki/__init__.py | 63 ++++++++++++++++++++++ - .../python/pki/server/deployment/pkiparser.py | 12 +---- - 2 files changed, 65 insertions(+), 10 deletions(-) - -diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py -index c015126..1fc5385 100644 ---- a/base/common/python/pki/__init__.py -+++ b/base/common/python/pki/__init__.py -@@ -26,7 +26,9 @@ from __future__ import print_function - - from functools import wraps - import os -+import random - import re -+import string - import sys - - import requests -@@ -124,6 +126,67 @@ def implementation_version(): - raise Exception('Missing implementation version.') - - -+def generate_password(): -+ """ -+ This function generates FIPS-compliant password. -+ -+ See sftk_newPinCheck() in the following file: -+ https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c -+ -+ The minimum password length is FIPS_MIN_PIN Unicode characters. -+ -+ The password must contain at least 3 character classes: -+ * digits (string.digits) -+ * ASCII lowercase letters (string.ascii_lowercase) -+ * ASCII uppercase letters (string.ascii_uppercase) -+ * ASCII non-alphanumeric characters (string.punctuation) -+ * non-ASCII characters -+ -+ If an ASCII uppercase letter is the first character of the password, -+ the uppercase letter is not counted toward its character class. -+ -+ If a digit is the last character of the password, the digit is not -+ counted toward its character class. 
-+ -+ The FIPS_MIN_PIN is defined in the following file: -+ https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h -+ -+ #define FIPS_MIN_PIN 7 -+ """ -+ -+ rnd = random.SystemRandom() -+ -+ valid_chars = string.digits +\ -+ string.ascii_lowercase +\ -+ string.ascii_uppercase +\ -+ string.punctuation -+ -+ chars = [] -+ -+ # add 1 random char from each char class to meet -+ # the minimum number of char class requirement -+ chars.append(rnd.choice(string.digits)) -+ chars.append(rnd.choice(string.ascii_lowercase)) -+ chars.append(rnd.choice(string.ascii_uppercase)) -+ chars.append(rnd.choice(string.punctuation)) -+ -+ # add 6 additional random chars -+ chars.extend(rnd.choice(valid_chars) for i in range(6)) -+ -+ # randomize the char order -+ rnd.shuffle(chars) -+ -+ # add 2 random chars at the beginning and the end -+ # to maintain the minimum number of char class -+ chars.insert(0, rnd.choice(valid_chars)) -+ chars.append(rnd.choice(valid_chars)) -+ -+ # final password is 12 chars -+ password = ''.join(chars) -+ -+ return password -+ -+ - # pylint: disable=R0903 - class Attribute(object): - """ -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index e05e0be..df04ff8 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -583,12 +583,6 @@ class PKIConfigParser: - - self.deployer.flatten_master_dict() - -- # Generate random 'pin's for use as security database passwords -- # and add these to the "sensitive" key value pairs read in from -- # the configuration file -- pin_low = 100000000000 -- pin_high = 999999999999 -- - instance = pki.server.PKIInstance(self.mdict['pki_instance_name']) - instance.load() - -@@ -604,11 +598,9 @@ class PKIConfigParser: - - # otherwise, generate a random password - else: -- self.mdict['pki_pin'] = \ -- random.randint(pin_low, pin_high) -+ self.mdict['pki_pin'] = 
pki.generate_password() - -- self.mdict['pki_client_pin'] = \ -- random.randint(pin_low, pin_high) -+ self.mdict['pki_client_pin'] = pki.generate_password() - - pkilogging.sensitive_parameters = \ - self.mdict['sensitive_parameters'].split() --- -1.8.3.1 - - -From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 11 Apr 2017 18:04:41 +0200 -Subject: [PATCH 35/59] Added pki-server -audit-file-find CLI. - -A new pki-server -audit-file-find CLI has been added -to list audit log files on the server. - -Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f ---- - base/server/python/pki/server/__init__.py | 14 ++++ - base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++ - base/server/python/pki/server/cli/ca.py | 2 + - base/server/python/pki/server/cli/kra.py | 2 + - base/server/python/pki/server/cli/ocsp.py | 2 + - base/server/python/pki/server/cli/tks.py | 2 + - base/server/python/pki/server/cli/tps.py | 2 + - 7 files changed, 133 insertions(+) - create mode 100644 base/server/python/pki/server/cli/audit.py - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 5032274..112dcbf 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -389,6 +389,20 @@ class PKISubsystem(object): - - pki.util.customize_file(input_file, output_file, params) - -+ def get_audit_log_files(self): -+ -+ current_file_path = self.config['log.instance.SignedAudit.fileName'] -+ (log_dir, current_file) = os.path.split(current_file_path) -+ -+ # sort log files based on timestamp -+ files = [f for f in os.listdir(log_dir) if f != current_file] -+ files.sort() -+ -+ # put the current log file at the end -+ files.append(current_file) -+ -+ return files -+ - def __repr__(self): - return str(self.instance) + '/' + self.name - -diff --git a/base/server/python/pki/server/cli/audit.py 
b/base/server/python/pki/server/cli/audit.py -new file mode 100644 -index 0000000..3bb9d5f ---- /dev/null -+++ b/base/server/python/pki/server/cli/audit.py -@@ -0,0 +1,109 @@ -+# Authors: -+# Endi S. Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. -+# -+ -+from __future__ import absolute_import -+from __future__ import print_function -+import getopt -+import sys -+ -+import pki.cli -+ -+ -+class AuditCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditCLI, self).__init__( -+ 'audit', 'Audit management commands') -+ -+ self.parent = parent -+ self.add_module(AuditFileFindCLI(self)) -+ -+ -+class AuditFileFindCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditFileFindCLI, self).__init__( -+ 'file-find', 'Find audit log files') -+ -+ self.parent = parent -+ -+ def print_help(self): -+ print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name) -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, args): -+ -+ try: -+ opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ 'instance=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.print_help() -+ sys.exit(1) -+ -+ instance_name = 
'pki-tomcat' -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--help': -+ self.print_help() -+ sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.print_help() -+ sys.exit(1) -+ -+ instance = pki.server.PKIInstance(instance_name) -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ subsystem_name = self.parent.parent.name -+ subsystem = instance.get_subsystem(subsystem_name) -+ if not subsystem: -+ print('ERROR: No %s subsystem in instance %s.' -+ % (subsystem_name.upper(), instance_name)) -+ sys.exit(1) -+ -+ log_files = subsystem.get_audit_log_files() -+ -+ self.print_message('%s entries matched' % len(log_files)) -+ -+ first = True -+ for filename in log_files: -+ if first: -+ first = False -+ else: -+ print() -+ -+ print(' File name: %s' % filename) -diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py -index 1d1c00f..550e511 100644 ---- a/base/server/python/pki/server/cli/ca.py -+++ b/base/server/python/pki/server/cli/ca.py -@@ -28,6 +28,7 @@ import sys - import tempfile - - import pki.cli -+import pki.server.cli.audit - - - class CACLI(pki.cli.CLI): -@@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI): - - self.add_module(CACertCLI()) - self.add_module(CACloneCLI()) -+ self.add_module(pki.server.cli.audit.AuditCLI(self)) - - - class CACertCLI(pki.cli.CLI): -diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py -index 5558d6a..3724014 100644 ---- a/base/server/python/pki/server/cli/kra.py -+++ b/base/server/python/pki/server/cli/kra.py -@@ -32,6 +32,7 @@ import tempfile - import time - - import pki.cli -+import pki.server.cli.audit - - - KRA_VLVS = ['allKeys', 'kraAll', -@@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI): - - self.add_module(KRACloneCLI()) - self.add_module(KRADBCLI()) -+ 
self.add_module(pki.server.cli.audit.AuditCLI(self)) - - - class KRACloneCLI(pki.cli.CLI): -diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py -index 246f593..3e9b6aa 100644 ---- a/base/server/python/pki/server/cli/ocsp.py -+++ b/base/server/python/pki/server/cli/ocsp.py -@@ -28,6 +28,7 @@ import sys - import tempfile - - import pki.cli -+import pki.server.cli.audit - - - class OCSPCLI(pki.cli.CLI): -@@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI): - 'ocsp', 'OCSP management commands') - - self.add_module(OCSPCloneCLI()) -+ self.add_module(pki.server.cli.audit.AuditCLI(self)) - - - class OCSPCloneCLI(pki.cli.CLI): -diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py -index 2c4157a..0e6a998 100644 ---- a/base/server/python/pki/server/cli/tks.py -+++ b/base/server/python/pki/server/cli/tks.py -@@ -28,6 +28,7 @@ import sys - import tempfile - - import pki.cli -+import pki.server.cli.audit - - - class TKSCLI(pki.cli.CLI): -@@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI): - 'tks', 'TKS management commands') - - self.add_module(TKSCloneCLI()) -+ self.add_module(pki.server.cli.audit.AuditCLI(self)) - - - class TKSCloneCLI(pki.cli.CLI): -diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py -index 1f71b8e..03df8de 100644 ---- a/base/server/python/pki/server/cli/tps.py -+++ b/base/server/python/pki/server/cli/tps.py -@@ -32,6 +32,7 @@ import tempfile - import time - - import pki.cli -+import pki.server.cli.audit - - - TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif' -@@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI): - - self.add_module(TPSCloneCLI()) - self.add_module(TPSDBCLI()) -+ self.add_module(pki.server.cli.audit.AuditCLI(self)) - - - class TPSCloneCLI(pki.cli.CLI): --- -1.8.3.1 - - -From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Tue, 11 Apr 2017 18:04:41 +0200 -Subject: [PATCH 36/59] Added pki-server -audit-file-verify CLI. - -A new pki-server -audit-file-verify CLI has been added -to verify audit log files on the server. - -Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f ---- - base/server/python/pki/server/__init__.py | 5 ++ - base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++ - 2 files changed, 96 insertions(+) - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 112dcbf..8898654 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -389,6 +389,11 @@ class PKISubsystem(object): - - pki.util.customize_file(input_file, output_file, params) - -+ def get_audit_log_dir(self): -+ -+ current_file_path = self.config['log.instance.SignedAudit.fileName'] -+ return os.path.dirname(current_file_path) -+ - def get_audit_log_files(self): - - current_file_path = self.config['log.instance.SignedAudit.fileName'] -diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py -index 3bb9d5f..0833ca8 100644 ---- a/base/server/python/pki/server/cli/audit.py -+++ b/base/server/python/pki/server/cli/audit.py -@@ -21,7 +21,11 @@ - from __future__ import absolute_import - from __future__ import print_function - import getopt -+import os -+import shutil -+import subprocess - import sys -+import tempfile - - import pki.cli - -@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI): - - self.parent = parent - self.add_module(AuditFileFindCLI(self)) -+ self.add_module(AuditFileVerifyCLI(self)) - - - class AuditFileFindCLI(pki.cli.CLI): -@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI): - print() - - print(' File name: %s' % filename) -+ -+ -+class AuditFileVerifyCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditFileVerifyCLI, self).__init__( -+ 'file-verify', 'Verify audit log files') -+ -+ self.parent = 
parent -+ -+ def print_help(self): -+ print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name) -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, args): -+ -+ try: -+ opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ 'instance=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.print_help() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--help': -+ self.print_help() -+ sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.print_help() -+ sys.exit(1) -+ -+ instance = pki.server.PKIInstance(instance_name) -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ subsystem_name = self.parent.parent.name -+ subsystem = instance.get_subsystem(subsystem_name) -+ if not subsystem: -+ print('ERROR: No %s subsystem in instance %s.' 
-+ % (subsystem_name.upper(), instance_name)) -+ sys.exit(1) -+ -+ log_dir = subsystem.get_audit_log_dir() -+ log_files = subsystem.get_audit_log_files() -+ signing_cert = subsystem.get_subsystem_cert('audit_signing') -+ -+ tmpdir = tempfile.mkdtemp() -+ -+ try: -+ file_list = os.path.join(tmpdir, 'audit.txt') -+ -+ with open(file_list, 'w') as f: -+ for filename in log_files: -+ f.write(os.path.join(log_dir, filename) + '\n') -+ -+ cmd = ['AuditVerify', -+ '-d', instance.nssdb_dir, -+ '-n', signing_cert['nickname'], -+ '-a', file_list] -+ -+ if self.verbose: -+ print('Command: %s' % ' '.join(cmd)) -+ -+ subprocess.call(cmd) -+ -+ finally: -+ shutil.rmtree(tmpdir) --- -1.8.3.1 - - -From 77d2064858e4623fa25f4986647f318d8bf8a6f7 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 7 Apr 2017 12:23:47 -0400 -Subject: [PATCH 37/59] Add KRAInfo resource - -This resource (which will be accessed at /kra/rest/info) -will initially return the mechanism for archival or retrieval. - -This is needed by clients to know how to package secrets when -archiving. 
- -Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec ---- - .../src/com/netscape/certsrv/kra/KRAClient.java | 3 + - base/common/src/org/dogtagpki/common/KRAInfo.java | 136 +++++++++++++++++++++ - .../src/org/dogtagpki/common/KRAInfoClient.java | 48 ++++++++ - .../src/org/dogtagpki/common/KRAInfoResource.java | 40 ++++++ - .../dogtagpki/server/kra/rest/KRAApplication.java | 4 + - .../org/dogtagpki/server/rest/KRAInfoService.java | 67 ++++++++++ - 6 files changed, 298 insertions(+) - create mode 100644 base/common/src/org/dogtagpki/common/KRAInfo.java - create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoClient.java - create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoResource.java - create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java - -diff --git a/base/common/src/com/netscape/certsrv/kra/KRAClient.java b/base/common/src/com/netscape/certsrv/kra/KRAClient.java -index 1eb102f..9440174 100644 ---- a/base/common/src/com/netscape/certsrv/kra/KRAClient.java -+++ b/base/common/src/com/netscape/certsrv/kra/KRAClient.java -@@ -1,5 +1,7 @@ - package com.netscape.certsrv.kra; - -+import org.dogtagpki.common.KRAInfoClient; -+ - import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.client.SubsystemClient; - import com.netscape.certsrv.group.GroupClient; -@@ -22,5 +24,6 @@ public class KRAClient extends SubsystemClient { - addClient(new SelfTestClient(client, name)); - addClient(new SystemCertClient(client, name)); - addClient(new UserClient(client, name)); -+ addClient(new KRAInfoClient(client, name)); - } - } -diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java -new file mode 100644 -index 0000000..e17bd64 ---- /dev/null -+++ b/base/common/src/org/dogtagpki/common/KRAInfo.java -@@ -0,0 +1,136 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the 
GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package org.dogtagpki.common; -+ -+import java.io.StringReader; -+import java.io.StringWriter; -+ -+import javax.xml.bind.JAXBContext; -+import javax.xml.bind.Marshaller; -+import javax.xml.bind.Unmarshaller; -+import javax.xml.bind.annotation.XmlElement; -+import javax.xml.bind.annotation.XmlRootElement; -+ -+import org.slf4j.Logger; -+import org.slf4j.LoggerFactory; -+ -+import com.netscape.certsrv.base.ResourceMessage; -+ -+/** -+ * @author Ade Lee -+ */ -+@XmlRootElement(name="KRAInfo") -+public class KRAInfo extends ResourceMessage { -+ -+ private static Logger logger = LoggerFactory.getLogger(Info.class); -+ -+ public static Marshaller marshaller; -+ public static Unmarshaller unmarshaller; -+ -+ static { -+ try { -+ marshaller = JAXBContext.newInstance(KRAInfo.class).createMarshaller(); -+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); -+ unmarshaller = JAXBContext.newInstance(KRAInfo.class).createUnmarshaller(); -+ } catch (Exception e) { -+ logger.error(e.getMessage(), e); -+ } -+ } -+ -+ String archivalMechanism; -+ String recoveryMechanism; -+ -+ @XmlElement(name="ArchivalMechanism") -+ public String getArchivalMechanism() { -+ return archivalMechanism; -+ } -+ -+ public void setArchivalMechanism(String archivalMechanism) { -+ this.archivalMechanism = 
archivalMechanism; -+ } -+ -+ @XmlElement(name="RecoveryMechanism") -+ public String getRecoveryMechanism() { -+ return recoveryMechanism; -+ } -+ -+ public void setRecoveryMechanism(String recoveryMechanism) { -+ this.recoveryMechanism = recoveryMechanism; -+ } -+ -+ @Override -+ public int hashCode() { -+ final int prime = 31; -+ int result = super.hashCode(); -+ result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); -+ result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode()); -+ return result; -+ } -+ -+ @Override -+ public boolean equals(Object obj) { -+ if (this == obj) -+ return true; -+ if (!super.equals(obj)) -+ return false; -+ if (getClass() != obj.getClass()) -+ return false; -+ KRAInfo other = (KRAInfo) obj; -+ if (archivalMechanism == null) { -+ if (other.archivalMechanism != null) -+ return false; -+ } else if (!archivalMechanism.equals(other.archivalMechanism)) -+ return false; -+ if (recoveryMechanism == null) { -+ if (other.recoveryMechanism != null) -+ return false; -+ } else if (!recoveryMechanism.equals(other.recoveryMechanism)) -+ return false; -+ return true; -+ } -+ -+ public String toString() { -+ try { -+ StringWriter sw = new StringWriter(); -+ marshaller.marshal(this, sw); -+ return sw.toString(); -+ -+ } catch (Exception e) { -+ throw new RuntimeException(e); -+ } -+ } -+ -+ public static KRAInfo valueOf(String string) throws Exception { -+ return (KRAInfo)unmarshaller.unmarshal(new StringReader(string)); -+ } -+ -+ public static void main(String args[]) throws Exception { -+ -+ KRAInfo before = new KRAInfo(); -+ before.setArchivalMechanism("encrypt"); -+ before.setRecoveryMechanism("keywrap"); -+ -+ String string = before.toString(); -+ System.out.println(string); -+ -+ KRAInfo after = KRAInfo.valueOf(string); -+ System.out.println(before.equals(after)); -+ } -+} -+ -diff --git a/base/common/src/org/dogtagpki/common/KRAInfoClient.java 
b/base/common/src/org/dogtagpki/common/KRAInfoClient.java -new file mode 100644 -index 0000000..c998401 ---- /dev/null -+++ b/base/common/src/org/dogtagpki/common/KRAInfoClient.java -@@ -0,0 +1,48 @@ -+//--- BEGIN COPYRIGHT BLOCK --- -+//This program is free software; you can redistribute it and/or modify -+//it under the terms of the GNU General Public License as published by -+//the Free Software Foundation; version 2 of the License. -+// -+//This program is distributed in the hope that it will be useful, -+//but WITHOUT ANY WARRANTY; without even the implied warranty of -+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+//GNU General Public License for more details. -+// -+//You should have received a copy of the GNU General Public License along -+//with this program; if not, write to the Free Software Foundation, Inc., -+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+//(C) 2017 Red Hat, Inc. -+//All rights reserved. -+//--- END COPYRIGHT BLOCK --- -+ -+package org.dogtagpki.common; -+ -+import java.net.URISyntaxException; -+ -+import javax.ws.rs.core.Response; -+ -+import com.netscape.certsrv.client.Client; -+import com.netscape.certsrv.client.PKIClient; -+ -+/** -+ * @author Ade Lee -+ */ -+public class KRAInfoClient extends Client { -+ -+ public KRAInfoResource resource; -+ -+ public KRAInfoClient(PKIClient client, String subsystem) throws URISyntaxException { -+ super(client, subsystem, "info"); -+ init(); -+ } -+ -+ public void init() throws URISyntaxException { -+ resource = createProxy(KRAInfoResource.class); -+ } -+ -+ public KRAInfo getInfo() throws Exception { -+ Response response = resource.getInfo(); -+ return client.getEntity(response, KRAInfo.class); -+ } -+} -diff --git a/base/common/src/org/dogtagpki/common/KRAInfoResource.java b/base/common/src/org/dogtagpki/common/KRAInfoResource.java -new file mode 100644 -index 0000000..540e3a6 ---- /dev/null -+++ 
b/base/common/src/org/dogtagpki/common/KRAInfoResource.java -@@ -0,0 +1,40 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package org.dogtagpki.common; -+ -+import javax.ws.rs.GET; -+import javax.ws.rs.Path; -+import javax.ws.rs.core.Response; -+ -+import org.jboss.resteasy.annotations.ClientResponseType; -+ -+/** -+ * @author Ade Lee -+ */ -+@Path("info") -+public interface KRAInfoResource { -+ -+ String ENCRYPT_MECHANISM = "encrypt"; -+ String KEYWRAP_MECHANISM = "keywrap"; -+ -+ @GET -+ @ClientResponseType(entityType=KRAInfo.class) -+ public Response getInfo() throws Exception; -+} -+ -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -index 6244270..a1f58a8 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java -@@ -10,6 +10,7 @@ import org.dogtagpki.server.rest.AccountService; - import org.dogtagpki.server.rest.AuditService; - import org.dogtagpki.server.rest.AuthMethodInterceptor; - import org.dogtagpki.server.rest.GroupService; -+import org.dogtagpki.server.rest.KRAInfoService; - import 
org.dogtagpki.server.rest.MessageFormatInterceptor; - import org.dogtagpki.server.rest.PKIExceptionMapper; - import org.dogtagpki.server.rest.SecurityDomainService; -@@ -67,6 +68,9 @@ public class KRAApplication extends Application { - // exception mapper - classes.add(PKIExceptionMapper.class); - -+ // info service -+ classes.add(KRAInfoService.class); -+ - // interceptors - singletons.add(new SessionContextInterceptor()); - singletons.add(new AuthMethodInterceptor()); -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java -new file mode 100644 -index 0000000..c4b3252 ---- /dev/null -+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java -@@ -0,0 +1,67 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package org.dogtagpki.server.rest; -+ -+import javax.servlet.http.HttpSession; -+import javax.ws.rs.core.Response; -+ -+import org.dogtagpki.common.KRAInfo; -+import org.dogtagpki.common.KRAInfoResource; -+import org.slf4j.Logger; -+import org.slf4j.LoggerFactory; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.cms.servlet.base.PKIService; -+ -+/** -+ * @author Ade Lee -+ */ -+public class KRAInfoService extends PKIService implements KRAInfoResource { -+ -+ private static Logger logger = LoggerFactory.getLogger(InfoService.class); -+ -+ @Override -+ public Response getInfo() throws Exception { -+ -+ HttpSession session = servletRequest.getSession(); -+ logger.debug("KRAInfoService.getInfo(): session: " + session.getId()); -+ -+ KRAInfo info = new KRAInfo(); -+ info.setArchivalMechanism(getArchivalMechanism()); -+ info.setRecoveryMechanism(getRecoveryMechanism()); -+ -+ -+ return createOKResponse(info); -+ } -+ -+ String getArchivalMechanism() throws EBaseException { -+ IConfigStore cs = CMS.getConfigStore(); -+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); -+ return encrypt_archival ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; -+ } -+ -+ String getRecoveryMechanism() throws EBaseException { -+ IConfigStore cs = CMS.getConfigStore(); -+ boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false); -+ return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; -+ } -+} -+ --- -1.8.3.1 - - -From 24d7e952e4f048fcb58dcd1b33009e92afde365d Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 7 Apr 2017 16:52:31 -0400 -Subject: [PATCH 38/59] Add CAInfo resource - -This resource (which will be accessed at /ca/rest/info) -will initially return the mechanism for archival. 
-
-This is needed by clients to know how to package secrets when
-archiving. We may add the transport cert later.
-
-Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
----
- .../dogtagpki/server/ca/rest/CAApplication.java | 4 +
- base/common/src/org/dogtagpki/common/CAInfo.java | 119 +++++++++++++++++++++
- .../src/org/dogtagpki/common/CAInfoClient.java | 49 +++++++++
- .../src/org/dogtagpki/common/CAInfoResource.java | 37 +++++++
- .../org/dogtagpki/server/rest/CAInfoService.java | 64 +++++++++++
- 5 files changed, 273 insertions(+)
- create mode 100644 base/common/src/org/dogtagpki/common/CAInfo.java
- create mode 100644 base/common/src/org/dogtagpki/common/CAInfoClient.java
- create mode 100644 base/common/src/org/dogtagpki/common/CAInfoResource.java
- create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
-
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
-index ae18e02..45881b9 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
-@@ -9,6 +9,7 @@ import org.dogtagpki.server.rest.ACLInterceptor;
- import org.dogtagpki.server.rest.AccountService;
- import org.dogtagpki.server.rest.AuditService;
- import org.dogtagpki.server.rest.AuthMethodInterceptor;
-+import org.dogtagpki.server.rest.CAInfoService;
- import org.dogtagpki.server.rest.FeatureService;
- import org.dogtagpki.server.rest.GroupService;
- import org.dogtagpki.server.rest.MessageFormatInterceptor;
-@@ -65,6 +66,9 @@ public class CAApplication extends Application {
- // features
- classes.add(FeatureService.class);
-
-+ // info service
-+ classes.add(CAInfoService.class);
-+
- // security domain
- IConfigStore cs = CMS.getConfigStore();
-
-diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
-new file mode 100644
-index 0000000..89255ed
---- /dev/null
-+++ b/base/common/src/org/dogtagpki/common/CAInfo.java
-@@ -0,0 +1,119 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2017 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package org.dogtagpki.common;
-+
-+import java.io.StringReader;
-+import java.io.StringWriter;
-+
-+import javax.xml.bind.JAXBContext;
-+import javax.xml.bind.Marshaller;
-+import javax.xml.bind.Unmarshaller;
-+import javax.xml.bind.annotation.XmlElement;
-+import javax.xml.bind.annotation.XmlRootElement;
-+
-+import org.slf4j.Logger;
-+import org.slf4j.LoggerFactory;
-+
-+import com.netscape.certsrv.base.ResourceMessage;
-+
-+/**
-+ * @author Ade Lee
-+ */
-+@XmlRootElement(name="CAInfo")
-+public class CAInfo extends ResourceMessage {
-+
-+ private static Logger logger = LoggerFactory.getLogger(Info.class);
-+
-+ public static Marshaller marshaller;
-+ public static Unmarshaller unmarshaller;
-+
-+ static {
-+ try {
-+ marshaller = JAXBContext.newInstance(CAInfo.class).createMarshaller();
-+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
-+ unmarshaller = JAXBContext.newInstance(CAInfo.class).createUnmarshaller();
-+ } catch (Exception e) {
-+ logger.error(e.getMessage(), e);
-+ }
-+ }
-+
-+ String archivalMechanism;
-+
-+ 
@XmlElement(name="ArchivalMechanism")
-+ public String getArchivalMechanism() {
-+ return archivalMechanism;
-+ }
-+
-+ public void setArchivalMechanism(String archivalMechanism) {
-+ this.archivalMechanism = archivalMechanism;
-+ }
-+
-+ @Override
-+ public int hashCode() {
-+ final int prime = 31;
-+ int result = super.hashCode();
-+ result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
-+ return result;
-+ }
-+
-+ @Override
-+ public boolean equals(Object obj) {
-+ if (this == obj)
-+ return true;
-+ if (!super.equals(obj))
-+ return false;
-+ if (getClass() != obj.getClass())
-+ return false;
-+ CAInfo other = (CAInfo) obj;
-+ if (archivalMechanism == null) {
-+ if (other.archivalMechanism != null)
-+ return false;
-+ } else if (!archivalMechanism.equals(other.archivalMechanism))
-+ return false;
-+ return true;
-+ }
-+
-+ public String toString() {
-+ try {
-+ StringWriter sw = new StringWriter();
-+ marshaller.marshal(this, sw);
-+ return sw.toString();
-+
-+ } catch (Exception e) {
-+ throw new RuntimeException(e);
-+ }
-+ }
-+
-+ public static CAInfo valueOf(String string) throws Exception {
-+ return (CAInfo)unmarshaller.unmarshal(new StringReader(string));
-+ }
-+
-+ public static void main(String args[]) throws Exception {
-+
-+ CAInfo before = new CAInfo();
-+ before.setArchivalMechanism("encrypt");
-+
-+ String string = before.toString();
-+ System.out.println(string);
-+
-+ CAInfo after = CAInfo.valueOf(string);
-+ System.out.println(before.equals(after));
-+ }
-+}
-+
-diff --git a/base/common/src/org/dogtagpki/common/CAInfoClient.java b/base/common/src/org/dogtagpki/common/CAInfoClient.java
-new file mode 100644
-index 0000000..859c829
---- /dev/null
-+++ b/base/common/src/org/dogtagpki/common/CAInfoClient.java
-@@ -0,0 +1,49 @@
-+//--- BEGIN COPYRIGHT BLOCK ---
-+//This program is free software; you can redistribute it and/or modify
-+//it under the terms of the GNU General Public License as published by
-+//the 
Free Software Foundation; version 2 of the License.
-+//
-+//This program is distributed in the hope that it will be useful,
-+//but WITHOUT ANY WARRANTY; without even the implied warranty of
-+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+//GNU General Public License for more details.
-+//
-+//You should have received a copy of the GNU General Public License along
-+//with this program; if not, write to the Free Software Foundation, Inc.,
-+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+//(C) 2017 Red Hat, Inc.
-+//All rights reserved.
-+//--- END COPYRIGHT BLOCK ---
-+
-+package org.dogtagpki.common;
-+
-+import java.net.URISyntaxException;
-+
-+import javax.ws.rs.core.Response;
-+
-+import com.netscape.certsrv.client.Client;
-+import com.netscape.certsrv.client.PKIClient;
-+
-+/**
-+ * @author Ade Lee
-+ */
-+public class CAInfoClient extends Client {
-+
-+ public CAInfoResource resource;
-+
-+ public CAInfoClient(PKIClient client, String subsystem) throws URISyntaxException {
-+ super(client, subsystem, "info");
-+ init();
-+ }
-+
-+ public void init() throws URISyntaxException {
-+ resource = createProxy(CAInfoResource.class);
-+ }
-+
-+ public CAInfo getInfo() throws Exception {
-+ Response response = resource.getInfo();
-+ return client.getEntity(response, CAInfo.class);
-+ }
-+}
-+
-diff --git a/base/common/src/org/dogtagpki/common/CAInfoResource.java b/base/common/src/org/dogtagpki/common/CAInfoResource.java
-new file mode 100644
-index 0000000..6c18cd5
---- /dev/null
-+++ b/base/common/src/org/dogtagpki/common/CAInfoResource.java
-@@ -0,0 +1,37 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License. 
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2017 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package org.dogtagpki.common;
-+
-+import javax.ws.rs.GET;
-+import javax.ws.rs.Path;
-+import javax.ws.rs.core.Response;
-+
-+import org.jboss.resteasy.annotations.ClientResponseType;
-+
-+/**
-+ * @author Ade Lee
-+ */
-+@Path("info")
-+public interface CAInfoResource {
-+
-+ @GET
-+ @ClientResponseType(entityType=CAInfo.class)
-+ public Response getInfo() throws Exception;
-+}
-+
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
-new file mode 100644
-index 0000000..975ad61
---- /dev/null
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
-@@ -0,0 +1,64 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
-+//
-+// (C) 2017 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package org.dogtagpki.server.rest;
-+
-+import javax.servlet.http.HttpSession;
-+import javax.ws.rs.core.Response;
-+
-+import org.dogtagpki.common.CAInfo;
-+import org.dogtagpki.common.CAInfoResource;
-+import org.slf4j.Logger;
-+import org.slf4j.LoggerFactory;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.base.EBaseException;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.cms.servlet.base.PKIService;
-+
-+/**
-+ * @author Ade Lee
-+ */
-+public class CAInfoService extends PKIService implements CAInfoResource {
-+
-+ private static Logger logger = LoggerFactory.getLogger(InfoService.class);
-+
-+ @Override
-+ public Response getInfo() throws Exception {
-+
-+ HttpSession session = servletRequest.getSession();
-+ logger.debug("CAInfoService.getInfo(): session: " + session.getId());
-+
-+ CAInfo info = new CAInfo();
-+ String archivalMechanism = getArchivalMechanism();
-+
-+ if (archivalMechanism != null)
-+ info.setArchivalMechanism(getArchivalMechanism());
-+
-+ return createOKResponse(info);
-+ }
-+
-+ String getArchivalMechanism() throws EBaseException {
-+ IConfigStore cs = CMS.getConfigStore();
-+ boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
-+ if (!kra_present) return null;
-+
-+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
-+ return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
-+ }
-+}
---
-1.8.3.1
-
-
-From 2a73c978784d58b11375aa724cbd2c04607eafc1 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 12 Apr 2017 01:51:40 +0200
-Subject: [PATCH 40/59] Added audit event constants for SSL session. 
-
-Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
----
- .../src/com/netscape/certsrv/logging/AuditEvent.java | 14 ++++++++++----
- base/server/cms/src/com/netscape/cms/logging/LogFile.java | 4 +---
- .../src/org/dogtagpki/server/PKIServerSocketListener.java | 9 +++++----
- 3 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-index 8ae5cd6..b409a12 100644
---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-@@ -35,10 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
- */
- public class AuditEvent implements IBundleLogEvent {
-
-- /**
-- *
-- */
-+ public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
-+ public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS";
-+ public final static String ACCESS_SESSION_TERMINATED =
-+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED";
-+ public final static String AUDIT_LOG_SIGNING =
-+ "LOGGING_SIGNED_AUDIT_SIGNING_3";
-+
- private static final long serialVersionUID = -844306657733902324L;
-+ private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
-
- protected Object mParams[] = null;
-
-@@ -54,7 +61,6 @@ public class AuditEvent implements IBundleLogEvent {
- * The bundle name for this event. 
- */
- private String mBundleName = LogResources.class.getName();
-- private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
-
- /**
- * Constructs a message event
-diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
-index 9d19edd..fdf3f83 100644
---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
-+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
-@@ -104,8 +104,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
-
- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP =
- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
-- private final static String LOGGING_SIGNED_AUDIT_SIGNING =
-- "LOGGING_SIGNED_AUDIT_SIGNING_3";
- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN =
- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
- private final static String LOG_SIGNED_AUDIT_EXCEPTION =
-@@ -723,7 +721,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
- // so as to avoid infinite recursiveness of calling
- // the log() method
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SIGNING,
-+ AuditEvent.AUDIT_LOG_SIGNING,
- ILogger.SYSTEM_UID,
- ILogger.SUCCESS,
- base64Encode(sigBytes));
-diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
-index adba676..7016bc8 100644
---- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
-+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
-@@ -33,6 +33,7 @@ import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-
- import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.IAuditor;
-
- public class PKIServerSocketListener implements SSLSocketListener {
-@@ -66,7 +67,7 @@ public class 
PKIServerSocketListener implements SSLSocketListener {
- IAuditor auditor = CMS.getAuditor();
-
- String auditMessage = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
-+ AuditEvent.ACCESS_SESSION_TERMINATED,
- clientIP,
- serverIP,
- subjectID,
-@@ -108,7 +109,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
- if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
-
- String auditMessage = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
-+ AuditEvent.ACCESS_SESSION_TERMINATED,
- clientIP,
- serverIP,
- subjectID,
-@@ -119,7 +120,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
- } else {
-
- String auditMessage = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE",
-+ AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE,
- clientIP,
- serverIP,
- subjectID,
-@@ -157,7 +158,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
- IAuditor auditor = CMS.getAuditor();
-
- String auditMessage = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS",
-+ AuditEvent.ACCESS_SESSION_ESTABLISH_SUCCESS,
- clientIP,
- serverIP,
- subjectID);
---
-1.8.3.1
-
-
-From e22d0e99aa33bccc3e4041f5ed501fedf0dcae49 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 12 Apr 2017 02:28:31 +0200
-Subject: [PATCH 41/59] Added audit event constants for TPS.
-
-Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
----
- .../dogtagpki/server/ca/rest/AuthorityService.java | 7 +--
- .../com/netscape/certsrv/logging/AuditEvent.java | 51 ++++++++++++++++++++++
- .../cms/servlet/base/SubsystemService.java | 3 +-
- .../server/tps/processor/TPSEnrollProcessor.java | 15 +++++-----
- .../server/tps/processor/TPSPinResetProcessor.java | 5 ++-
- .../server/tps/processor/TPSProcessor.java | 23 ++++++------
- .../server/tps/rest/AuthenticatorService.java | 3 +-
- .../server/tps/rest/ConnectorService.java | 3 +-
- .../server/tps/rest/ProfileMappingService.java | 3 +-
- .../dogtagpki/server/tps/rest/ProfileService.java | 3 +-
- .../dogtagpki/server/tps/rest/TokenService.java | 5 ++-
- 11 files changed, 86 insertions(+), 35 deletions(-)
-
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-index 215d0fa..7ba9596 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-@@ -55,6 +55,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.ca.IssuerUnavailableException;
- import com.netscape.certsrv.common.OpDef;
- import com.netscape.certsrv.common.ScopeDef;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.cms.servlet.base.SubsystemService;
- import com.netscape.cmsutil.util.Utils;
-@@ -70,10 +71,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
- hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
- }
-
-- private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
-- "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
--
--
- @Override
- public Response listCAs() {
- List results = new ArrayList<>();
-@@ -373,7 +370,7 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
- String status, 
String op, String id,
- Map params) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG,
-+ AuditEvent.AUTHORITY_CONFIG,
- auditor.getSubjectID(),
- status,
- auditor.getParamString(ScopeDef.SC_AUTHORITY, op, id, params));
-diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-index b409a12..abe16b6 100644
---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-@@ -35,6 +35,57 @@ import com.netscape.certsrv.base.MessageFormatter;
- */
- public class AuditEvent implements IBundleLogEvent {
-
-+ public final static String TOKEN_CERT_ENROLLMENT =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
-+ public final static String TOKEN_CERT_RENEWAL =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
-+ public final static String TOKEN_CERT_RETRIEVAL =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
-+ public final static String TOKEN_KEY_RECOVERY =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10";
-+ public final static String TOKEN_CERT_STATUS_CHANGE_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
-+ public final static String TOKEN_PIN_RESET_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
-+ public final static String TOKEN_PIN_RESET_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
-+ public final static String TOKEN_OP_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
-+ public final static String TOKEN_FORMAT_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
-+ public final static String TOKEN_FORMAT_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
-+ public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
-+ public final static String TOKEN_APPLET_UPGRADE_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
-+ public final 
static String TOKEN_KEY_CHANGEOVER_REQUIRED =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
-+ public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
-+ public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
-+ public final static String TOKEN_AUTH_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
-+ public final static String TOKEN_AUTH_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
-+ public final static String CONFIG_TOKEN_GENERAL =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5";
-+ public final static String CONFIG_TOKEN_PROFILE =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6";
-+ public final static String CONFIG_TOKEN_MAPPING_RESOLVER =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6";
-+ public final static String CONFIG_TOKEN_AUTHENTICATOR =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6";
-+ public final static String CONFIG_TOKEN_CONNECTOR =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6";
-+ public final static String CONFIG_TOKEN_RECORD =
-+ "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6";
-+ public final static String TOKEN_STATE_CHANGE =
-+ "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8";
-+ public final static String AUTHORITY_CONFIG =
-+ "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
-+
- public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
- "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
- public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
-index 48c985c..30d6b9c 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
-@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
-
- import 
com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.authorization.IAuthzSubsystem;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.IAuditor;
- import com.netscape.certsrv.logging.ILogger;
-
-@@ -94,7 +95,7 @@ public class SubsystemService extends PKIService {
- public void auditConfigTokenGeneral(String status, String service, Map params, String info) {
-
- String msg = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5",
-+ AuditEvent.CONFIG_TOKEN_GENERAL,
- servletRequest.getUserPrincipal().getName(),
- status,
- service,
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-index 672f53d..118bf50 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-@@ -15,12 +15,6 @@ import java.util.Map;
- import java.util.Random;
- import java.util.zip.DataFormatException;
-
--import netscape.security.provider.RSAPublicKey;
--//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
--import netscape.security.util.BigInt;
--import netscape.security.x509.RevocationReason;
--import netscape.security.x509.X509CertImpl;
--
- import org.dogtagpki.server.tps.TPSSession;
- import org.dogtagpki.server.tps.TPSSubsystem;
- import org.dogtagpki.server.tps.TPSTokenPolicy;
-@@ -59,20 +60,21 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
- import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
- import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
-
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.EPropertyNotFound;
- import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cmsutil.util.Utils;
-
- import 
netscape.security.provider.RSAPublicKey;
- //import org.mozilla.jss.pkcs11.PK11ECPublicKey;
- import netscape.security.util.BigInt;
- import netscape.security.x509.RevocationReason;
- import netscape.security.x509.X509CertImpl;
- import sun.security.pkcs11.wrapper.PKCS11Constants;
-
- public class TPSEnrollProcessor extends TPSProcessor {
-
- public TPSEnrollProcessor(TPSSession session) {
-@@ -3688,13 +3688,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
- String auditType = "";
- switch (op) {
- case "retrieval":
-- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
-+ auditType = AuditEvent.TOKEN_CERT_RETRIEVAL;
- break;
- case "renewal":
-- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
-+ auditType = AuditEvent.TOKEN_CERT_RENEWAL;
- break;
- default:
-- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
-+ auditType = AuditEvent.TOKEN_CERT_ENROLLMENT;
- }
-
- String auditMessage = CMS.getLogMessage(
-@@ -3724,7 +3724,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
- serialNum = serial.toString();
-
- String auditMessage = CMS.getLogMessage(
-- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10",
-+ AuditEvent.TOKEN_KEY_RECOVERY,
- (session != null) ? 
session.getIpAddress() : null,
- subjectID,
- aInfo.getCUIDhexStringPlain(),
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
-index fe3f801..b309657 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
-@@ -33,6 +33,7 @@ import org.dogtagpki.tps.msg.BeginOpMsg;
- import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
-
- import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.tps.token.TokenStatus;
-
- public class TPSPinResetProcessor extends TPSProcessor {
-@@ -197,10 +198,10 @@ public class TPSPinResetProcessor extends TPSProcessor {
- String auditType = "";
- switch (status) {
- case "success":
-- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
-+ auditType = AuditEvent.TOKEN_PIN_RESET_SUCCESS;
- break;
- default:
-- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
-+ auditType = AuditEvent.TOKEN_PIN_RESET_FAILURE;
- }
-
- String auditMessage = CMS.getLogMessage(
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index 7d17f36..910a263 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -93,14 +93,15 @@ import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.EPropertyNotFound;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.common.Constants;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cms.servlet.tks.SecureChannelProtocol;
- import 
com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.symkey.SessionKey; - - import netscape.security.x509.RevocationReason; - - public class TPSProcessor { - - public static final int RESULT_NO_ERROR = 0; -@@ -4054,9 +4055,9 @@ public class TPSProcessor { - String status, - String authMgrId) { - -- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9"; -+ String auditType = AuditEvent.TOKEN_AUTH_FAILURE; - if (status.equals("success")) -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9"; -+ auditType = AuditEvent.TOKEN_AUTH_SUCCESS; - - String auditMessage = CMS.getLogMessage( - auditType, -@@ -4078,7 +4079,7 @@ public class TPSProcessor { - protected void auditOpRequest(String op, AppletInfo aInfo, - String status, - String info) { -- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6"; -+ String auditType = AuditEvent.TOKEN_OP_REQUEST; - - String auditMessage = CMS.getLogMessage( - auditType, -@@ -4100,10 +4101,10 @@ public class TPSProcessor { - String auditType = ""; - switch (status) { - case "success": -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9"; -+ auditType = AuditEvent.TOKEN_FORMAT_SUCCESS; - break; - default: -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; -+ auditType = AuditEvent.TOKEN_FORMAT_FAILURE; - } - - String auditMessage = CMS.getLogMessage( -@@ -4129,10 +4130,10 @@ public class TPSProcessor { - String auditType = ""; - switch (status) { - case "success": -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9"; -+ auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS; - break; - default: -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9"; -+ auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE; - } - - String auditMessage = CMS.getLogMessage( -@@ -4154,7 +4155,7 @@ public class TPSProcessor { - String newKeyVersion, - String info) { - -- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; -+ String auditType = 
AuditEvent.TOKEN_KEY_CHANGEOVER_REQUIRED; - - String auditMessage = CMS.getLogMessage( - auditType, -@@ -4180,10 +4181,10 @@ public class TPSProcessor { - String auditType = ""; - switch (status) { - case "success": -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10"; -+ auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS; - break; - default: -- auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10"; -+ auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE; - } - - String auditMessage = CMS.getLogMessage( -@@ -4212,7 +4213,7 @@ public class TPSProcessor { - String caConnId, - String info) { - -- String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10"; -+ String auditType = AuditEvent.TOKEN_CERT_STATUS_CHANGE_REQUEST; - /* - * requestType is "revoke", "on-hold", or "off-hold" - */ -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -index 50453ee..6efe4cb 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.common.Constants; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.tps.authenticator.AuthenticatorCollection; - import com.netscape.certsrv.tps.authenticator.AuthenticatorData; -@@ -474,7 +475,7 @@ public class AuthenticatorService extends SubsystemService implements Authentica - Map params, String info) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6", -+ AuditEvent.CONFIG_TOKEN_AUTHENTICATOR, - servletRequest.getUserPrincipal().getName(), - status, - service, -diff --git 
a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -index 01bc132..3e1e5df 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.common.Constants; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.tps.connector.ConnectorCollection; - import com.netscape.certsrv.tps.connector.ConnectorData; -@@ -471,7 +472,7 @@ public class ConnectorService extends SubsystemService implements ConnectorResou - String info) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6", -+ AuditEvent.CONFIG_TOKEN_CONNECTOR, - servletRequest.getUserPrincipal().getName(), - status, - service, -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -index 2c070c0..9bbb616 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.common.Constants; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.tps.profile.ProfileMappingCollection; - import com.netscape.certsrv.tps.profile.ProfileMappingData; -@@ -448,7 +449,7 @@ public class ProfileMappingService extends SubsystemService implements ProfileMa - public void 
auditMappingResolverChange(String status, String service, String resolverID, Map params, - String info) { - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6", -+ AuditEvent.CONFIG_TOKEN_MAPPING_RESOLVER, - servletRequest.getUserPrincipal().getName(), - status, - service, -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -index 8058caf..43e14be 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.common.Constants; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.tps.profile.ProfileCollection; - import com.netscape.certsrv.tps.profile.ProfileData; -@@ -470,7 +471,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - String info) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6", -+ AuditEvent.CONFIG_TOKEN_PROFILE, - servletRequest.getUserPrincipal().getName(), - status, - service, -diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -index f3d0d80..73d0a64 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java -@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.dbs.EDBException; - import com.netscape.certsrv.dbs.IDBVirtualList; - import com.netscape.certsrv.ldap.LDAPExceptionConverter; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - 
import com.netscape.certsrv.tps.token.TokenCollection; - import com.netscape.certsrv.tps.token.TokenData; -@@ -814,7 +815,7 @@ public class TokenService extends SubsystemService implements TokenResource { - String info) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6", -+ AuditEvent.CONFIG_TOKEN_RECORD, - servletRequest.getUserPrincipal().getName(), - status, - service, -@@ -832,7 +833,7 @@ public class TokenService extends SubsystemService implements TokenResource { - String newReason, Map params, String info) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8", -+ AuditEvent.TOKEN_STATE_CHANGE, - servletRequest.getUserPrincipal().getName(), - status, - oldState.toString(), --- -1.8.3.1 - - -From d2838897eb2ef43f538a1c57e6195292237aa28c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 02:46:49 +0200 -Subject: [PATCH 42/59] Reorganized audit event constants for KRA. - -Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 28 ++++++++++++++++++++++ - .../src/com/netscape/kra/AsymKeyGenService.java | 5 ++-- - .../com/netscape/kra/SecurityDataProcessor.java | 12 +++------- - .../kra/src/com/netscape/kra/SymKeyGenService.java | 6 ++--- - .../server/kra/rest/KeyRequestService.java | 26 +++++--------------- - .../org/dogtagpki/server/kra/rest/KeyService.java | 10 +++----- - .../servlet/csadmin/SecurityDomainProcessor.java | 8 +++---- - .../cms/servlet/csadmin/UpdateDomainXML.java | 7 +++--- - .../cms/servlet/csadmin/UpdateNumberRange.java | 9 ++++--- - .../com/netscape/cmscore/session/SessionTimer.java | 6 ++--- - 10 files changed, 56 insertions(+), 61 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index abe16b6..dc632c3 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ 
b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -35,6 +35,34 @@ import com.netscape.certsrv.base.MessageFormatter; - */ - public class AuditEvent implements IBundleLogEvent { - -+ public final static String SECURITY_DOMAIN_UPDATE = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1"; -+ public final static String CONFIG_SERIAL_NUMBER = -+ "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; -+ -+ public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; -+ public static final String SECURITY_DATA_ARCHIVAL_REQUEST = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; -+ public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; -+ public static final String SECURITY_DATA_RECOVERY_REQUEST = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; -+ public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; -+ public final static String SECURITY_DATA_RETRIEVE_KEY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; -+ public final static String KEY_STATUS_CHANGE = -+ "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; -+ public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6"; -+ public static final String SYMKEY_GENERATION_REQUEST = -+ "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; -+ public static final String ASYMKEY_GENERATION_REQUEST = -+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4"; -+ public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; -+ - public final static String TOKEN_CERT_ENROLLMENT = - "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; - public final static String TOKEN_CERT_RENEWAL = -diff --git 
a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index a731fb1..75e340c 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -35,6 +35,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.key.AsymKeyGenerationRequest; - import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ -63,8 +64,6 @@ public class AsymKeyGenService implements IService { - private IKeyRecoveryAuthority kra = null; - private IStorageKeyUnit storageUnit = null; - private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; - - public AsymKeyGenService(IKeyRecoveryAuthority kra) { - this.kra = kra; -@@ -233,7 +232,7 @@ public class AsymKeyGenService implements IService { - String clientKeyID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED, -+ AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED, - subjectID, - status, - requestID.toString(), -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 3475eae..78d64c5 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -38,6 +38,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; 
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.profile.IEnrollProfile;
- import com.netscape.certsrv.request.IRequest;
-@@ -65,13 +66,6 @@ public class SecurityDataProcessor {
- private static boolean allowEncDecrypt_archival = false;
- private static boolean allowEncDecrypt_recovery = false;
- 
-- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
--
-- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
--
--
- public SecurityDataProcessor(IKeyRecoveryAuthority kra) {
- this.kra = kra;
- transportUnit = kra.getTransportKeyUnit();
-@@ -779,7 +773,7 @@ public class SecurityDataProcessor {
- private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
- String keyID, String reason) {
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
-+ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
- subjectID,
- status,
- requestID.toString(),
-@@ -791,7 +785,7 @@ public class SecurityDataProcessor {
- private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
- String keyID, String reason) {
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
-+ AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
- subjectID,
- status,
- requestID.toString(),
-diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
-index 9c50eb3..f700a79 100644
---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
-+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
-@@ -34,6 +34,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
- import com.netscape.certsrv.key.KeyRequestResource;
- import com.netscape.certsrv.key.SymKeyGenerationRequest;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.request.IRequest;
- import com.netscape.certsrv.request.IService;
-@@ -60,9 +61,6 @@ public class SymKeyGenService implements IService {
- private IStorageKeyUnit mStorageUnit = null;
- private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
- 
-- private final static String LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED =
-- "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
--
- public SymKeyGenService(IKeyRecoveryAuthority kra) {
- mKRA = kra;
- mStorageUnit = kra.getStorageKeyUnit();
-@@ -252,7 +250,7 @@ public class SymKeyGenService implements IService {
- private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
- String keyID, String reason) {
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED,
-+ AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED,
- subjectID,
- status,
- requestID.toString(),
-diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
-index e0c4ca9..38f7e93 100644
---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
-+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
-@@ -48,6 +48,7 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection;
- import com.netscape.certsrv.key.KeyRequestResource;
- import com.netscape.certsrv.key.KeyRequestResponse;
- import com.netscape.certsrv.key.SymKeyGenerationRequest;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.request.RequestId;
- import com.netscape.certsrv.request.RequestNotFoundException;
-@@ -62,21 +63,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
- */
- public class KeyRequestService extends SubsystemService implements KeyRequestResource {
- 
-- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
--
-- private static final String LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST =
-- "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
--
-- private static final String LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST =
-- "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
--
-- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
--
-- private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
--
- public static final int DEFAULT_START = 0;
- public static final int DEFAULT_PAGESIZE = 20;
- public static final int DEFAULT_MAXRESULTS = 100;
-@@ -349,7 +335,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
- 
- public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
-+ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
- getRequestor(),
- status,
- requestId.toString(),
-@@ -359,7 +345,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
- 
- public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST,
-+ AuditEvent.SECURITY_DATA_RECOVERY_REQUEST,
- getRequestor(),
- status,
- requestId != null? requestId.toString(): "null",
-@@ -369,7 +355,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
- 
- public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST,
-+ AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST,
- getRequestor(),
- status,
- requestId != null? requestId.toString(): "null",
-@@ -379,7 +365,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
- 
- public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST,
-+ AuditEvent.SYMKEY_GENERATION_REQUEST,
- getRequestor(),
- status,
- requestId != null ? requestId.toString() : "null",
-@@ -389,7 +375,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
- 
- public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST,
-+ AuditEvent.ASYMKEY_GENERATION_REQUEST,
- getRequestor(),
- status,
- requestId != null ? requestId.toString() : "null",
-diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-index e15b263..7a21971 100644
---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-@@ -60,6 +60,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
- import com.netscape.certsrv.key.KeyResource;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
- import com.netscape.certsrv.kra.IKeyService;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.request.IRequest;
- import com.netscape.certsrv.request.IRequestQueue;
-@@ -77,11 +78,6 @@ import com.netscape.cmsutil.util.Utils;
- */
- public class KeyService extends SubsystemService implements KeyResource {
- 
-- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
-- private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE =
-- "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
--
- public static final int DEFAULT_MAXRESULTS = 100;
- public static final int DEFAULT_MAXTIME = 10;
- public static final String ATTR_SERIALNO = "serialNumber";
-@@ -606,7 +602,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- 
- public void auditRetrieveKey(String status, String reason) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY,
-+ AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
- servletRequest.getUserPrincipal().getName(),
- status,
- requestId != null ? requestId.toString(): "null",
-@@ -628,7 +624,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus,
- String newKeyStatus, String info) {
- String msg = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE,
-+ AuditEvent.KEY_STATUS_CHANGE,
- servletRequest.getUserPrincipal().getName(),
- status,
- keyID,
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-index 3a2b694..69e76fc 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
- import com.netscape.certsrv.base.PKIException;
- import com.netscape.certsrv.base.UnauthorizedException;
- import com.netscape.certsrv.ldap.ILdapConnFactory;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.system.DomainInfo;
- import com.netscape.certsrv.system.InstallToken;
-@@ -64,9 +65,6 @@ import netscape.ldap.LDAPSearchResults;
- */
- public class SecurityDomainProcessor extends CAProcessor {
- 
-- public final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
--
- public final static String[] TYPES = { "CA", "KRA", "OCSP", "TKS", "RA", "TPS" };
- 
- Random random = new Random();
-@@ -128,7 +126,7 @@ public class SecurityDomainProcessor extends CAProcessor {
- 
- if (status == ISecurityDomainSessionTable.SUCCESS) {
- message = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
-+ AuditEvent.SECURITY_DOMAIN_UPDATE,
- user,
- ILogger.SUCCESS,
- auditParams);
-@@ -136,7 +134,7 @@ public class SecurityDomainProcessor extends CAProcessor {
- 
- } else {
- message = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
-+ AuditEvent.SECURITY_DOMAIN_UPDATE,
- user,
- ILogger.FAILURE,
- auditParams);
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
-index 1a23823..bed4357 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
-@@ -47,6 +47,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.ldap.ILdapConnFactory;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.cms.servlet.base.CMSServlet;
- import com.netscape.cms.servlet.base.UserInfo;
-@@ -62,8 +63,6 @@ public class UpdateDomainXML extends CMSServlet {
- private static final long serialVersionUID = 4059169588555717548L;
- private final static String SUCCESS = "0";
- private final static String FAILED = "1";
-- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
- 
-@@ -501,14 +500,14 @@ public class UpdateDomainXML extends CMSServlet {
- 
- if (status.equals(SUCCESS)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
-+ AuditEvent.SECURITY_DOMAIN_UPDATE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams);
- } else {
- // what if already exists or already deleted
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
-+ AuditEvent.SECURITY_DOMAIN_UPDATE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams);
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-index e068bd4..2586da2 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-@@ -37,6 +37,7 @@ import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.dbs.repository.IRepository;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.cms.servlet.base.CMSServlet;
- import com.netscape.cms.servlet.base.UserInfo;
-@@ -52,8 +53,6 @@ public class UpdateNumberRange extends CMSServlet {
- private static final long serialVersionUID = -1584171713024263331L;
- private final static String SUCCESS = "0";
- private final static String AUTH_FAILURE = "2";
-- private final static String LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER =
-- "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
- 
- public UpdateNumberRange() {
- super();
-@@ -208,7 +207,7 @@ public class UpdateNumberRange extends CMSServlet {
- CMS.debug("UpdateNumberRange::process() - " +
- "beginNum is null!");
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
-+ AuditEvent.CONFIG_SERIAL_NUMBER,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams);
-@@ -240,7 +239,7 @@ public class UpdateNumberRange extends CMSServlet {
- "+endNumber;;" + endNum.toString(radix);
- 
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
-+ AuditEvent.CONFIG_SERIAL_NUMBER,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams);
-@@ -251,7 +250,7 @@ public class UpdateNumberRange extends CMSServlet {
- CMS.debug(e);
- 
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
-+ AuditEvent.CONFIG_SERIAL_NUMBER,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams);
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
-index 0f79fc4..c6db131 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
-@@ -23,14 +23,12 @@ import java.util.TimerTask;
- 
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.ISecurityDomainSessionTable;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- 
- public class SessionTimer extends TimerTask {
- private ISecurityDomainSessionTable m_sessiontable = null;
- private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-- private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
--
- public SessionTimer(ISecurityDomainSessionTable table) {
- super();
- m_sessiontable = table;
-@@ -61,7 +59,7 @@ public class SessionTimer extends TimerTask {
- // audit message
- String auditParams = "operation;;expire_token+token;;" + sessionId;
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
-+ AuditEvent.SECURITY_DOMAIN_UPDATE,
- "system",
- ILogger.SUCCESS,
- auditParams);
--- 
-1.8.3.1
-
-
-From f0eedf609ef2042915556738dafba0fa9d8da6cc Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 12 Apr 2017 03:11:51 +0200
-Subject: [PATCH 43/59] Reorganized audit event constants for TKS.
-
-Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
----
- .../com/netscape/certsrv/logging/AuditEvent.java | 25 ++++++++
- .../com/netscape/cms/servlet/tks/TokenServlet.java | 73 ++++++----------
- 2 files changed, 44 insertions(+), 54 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-index dc632c3..8abb9a5 100644
---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-@@ -35,6 +35,31 @@ import com.netscape.certsrv.base.MessageFormatter;
- */
- public class AuditEvent implements IBundleLogEvent {
- 
-+ public final static String COMPUTE_RANDOM_DATA_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
-+ public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
-+ public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
-+ public final static String COMPUTE_SESSION_KEY_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
-+ public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-+ public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-+ public final static String DIVERSIFY_KEY_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
-+ public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-+ public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-+ public final static String ENCRYPT_DATA_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
-+ public final static String ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
-+ public final static String ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
-+
- public final static String SECURITY_DOMAIN_UPDATE =
- "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
- public final static String CONFIG_SERIAL_NUMBER =
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-index 6a17466..3915b73 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.base.IPrettyPrintFormat;
- import com.netscape.certsrv.base.SessionContext;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.cms.servlet.base.CMSServlet;
- import com.netscape.cms.servlet.common.CMSRequest;
-@@ -75,42 +76,6 @@ public class TokenServlet extends CMSServlet {
- String mCurrentUID = null;
- IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
- 
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
-- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
--
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
-- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
--
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
-- "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
--
-- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST =
-- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
--
-- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
-- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
--
-- private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
-- "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
--
-- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST =
-- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID.
--
-- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
-- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
--
-- private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
-- "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
--
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST =
-- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
--
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
-- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
--
-- private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
-- "LOGGING_SIGNED_A
UDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
--
- // Derivation Constants for SCP02
- public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
- public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
-@@ -404,7 +369,7 @@ public class TokenServlet extends CMSServlet {
- }
- 
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
-+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
- rCUID,
- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
- ILogger.SUCCESS,
-@@ -834,7 +799,7 @@ public class TokenServlet extends CMSServlet {
- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
- logParams);
- 
- } else {
-@@ -854,7 +819,7 @@ public class TokenServlet extends CMSServlet {
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
- errorMsg // Error
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
- logParams);
- }
- 
-@@ -922,7 +887,7 @@ public class TokenServlet extends CMSServlet {
- 
- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
-+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
- rCUID,
- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
- ILogger.SUCCESS,
-@@ -1492,7 +1457,7 @@ public class TokenServlet extends CMSServlet {
- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
- logParams);
- 
- } else {
-@@ -1514,7 +1479,7 @@ public class TokenServlet extends CMSServlet {
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
- errorMsg // Error
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
- logParams);
- 
- }
-@@ -1635,7 +1600,7 @@ public class TokenServlet extends CMSServlet {
- 
- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST,
-+ AuditEvent.DIVERSIFY_KEY_REQUEST,
- rCUID,
- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
- ILogger.SUCCESS,
-@@ -1924,7 +1889,7 @@ public class TokenServlet extends CMSServlet {
- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
-+ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
- } else {
- // AC: KDF SPEC CHANGE - Log both CUID and KDD
- // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-@@ -1946,7 +1911,7 @@ public class TokenServlet extends CMSServlet {
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
- errorMsg // Error
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
-+ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
- }
- 
- audit(auditMessage);
-@@ -2011,7 +1976,7 @@ public class TokenServlet extends CMSServlet {
- 
- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST,
-+ AuditEvent.ENCRYPT_DATA_REQUEST,
- rCUID,
- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
- ILogger.SUCCESS,
-@@ -2262,7 +2227,7 @@ public class TokenServlet extends CMSServlet {
- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
-+ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
- } else {
- // AC: KDF SPEC CHANGE - Log both CUID and KDD
- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-@@ -2281,7 +2246,7 @@ public class TokenServlet extends CMSServlet {
- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
- errorMsg // Error
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
-+ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
- }
- 
- audit(auditMessage);
-@@ -2344,7 +2309,7 @@ public class TokenServlet extends CMSServlet {
- CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
- 
- String auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST,
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
- ILogger.SUCCESS,
- agentId);
- 
-@@ -2403,13 +2368,13 @@ public class TokenServlet extends CMSServlet {
- 
- if (status.equals("0")) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
- ILogger.SUCCESS,
- status,
- agentId);
- } else {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
- ILogger.FAILURE,
- status,
- agentId,
-@@ -2533,7 +2498,7 @@ public class TokenServlet extends CMSServlet {
- }
- 
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
-+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
- rCUID,
- rKDD,
- ILogger.SUCCESS,
-@@ -2956,7 +2921,7 @@ public class TokenServlet extends CMSServlet {
- keySet, // TKSKeyset
- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
- logParams);
- 
- } else {
-@@ -2973,7 +2938,7 @@ public class TokenServlet extends CMSServlet {
- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
- errorMsg // Error
- };
-- auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
- logParams);
- 
- }
--- 
-1.8.3.1
-
-
-From e770f3a4ff34c27bc698d47aedc518a7ae6b31f9 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 12 Apr 2017 03:54:29 +0200
-Subject: [PATCH 44/59] Reorganized audit event constants for OCSP.
-
-Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
----
- .../com/netscape/certsrv/logging/AuditEvent.java | 17 ++++++++++++
- .../com/netscape/cms/authentication/CMCAuth.java | 25 +++++++++---------
- .../netscape/cms/servlet/ocsp/AddCAServlet.java | 22 +++++++---------
- .../netscape/cms/servlet/ocsp/AddCRLServlet.java | 30 ++++++++++------------
- .../netscape/cms/servlet/ocsp/RemoveCAServlet.java | 17 ++++--------
- 5 files changed, 56 insertions(+), 55 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-index 8abb9a5..bc892a9 100644
---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-@@ -35,6 +35,23 @@ import com.netscape.certsrv.base.MessageFormatter;
- */
- public class AuditEvent implements IBundleLogEvent {
- 
-+ public final static String CRL_RETRIEVAL =
-+ "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
-+ public final static String CRL_VALIDATION =
-+ "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
-+ public final static String OCSP_ADD_CA_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
-+ public final static String OCSP_ADD_CA_REQUEST_PROCESSED =
-+ "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
-+ public final static String OCSP_REMOVE_CA_REQUEST =
-+ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
-+ public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
-+ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
-+ public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
-+ "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
-+ public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
-+ "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
-+
- public final static String COMPUTE_RANDOM_DATA_REQUEST =
- "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
- public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-index 8523189..02aceb4 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.base.IExtendedPluginInfo;
- import com.netscape.certsrv.base.SessionContext;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.profile.EProfileException;
- import com.netscape.certsrv.profile.IProfile;
-@@ -181,8 +182,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- "enrollment";
- private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
- "revocation";
-- private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY =
-- "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
- 
- /////////////////////
- // default methods //
-@@ -266,7 +265,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -285,7 +284,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -334,7 +333,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- !cmcReq.hasContent()) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -380,7 +379,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- !ci.hasContent()) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -561,7 +560,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -615,7 +614,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -640,7 +639,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -656,7 +655,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditReqType,
-@@ -669,7 +668,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (EMissingCredential eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -683,7 +682,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (EInvalidCredentials eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-@@ -697,7 +696,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- } catch (EBaseException eAudit3) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
-index f19a9d6..0088e92 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
-@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IArgBlock;
- import com.netscape.certsrv.common.ICMSRequest;
- import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.AuditFormat;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.ocsp.IDefStore;
-@@ -69,11 +70,6 @@ public class AddCAServlet extends CMSServlet {
- private String mFormPath = null;
- private IOCSPAuthority mOCSPAuthority = null;
- 
-- private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST =
-- "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
-- private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED =
-- "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
--
- public AddCAServlet() {
- super();
- }
-@@ -162,7 +158,7 @@ public class AddCAServlet extends CMSServlet {
- 
- if (b64 == null) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
-+ AuditEvent.OCSP_ADD_CA_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- ILogger.SIGNED_AUDIT_EMPTY_VALUE);
-@@ -175,7 +171,7 @@ public class AddCAServlet extends CMSServlet {
- auditCA = Cert.normalizeCertStr(Cert.stripCertBrackets(b64.trim()));
- // record the fact that a request to add CA is made
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
-+ AuditEvent.OCSP_ADD_CA_REQUEST,
- auditSubjectID,
- ILogger.SUCCESS,
- auditCA);
-@@ -184,7 +180,7 @@ public class AddCAServlet extends CMSServlet {
- 
- if (b64.indexOf(BEGIN_HEADER) == -1) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
-+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditCASubjectDN);
-@@ -195,7 +191,7 @@ public class AddCAServlet extends CMSServlet {
- }
- if (b64.indexOf(END_HEADER) == -1) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
-+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditCASubjectDN);
-@@ -216,7 +212,7 @@ public class AddCAServlet extends CMSServlet {
- if (cert == null) {
- CMS.debug("AddCAServlet::process() - cert is null!");
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
-+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditCASubjectDN);
-@@ -245,7 +241,7 @@ public class AddCAServlet extends CMSServlet {
- auditCASubjectDN = leafCert.getSubjectDN().getName();
- }
catch (Exception e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, -+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditCASubjectDN); -@@ -270,7 +266,7 @@ public class AddCAServlet extends CMSServlet { - rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded()); - } catch (Exception e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, -+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditCASubjectDN); -@@ -282,7 +278,7 @@ public class AddCAServlet extends CMSServlet { - defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec); - log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName()); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED, -+ AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditCASubjectDN); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java -index 386ce93..5b4f624 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java -@@ -40,6 +40,7 @@ import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; - import com.netscape.certsrv.dbs.repository.IRepositoryRecord; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.ocsp.IDefStore; -@@ -77,11 +78,6 @@ public class AddCRLServlet extends CMSServlet { - private String mFormPath = null; - private IOCSPAuthority mOCSPAuthority = null; - -- private final static String 
LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL = -- "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; -- private final static String LOGGING_SIGNED_AUDIT_CRL_VALIDATION = -- "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2"; -- - public AddCRLServlet() { - super(); - } -@@ -153,7 +149,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -181,7 +177,7 @@ public class AddCRLServlet extends CMSServlet { - if (b64 == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -216,7 +212,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -237,7 +233,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -253,7 +249,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -290,7 +286,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.SUCCESS, - auditCRLNum); -@@ -304,7 +300,7 @@ public class AddCRLServlet extends CMSServlet { - - 
// store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -329,7 +325,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, -+ AuditEvent.CRL_VALIDATION, - auditSubjectID, - ILogger.FAILURE); - -@@ -383,7 +379,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, -+ AuditEvent.CRL_VALIDATION, - auditSubjectID, - ILogger.SUCCESS); - -@@ -400,7 +396,7 @@ public class AddCRLServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, -+ AuditEvent.CRL_VALIDATION, - auditSubjectID, - ILogger.FAILURE); - -@@ -547,7 +543,7 @@ public class AddCRLServlet extends CMSServlet { - if (!CRLFetched) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL, -+ AuditEvent.CRL_RETRIEVAL, - auditSubjectID, - ILogger.FAILURE, - auditCRLNum); -@@ -557,7 +553,7 @@ public class AddCRLServlet extends CMSServlet { - if (!CRLValidated) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CRL_VALIDATION, -+ AuditEvent.CRL_VALIDATION, - auditSubjectID, - ILogger.FAILURE); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java -index 55f688a..b6352a1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java -@@ -32,6 +32,7 @@ import 
com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.ocsp.IDefStore; - import com.netscape.certsrv.ocsp.IOCSPAuthority; -@@ -56,14 +57,6 @@ public class RemoveCAServlet extends CMSServlet { - private String mFormPath = null; - private IOCSPAuthority mOCSPAuthority = null; - -- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST = -- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3"; -- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3"; -- -- private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3"; -- - public RemoveCAServlet() { - super(); - } -@@ -151,7 +144,7 @@ public class RemoveCAServlet extends CMSServlet { - - if (caID == null) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, - auditSubjectID, - ILogger.FAILURE, - ILogger.SIGNED_AUDIT_EMPTY_VALUE); -@@ -160,7 +153,7 @@ public class RemoveCAServlet extends CMSServlet { - } - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST, -+ AuditEvent.OCSP_REMOVE_CA_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - caID); -@@ -175,7 +168,7 @@ public class RemoveCAServlet extends CMSServlet { - } catch (EBaseException e) { - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE, - auditSubjectID, - ILogger.FAILURE, - caID); -@@ -188,7 +181,7 @@ public class RemoveCAServlet extends 
CMSServlet { - CMS.debug("RemoveCAServlet::process: CRL IssuingPoint for CA successfully removed: " + caID); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS, -+ AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - caID); --- -1.8.3.1 - - -From 0afe49b7b758d46f8bc0ca87cf2124e90084ebce Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 04:13:14 +0200 -Subject: [PATCH 45/59] Reorganized audit event constants for authentication. - -Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049 ---- - .../dogtagpki/server/ca/rest/ProfileService.java | 5 +-- - .../com/netscape/certsrv/logging/AuditEvent.java | 19 ++++++++++ - .../netscape/cms/profile/common/EnrollProfile.java | 8 ++-- - .../netscape/cms/profile/input/EnrollInput.java | 8 ++-- - .../cms/src/com/netscape/cms/realm/PKIRealm.java | 14 +++---- - .../netscape/cms/servlet/admin/AdminServlet.java | 43 +++++++++------------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 27 +++++--------- - .../cms/servlet/connector/ConnectorServlet.java | 19 +++++----- - .../cms/servlet/processors/CAProcessor.java | 31 ++++++---------- - .../cms/servlet/processors/CRMFProcessor.java | 12 +++--- - .../cms/servlet/profile/ProfileApproveServlet.java | 21 +++++------ - .../org/dogtagpki/server/rest/ACLInterceptor.java | 24 +++++------- - 12 files changed, 106 insertions(+), 125 deletions(-) - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -index 694fb92..eae68ef 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.UnauthorizedException; - import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; -+import 
com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IProfile; -@@ -89,8 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource - private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID); - private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); - -- private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL = -- "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; - private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE = - "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3"; - -@@ -1189,7 +1188,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - - public void auditProfileChangeState(String profileId, String op, String status) { - String msg = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditor.getSubjectID(), - status, - profileId, -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index bc892a9..82cb77f 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -35,6 +35,25 @@ import com.netscape.certsrv.base.MessageFormatter; - */ - public class AuditEvent implements IBundleLogEvent { - -+ public final static String AUTHZ_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; -+ public final static String AUTHZ_SUCCESS_INFO = -+ "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5"; -+ public final static String AUTHZ_FAIL = -+ "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; -+ public final static String AUTHZ_FAIL_INFO = -+ "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5"; -+ public final static String INTER_BOUNDARY = -+ "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; -+ public final 
static String AUTH_FAIL = -+ "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; -+ public final static String AUTH_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; -+ public final static String CERT_PROFILE_APPROVAL = -+ "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; -+ public final static String PROOF_OF_POSSESSION = -+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; -+ - public final static String CRL_RETRIEVAL = - "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; - public final static String CRL_VALIDATION = -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index f4a59d2..0ec3c94 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -76,6 +76,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.EPropertyNotFound; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; -@@ -121,9 +122,6 @@ public abstract class EnrollProfile extends BasicProfile - - private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = -- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; -- - private PKIData mCMCData; - - public EnrollProfile() { -@@ -2073,7 +2071,7 @@ public abstract class EnrollProfile extends BasicProfile - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.SUCCESS); - audit(auditMessage); -@@ -2093,7 +2091,7 @@ 
public abstract class EnrollProfile extends BasicProfile - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.FAILURE); - -diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -index f246951..81e71c4 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -@@ -30,6 +30,7 @@ import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IProfile; -@@ -48,9 +49,6 @@ import com.netscape.cmsutil.crypto.CryptoUtil; - */ - public abstract class EnrollInput implements IProfileInput { - -- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = -- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; -- - protected IConfigStore mConfig = null; - protected Vector mValueNames = new Vector(); - protected Vector mConfigNames = new Vector(); -@@ -219,7 +217,7 @@ public abstract class EnrollInput implements IProfileInput { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.SUCCESS); - audit(auditMessage); -@@ -230,7 +228,7 @@ public abstract class EnrollInput implements IProfileInput { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - 
ILogger.FAILURE); - -diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -index 1933601..28fb0b9 100644 ---- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -@@ -16,6 +16,7 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ICertUserDBAuthentication; - import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -35,11 +36,6 @@ import netscape.security.x509.X509CertImpl; - - public class PKIRealm extends RealmBase { - protected ILogger signedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; -- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; -- - @Override - protected String getName() { - return "PKIRealm"; -@@ -66,7 +62,7 @@ public class PKIRealm extends RealmBase { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); -@@ -77,7 +73,7 @@ public class PKIRealm extends RealmBase { - } catch (Throwable e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - auditSubjectID, - ILogger.FAILURE, - IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID, -@@ -126,7 +122,7 @@ public class PKIRealm extends RealmBase { - CMS.debug("PKIRealm: User ID: " + username); - // store a message in the signed audit log 
file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); -@@ -137,7 +133,7 @@ public class PKIRealm extends RealmBase { - } catch (Throwable e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - auditSubjectID, - ILogger.FAILURE, - IAuthSubsystem.CERTUSERDB_AUTHMGR_ID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index ab7af9e..0350e38 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.IExtendedPluginInfo; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.EUsrGrpException; -@@ -121,14 +122,6 @@ public class AdminServlet extends HttpServlet { - public static final String CERT_ATTR = - "javax.servlet.request.X509Certificate"; - -- private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; -- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; - private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = - "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; - private final static String CERTUSERDB = -@@ 
-307,7 +300,7 @@ public class AdminServlet extends HttpServlet { - if (allCerts == null || allCerts.length == 0) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -399,7 +392,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -409,7 +402,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -@@ -433,7 +426,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -443,7 +436,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -@@ -469,7 +462,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -479,7 +472,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -@@ -505,7 +498,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -515,7 +508,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -@@ -535,7 +528,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID(), - ILogger.SUCCESS, - CERTUSERDB); -@@ -544,7 +537,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID(), - ILogger.SUCCESS, - PASSWDUSERDB); -@@ -555,7 +548,7 @@ public class AdminServlet extends HttpServlet { - if (authType.equals("sslclientauth")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -@@ -565,7 +558,7 @@ public class AdminServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -@@ -654,7 +647,7 @@ public class AdminServlet extends HttpServlet { - - // 
store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -677,7 +670,7 @@ public class AdminServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -698,7 +691,7 @@ public class AdminServlet extends HttpServlet { - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -720,7 +713,7 @@ public class AdminServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index ab9b936..01f9f07 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -64,6 +64,7 @@ import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; -@@ -244,14 +245,6 @@ public abstract class CMSServlet extends HttpServlet { - private IUGSubsystem mUG = (IUGSubsystem) - CMS.getSubsystem(CMS.SUBSYSTEM_UG); - -- private 
final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; -- private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; - private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = - "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; - -@@ -1801,7 +1794,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditAuthMgrID); -@@ -1812,7 +1805,7 @@ public abstract class CMSServlet extends HttpServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditAuthMgrID, -@@ -1837,7 +1830,7 @@ public abstract class CMSServlet extends HttpServlet { - authzToken = mAuthz.authorize(authzMgrName, authToken, exp); - if (authzToken != null) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -@@ -1855,7 +1848,7 @@ public abstract class CMSServlet extends HttpServlet { - audit(auditMessage); - } else { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -1874,7 +1867,7 @@ public abstract class CMSServlet extends HttpServlet { - return authzToken; - } catch (Exception e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - 
auditACLResource, -@@ -1971,7 +1964,7 @@ public abstract class CMSServlet extends HttpServlet { - if (authzTok != null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -@@ -1990,7 +1983,7 @@ public abstract class CMSServlet extends HttpServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -2012,7 +2005,7 @@ public abstract class CMSServlet extends HttpServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -2033,7 +2026,7 @@ public abstract class CMSServlet extends HttpServlet { - } catch (Exception eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index e6dfbc4..014db79 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.connector.IPKIMessage; - import com.netscape.certsrv.connector.IRequestEncoder; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import 
com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; -@@ -97,8 +98,6 @@ public class ConnectorServlet extends CMSServlet { - - protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; -- private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS = -- "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; - private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; - private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -@@ -479,7 +478,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, -@@ -501,7 +500,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, -@@ -699,7 +698,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, -@@ -921,7 +920,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.SUCCESS, - auditProtectionMethod, -@@ -934,7 +933,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( 
-- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, -@@ -947,7 +946,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, -@@ -960,7 +959,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, -@@ -980,7 +979,7 @@ public class ConnectorServlet extends CMSServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS, -+ AuditEvent.INTER_BOUNDARY, - auditSubjectID, - ILogger.FAILURE, - auditProtectionMethod, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 62b9a7c..d5a9c4d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.profile.IProfile; -@@ -118,14 +119,6 @@ public class CAProcessor extends Processor { - - public final static String 
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; -- public final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; -- public final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; -- public final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; -- public final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; - public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = - "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; - public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = -@@ -498,7 +491,7 @@ public class CAProcessor extends Processor { - - authSubjectID += " : " + uid_cred; - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - authSubjectID, - ILogger.FAILURE, - authMgrID, -@@ -512,7 +505,7 @@ public class CAProcessor extends Processor { - - authSubjectID += " : " + uid_cred; - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - authSubjectID, - ILogger.FAILURE, - authMgrID, -@@ -534,7 +527,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - authSubjectID, - ILogger.SUCCESS, - authMgrID); -@@ -669,7 +662,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, -+ AuditEvent.AUTH_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditAuthMgrID); -@@ -680,7 +673,7 @@ public class CAProcessor extends Processor { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTH_FAIL, -+ AuditEvent.AUTH_FAIL, - 
auditSubjectID, - ILogger.FAILURE, - auditAuthMgrID, -@@ -730,7 +723,7 @@ public class CAProcessor extends Processor { - authzToken = authz.authorize(authzMgrName, authToken, exp); - if (authzToken != null) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -@@ -748,7 +741,7 @@ public class CAProcessor extends Processor { - audit(auditMessage); - } else { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -767,7 +760,7 @@ public class CAProcessor extends Processor { - return authzToken; - } catch (EBaseException e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -863,7 +856,7 @@ public class CAProcessor extends Processor { - if (authzTok != null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -@@ -882,7 +875,7 @@ public class CAProcessor extends Processor { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -@@ -904,7 +897,7 @@ public class CAProcessor extends Processor { - } catch (Exception eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL, - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -index 1da0cf3..70a4a42 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; - import com.netscape.cms.servlet.base.CMSServlet; -@@ -68,9 +69,6 @@ public class CRMFProcessor extends PKIProcessor { - - private boolean enforcePop = false; - -- private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = -- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; -- - public CRMFProcessor() { - super(); - } -@@ -118,7 +116,7 @@ public class CRMFProcessor extends PKIProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.SUCCESS); - -@@ -131,7 +129,7 @@ public class CRMFProcessor extends PKIProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.FAILURE); - -@@ -148,7 +146,7 @@ public class CRMFProcessor extends PKIProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - ILogger.FAILURE); - -@@ -161,7 +159,7 @@ public class CRMFProcessor extends PKIProcessor { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, -+ AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, - 
ILogger.FAILURE); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java -index 89ba1bd..f56c378 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java -@@ -32,6 +32,7 @@ import com.netscape.certsrv.authority.IAuthority; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.authorization.EAuthzAccessDenied; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IPolicyConstraint; -@@ -60,8 +61,6 @@ public class ProfileApproveServlet extends ProfileServlet { - private static final String PROP_AUTHORITY_ID = "authorityId"; - private String mAuthorityId = null; - -- private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL = -- "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; - private final static String OP_APPROVE = "approve"; - private final static String OP_DISAPPROVE = "disapprove"; - -@@ -134,7 +133,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -168,7 +167,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -198,7 +197,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message 
in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -222,7 +221,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -244,7 +243,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -277,7 +276,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -298,7 +297,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.SUCCESS, - auditProfileID, -@@ -316,7 +315,7 @@ public class ProfileApproveServlet extends ProfileServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -@@ -329,7 +328,7 @@ public class ProfileApproveServlet extends ProfileServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL, -+ 
AuditEvent.CERT_PROFILE_APPROVAL, - auditSubjectID, - ILogger.FAILURE, - auditProfileID, -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -index 8e02ec2..86996d5 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -@@ -45,6 +45,7 @@ import com.netscape.certsrv.authorization.EAuthzUnknownRealm; - import com.netscape.certsrv.authorization.IAuthzSubsystem; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.ForbiddenException; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.realm.PKIPrincipal; - -@@ -54,11 +55,6 @@ import com.netscape.cms.realm.PKIPrincipal; - @Provider - public class ACLInterceptor implements ContainerRequestFilter { - protected ILogger signedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = -- "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5"; -- private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = -- "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5"; -- - private final static String LOGGING_ACL_PARSING_ERROR = "internal error: ACL parsing error"; - private final static String LOGGING_NO_ACL_ACCESS_ALLOWED = "no ACL configured; OK"; - private final static String LOGGING_MISSING_AUTH_TOKEN = "auth token not found"; -@@ -178,7 +174,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - // store a message in the signed audit log file - // although if it didn't pass authentication, it should not have gotten here - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - null, // resource -@@ -195,7 +191,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: No ACL 
mapping; authz not required."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS_INFO, - auditSubjectID, - ILogger.SUCCESS, - null, //resource -@@ -219,7 +215,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - } catch (IOException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - null, //resource -@@ -236,7 +232,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: No ACL configuration."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS_INFO, - auditSubjectID, - ILogger.SUCCESS, - null, //resource -@@ -252,7 +248,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: Invalid ACL mapping."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - null, //resource -@@ -279,7 +275,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: " + info); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - values[0], // resource -@@ -296,7 +292,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: " + info); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - values[0], // resource -@@ -309,7 +305,7 @@ public class ACLInterceptor 
implements ContainerRequestFilter { - String info = e.getMessage(); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, -+ AuditEvent.AUTHZ_FAIL_INFO, - auditSubjectID, - ILogger.FAILURE, - values[0], // resource -@@ -323,7 +319,7 @@ public class ACLInterceptor implements ContainerRequestFilter { - // Allow request. - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, -+ AuditEvent.AUTHZ_SUCCESS_INFO, - auditSubjectID, - ILogger.SUCCESS, - values[0], // resource --- -1.8.3.1 - - -From 6b9aee2d0a37cb7e8b93614b693cda0e6c410d9b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 04:33:11 +0200 -Subject: [PATCH 46/59] Reorganized audit event constants for CA. - -Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 11 +++ - .../netscape/cms/profile/common/EnrollProfile.java | 8 +- - .../cms/servlet/cert/CMCRevReqServlet.java | 26 +++---- - .../netscape/cms/servlet/cert/CertProcessor.java | 7 +- - .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 23 +++--- - .../netscape/cms/servlet/cert/DoUnrevokeTPS.java | 17 ++--- - .../netscape/cms/servlet/cert/EnrollServlet.java | 46 ++++++------ - .../cms/servlet/cert/RequestProcessor.java | 9 ++- - .../cms/servlet/cert/RevocationProcessor.java | 10 +-- - .../cms/servlet/cert/scep/CRSEnrollment.java | 3 +- - .../cms/servlet/connector/ConnectorServlet.java | 15 ++-- - .../cms/servlet/processors/CAProcessor.java | 2 - - .../servlet/profile/ProfileSubmitCMCServlet.java | 12 ++- - .../cms/servlet/request/ProcessCertReq.java | 85 +++++++++++----------- - 14 files changed, 128 insertions(+), 146 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 82cb77f..39314df 100644 ---- 
a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -35,6 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter; - */ - public class AuditEvent implements IBundleLogEvent { - -+ public final static String NON_PROFILE_CERT_REQUEST = -+ "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; -+ public final static String PROFILE_CERT_REQUEST = -+ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; -+ public final static String CERT_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; -+ public final static String CERT_STATUS_CHANGE_REQUEST = -+ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -+ public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; -+ - public final static String AUTHZ_SUCCESS = - "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; - public final static String AUTHZ_SUCCESS_INFO = -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 0ec3c94..370cc33 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -120,8 +120,6 @@ import netscape.security.x509.X509Key; - public abstract class EnrollProfile extends BasicProfile - implements IEnrollProfile { - -- private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = -- "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; - private PKIData mCMCData; - - public EnrollProfile() { -@@ -1915,7 +1913,7 @@ public abstract class EnrollProfile extends BasicProfile - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1928,7 +1926,7 @@ public abstract 
class EnrollProfile extends BasicProfile - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1941,7 +1939,7 @@ public abstract class EnrollProfile extends BasicProfile - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -index 71c10ea..f4d7f8f 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -@@ -53,6 +53,7 @@ import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertRecordList; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.publish.IPublisherProcessor; -@@ -92,11 +93,6 @@ public class CMCRevReqServlet extends CMSServlet { - private final static String REVOKE = "revoke"; - private final static String ON_HOLD = "on-hold"; - private final static int ON_HOLD_REASON = 6; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; -- - // http params - public static final String SERIAL_NO = TOKEN_CERT_SERIAL; - public static final String 
REASON_CODE = "reasonCode"; -@@ -546,7 +542,7 @@ public class CMCRevReqServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -815,7 +811,7 @@ public class CMCRevReqServlet extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -832,7 +828,7 @@ public class CMCRevReqServlet extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -849,7 +845,7 @@ public class CMCRevReqServlet extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -870,7 +866,7 @@ public class CMCRevReqServlet extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -887,7 +883,7 @@ public class CMCRevReqServlet extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = 
CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -909,7 +905,7 @@ public class CMCRevReqServlet extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -926,7 +922,7 @@ public class CMCRevReqServlet extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -945,7 +941,7 @@ public class CMCRevReqServlet extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -962,7 +958,7 @@ public class CMCRevReqServlet extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index 47b5222..0534f90 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ 
-30,6 +30,7 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.EPropertyNotFound; - import com.netscape.certsrv.cert.CertEnrollmentRequest; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.ERejectException; -@@ -230,7 +231,7 @@ public class CertProcessor extends CAProcessor { - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -266,7 +267,7 @@ public class CertProcessor extends CAProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -284,7 +285,7 @@ public class CertProcessor extends CAProcessor { - req.setExtData(IRequest.ERROR_CODE, errorCode); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -index 79eba99..68ac6da 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -@@ -46,6 +46,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import 
com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.publish.IPublisherProcessor; -@@ -89,10 +90,6 @@ public class DoRevokeTPS extends CMSServlet { - private final static String REVOKE = "revoke"; - private final static String ON_HOLD = "on-hold"; - private final static int ON_HOLD_REASON = 6; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - - public DoRevokeTPS() { - super(); -@@ -433,7 +430,7 @@ public class DoRevokeTPS extends CMSServlet { - CMS.debug(method + "Only have previously revoked certs in the list."); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -450,7 +447,7 @@ public class DoRevokeTPS extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -475,7 +472,7 @@ public class DoRevokeTPS extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -561,7 +558,7 @@ public class DoRevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, 
-+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -752,7 +749,7 @@ public class DoRevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -770,7 +767,7 @@ public class DoRevokeTPS extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -787,7 +784,7 @@ public class DoRevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -809,7 +806,7 @@ public class DoRevokeTPS extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -826,7 +823,7 @@ public class DoRevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -index 39ccb49..30bde76 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -@@ -30,7 +30,7 @@ import javax.servlet.ServletException; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.security.x509.X509CertImpl; -+import org.dogtagpki.server.connector.IRemoteRequest; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; -@@ -43,6 +43,7 @@ import com.netscape.certsrv.ca.ICRLIssuingPoint; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.publish.IPublisherProcessor; -@@ -53,7 +54,7 @@ import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; - import com.netscape.cms.servlet.common.ECMSGWException; - --import org.dogtagpki.server.connector.IRemoteRequest; -+import netscape.security.x509.X509CertImpl; - - /** - * 'Unrevoke' a certificate. 
(For certificates that are on-hold only, -@@ -78,10 +79,6 @@ public class DoUnrevokeTPS extends CMSServlet { - - private final static String OFF_HOLD = "off-hold"; - private final static int OFF_HOLD_REASON = 6; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - - public DoUnrevokeTPS() { - super(); -@@ -268,7 +265,7 @@ public class DoUnrevokeTPS extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -465,7 +462,7 @@ public class DoUnrevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -482,7 +479,7 @@ public class DoUnrevokeTPS extends CMSServlet { - // store a "CERT_STATUS_CHANGE_REQUEST" failure - // message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -499,7 +496,7 @@ public class DoUnrevokeTPS extends CMSServlet { - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -index 91caccf..3757967 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -@@ -58,6 +58,7 @@ import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertRecordList; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; -@@ -153,11 +154,6 @@ public class EnrollServlet extends CMSServlet { - + "indeterminate reason for inability to process " - + "cert request due to an EBaseException" - }; -- private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = -- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; -- - private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; - private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; - -@@ -766,7 +762,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -829,7 +825,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - 
auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -872,7 +868,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -912,7 +908,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -969,7 +965,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1072,7 +1068,7 @@ public class EnrollServlet extends CMSServlet { - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1102,7 +1098,7 @@ public class EnrollServlet extends CMSServlet { - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1129,7 +1125,7 @@ public class EnrollServlet extends CMSServlet { - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) - auditMessage = 
CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1177,7 +1173,7 @@ public class EnrollServlet extends CMSServlet { - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1230,7 +1226,7 @@ public class EnrollServlet extends CMSServlet { - // certificate, an "agent" cert request for - // "bulk enrollment", or an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1279,7 +1275,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1322,7 +1318,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1337,7 +1333,7 @@ public class EnrollServlet extends CMSServlet { - // an "agent" cert request for "bulk enrollment", or - // an "EE" standard cert request) - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1374,7 +1370,7 @@ public class EnrollServlet extends CMSServlet { - // 
(automated "agent" cert request processed - // - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1388,7 +1384,7 @@ public class EnrollServlet extends CMSServlet { - - // (automated "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1408,7 +1404,7 @@ public class EnrollServlet extends CMSServlet { - if (completed == false) { - // (automated "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1464,7 +1460,7 @@ public class EnrollServlet extends CMSServlet { - for (int i = 0; i < issuedCerts.length; i++) { - // (automated "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1487,7 +1483,7 @@ public class EnrollServlet extends CMSServlet { - for (int i = 0; i < issuedCerts.length; i++) { - // (automated "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1504,7 +1500,7 @@ public class EnrollServlet extends CMSServlet { - - // (automated "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1520,7 +1516,7 @@ public class EnrollServlet extends CMSServlet { - 
// store a message in the signed audit log file - // (automated "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index 436e7a9..474a2e5 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -40,6 +40,7 @@ import com.netscape.certsrv.ca.AuthorityID; - import com.netscape.certsrv.ca.CANotFoundException; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.cert.CertReviewResponse; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; -@@ -283,7 +284,7 @@ public class RequestProcessor extends CertProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -319,7 +320,7 @@ public class RequestProcessor extends CertProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -399,7 +400,7 @@ public class RequestProcessor extends CertProcessor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ 
-411,7 +412,7 @@ public class RequestProcessor extends CertProcessor { - } catch (EProfileException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -index ffcda63..b90966e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.dbs.certdb.CertId; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.publish.IPublisherProcessor; -@@ -62,11 +63,6 @@ public class RevocationProcessor extends CertProcessor { - public final static String ON_HOLD = "on-hold"; - public final static String OFF_HOLD = "off-hold"; - -- public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -- public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; -- - long startTime; - - ICertificateAuthority authority; -@@ -486,7 +482,7 @@ public class RevocationProcessor extends CertProcessor { - return; - - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST, - auditor.getSubjectID(), - status, - requestID == null ? 
ILogger.UNIDENTIFIED : requestID.toString(), -@@ -510,7 +506,7 @@ public class RevocationProcessor extends CertProcessor { - || requestStatus == RequestStatus.CANCELED)) return; - - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, - auditor.getSubjectID(), - status, - requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(), -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java -index c2c6cde..150c36f 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java -@@ -73,6 +73,7 @@ import com.netscape.certsrv.base.ISubsystem; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.ldap.ILdapConnFactory; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; -@@ -1495,7 +1496,7 @@ public class CRSEnrollment extends HttpServlet { - - // perform audit log - String auditMessage = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5", -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - httpReq.getRemoteAddr(), - ILogger.FAILURE, - req.getTransactionID(), -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index 014db79..2299e60 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -98,11 +98,6 @@ public class ConnectorServlet extends CMSServlet { - - protected ILogger 
mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; -- private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST = -- "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; -- - private final static byte EOL[] = { Character.LINE_SEPARATOR }; - - public ConnectorServlet() { -@@ -554,7 +549,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -568,7 +563,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -582,7 +577,7 @@ public class ConnectorServlet extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, -+ AuditEvent.PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -636,7 +631,7 @@ public class ConnectorServlet extends CMSServlet { - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -657,7 +652,7 @@ public class ConnectorServlet extends CMSServlet { - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, 
- auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index d5a9c4d..5669233 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -117,8 +117,6 @@ public class CAProcessor extends Processor { - public static final String ACL_INFO = "ACLinfo"; - public static final String PROFILE_SUB_ID = "profileSubId"; - -- public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; - public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = - "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; - public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index c233e41..fd155a6 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -44,6 +44,7 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; -@@ -83,9 +84,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - private String mProfileSubId = null; - private String requestB64 = null; - -- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- 
"LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; -- - public ProfileSubmitCMCServlet() { - } - -@@ -682,7 +680,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -738,7 +736,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - if (errorCode.equals("1")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -753,7 +751,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } else if (errorCode.equals("3")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -787,7 +785,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -index 367c558..d15774e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -@@ -35,21 +35,6 @@ import javax.servlet.ServletOutputStream; - import javax.servlet.http.HttpServletRequest; - import 
javax.servlet.http.HttpServletResponse; - --import netscape.security.extensions.NSCertTypeExtension; --import netscape.security.extensions.PresenceServerExtension; --import netscape.security.util.DerValue; --import netscape.security.x509.AlgorithmId; --import netscape.security.x509.BasicConstraintsExtension; --import netscape.security.x509.CertificateAlgorithmId; --import netscape.security.x509.CertificateExtensions; --import netscape.security.x509.CertificateSubjectName; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.CertificateVersion; --import netscape.security.x509.Extension; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.IAuthToken; -@@ -62,6 +47,7 @@ import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.ICMSRequest; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.publish.IPublisherProcessor; -@@ -80,6 +66,21 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; - import com.netscape.cms.servlet.common.ECMSGWException; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.extensions.NSCertTypeExtension; -+import netscape.security.extensions.PresenceServerExtension; -+import netscape.security.util.DerValue; -+import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.BasicConstraintsExtension; -+import netscape.security.x509.CertificateAlgorithmId; -+import netscape.security.x509.CertificateExtensions; -+import netscape.security.x509.CertificateSubjectName; -+import 
netscape.security.x509.CertificateValidity; -+import netscape.security.x509.CertificateVersion; -+import netscape.security.x509.Extension; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+ - /** - * Agent operations on Certificate requests. This servlet is used - * by an Agent to approve, reject, reassign, or change a certificate -@@ -170,10 +171,6 @@ public class ProcessCertReq extends CMSServlet { - + "indeterminate reason for inability to process " - + "cert request due to a NoSuchAlgorithmException" - }; -- private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST = -- "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; -- private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; - - /** - * Process request. -@@ -457,7 +454,7 @@ public class ProcessCertReq extends CMSServlet { - if (toDo.equals(SIGNED_AUDIT_CLONING)) { - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -468,7 +465,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -479,7 +476,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -490,7 +487,7 @@ public class 
ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -940,7 +937,7 @@ public class ProcessCertReq extends CMSServlet { - // (one for each manual "agent" - // cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -984,7 +981,7 @@ public class ProcessCertReq extends CMSServlet { - // (manual "agent" cert request processed - // - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1109,7 +1106,7 @@ public class ProcessCertReq extends CMSServlet { - // store a message in the signed audit log file - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1171,7 +1168,7 @@ public class ProcessCertReq extends CMSServlet { - // store a message in the signed audit log file - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -1238,7 +1235,7 @@ public class ProcessCertReq extends CMSServlet { - // store a message in the signed audit log file - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - 
ILogger.SUCCESS, - auditRequesterID, -@@ -1271,7 +1268,7 @@ public class ProcessCertReq extends CMSServlet { - if (toDo.equals(SIGNED_AUDIT_CLONING)) { - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1282,7 +1279,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1293,7 +1290,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1304,7 +1301,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1324,7 +1321,7 @@ public class ProcessCertReq extends CMSServlet { - if (toDo.equals(SIGNED_AUDIT_CLONING)) { - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1335,7 +1332,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") - 
auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1346,7 +1343,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1357,7 +1354,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1378,7 +1375,7 @@ public class ProcessCertReq extends CMSServlet { - if (toDo.equals(SIGNED_AUDIT_CLONING)) { - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1389,7 +1386,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1400,7 +1397,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1411,7 +1408,7 @@ public 
class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1432,7 +1429,7 @@ public class ProcessCertReq extends CMSServlet { - if (toDo.equals(SIGNED_AUDIT_CLONING)) { - // ("agent" cert request for "cloning") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST, -+ AuditEvent.NON_PROFILE_CERT_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1443,7 +1440,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1454,7 +1451,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -1465,7 +1462,7 @@ public class ProcessCertReq extends CMSServlet { - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, -+ AuditEvent.CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, --- -1.8.3.1 - - -From e0b3e36b6737e872e479624780497373765600f4 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 04:58:25 +0200 -Subject: [PATCH 47/59] Reorganized additional audit event constants for KRA. 
- -Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8 ---- - base/ca/src/com/netscape/ca/CAService.java | 67 +++++++++++----------- - .../com/netscape/certsrv/logging/AuditEvent.java | 27 +++++++++ - .../src/com/netscape/kra/EnrollmentService.java | 32 +++++------ - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 42 +++++--------- - .../src/com/netscape/kra/NetkeyKeygenService.java | 31 +++------- - .../com/netscape/kra/TokenKeyRecoveryService.java | 36 ++++++------ - .../cms/profile/common/CAEnrollProfile.java | 12 ++-- - .../cms/servlet/admin/CMSAdminServlet.java | 11 ++-- - .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 11 +--- - .../src/com/netscape/cms/servlet/key/GetPk12.java | 11 +--- - .../cms/servlet/key/GrantAsyncRecovery.java | 10 ++-- - .../netscape/cms/servlet/key/GrantRecovery.java | 12 ++-- - 12 files changed, 138 insertions(+), 164 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index 31df153..5b364b8 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -31,33 +31,6 @@ import java.util.Enumeration; - import java.util.Hashtable; - import java.util.Vector; - --import netscape.security.extensions.CertInfo; --import netscape.security.util.BigInt; --import netscape.security.util.DerValue; --import netscape.security.x509.AlgorithmId; --import netscape.security.x509.BasicConstraintsExtension; --import netscape.security.x509.CRLExtensions; --import netscape.security.x509.CRLReasonExtension; --import netscape.security.x509.CertificateAlgorithmId; --import netscape.security.x509.CertificateChain; --import netscape.security.x509.CertificateExtensions; --import netscape.security.x509.CertificateIssuerName; --import netscape.security.x509.CertificateSerialNumber; --import netscape.security.x509.CertificateSubjectName; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.Extension; --import 
netscape.security.x509.LdapV3DNStrConverter; --import netscape.security.x509.PKIXExtensions; --import netscape.security.x509.RevocationReason; --import netscape.security.x509.RevokedCertImpl; --import netscape.security.x509.SerialNumber; --import netscape.security.x509.X500Name; --import netscape.security.x509.X500NameAttrMap; --import netscape.security.x509.X509CRLImpl; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; --import netscape.security.x509.X509ExtensionException; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authority.IAuthority; - import com.netscape.certsrv.authority.ICertAuthority; -@@ -77,6 +50,7 @@ import com.netscape.certsrv.dbs.ModificationSet; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertRecordList; - import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IProfile; -@@ -95,6 +69,33 @@ import com.netscape.cmscore.dbs.RevocationInfo; - import com.netscape.cmscore.util.Debug; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.extensions.CertInfo; -+import netscape.security.util.BigInt; -+import netscape.security.util.DerValue; -+import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.BasicConstraintsExtension; -+import netscape.security.x509.CRLExtensions; -+import netscape.security.x509.CRLReasonExtension; -+import netscape.security.x509.CertificateAlgorithmId; -+import netscape.security.x509.CertificateChain; -+import netscape.security.x509.CertificateExtensions; -+import netscape.security.x509.CertificateIssuerName; -+import netscape.security.x509.CertificateSerialNumber; -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.CertificateValidity; -+import 
netscape.security.x509.Extension; -+import netscape.security.x509.LdapV3DNStrConverter; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.RevocationReason; -+import netscape.security.x509.RevokedCertImpl; -+import netscape.security.x509.SerialNumber; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X500NameAttrMap; -+import netscape.security.x509.X509CRLImpl; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+import netscape.security.x509.X509ExtensionException; -+ - /** - * Request Service for CertificateAuthority. - */ -@@ -115,8 +116,6 @@ public class CAService implements ICAService, IService { - private Hashtable mCRLIssuingPoints = new Hashtable(); - - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - - public CAService(ICertificateAuthority ca) { - mCA = ca; -@@ -422,7 +421,7 @@ public class CAService implements ICAService, IService { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -441,7 +440,7 @@ public class CAService implements ICAService, IService { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -459,7 +458,7 @@ public class CAService implements ICAService, IService { - if (request.getExtDataInString(IRequest.ERROR) != null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - 
auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -486,7 +485,7 @@ public class CAService implements ICAService, IService { - if (!(type.equals(IRequest.REVOCATION_REQUEST) || - type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -506,7 +505,7 @@ public class CAService implements ICAService, IService { - type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 39314df..dc434fa 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -35,6 +35,33 @@ import com.netscape.certsrv.base.MessageFormatter; - */ - public class AuditEvent implements IBundleLogEvent { - -+ public final static String PRIVATE_KEY_ARCHIVE_REQUEST = -+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; -+ public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; -+ public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; -+ public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; -+ public final static String SERVER_SIDE_KEYGEN_REQUEST = -+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; -+ public final 
static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; -+ public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = -+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; -+ public final static String KEY_RECOVERY_REQUEST = -+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; -+ public final static String KEY_RECOVERY_REQUEST_ASYNC = -+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; -+ public final static String KEY_RECOVERY_AGENT_LOGIN = -+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; -+ public final static String KEY_RECOVERY_REQUEST_PROCESSED = -+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; -+ public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = -+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; -+ public final static String KEY_GEN_ASYMMETRIC = -+ "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; -+ - public final static String NON_PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; - public final static String PROFILE_CERT_REQUEST = -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index 36a809b..d2748a2 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -48,6 +48,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.kra.ProofOfArchival; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.IEnrollProfile; -@@ -102,11 +103,6 @@ public class EnrollmentService implements IService { - private IStorageKeyUnit mStorageUnit = null; - private ILogger mSignedAuditLogger 
= CMS.getSignedAuditLogger(); - -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; -- - /** - * Constructs request processor. - *

-@@ -205,7 +201,7 @@ public class EnrollmentService implements IService { - } catch (IOException e) { - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -253,7 +249,7 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -289,7 +285,7 @@ public class EnrollmentService implements IService { - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -331,7 +327,7 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -352,7 +348,7 @@ public class EnrollmentService implements IService { - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -377,7 +373,7 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -412,7 +408,7 @@ 
public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -439,7 +435,7 @@ public class EnrollmentService implements IService { - } catch (InvalidKeyException e) { - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -489,7 +485,7 @@ public class EnrollmentService implements IService { - rec.getSerialNumber().toString())); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -511,7 +507,7 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); - // TODO(alee) Set correct audit message here - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -529,7 +525,7 @@ public class EnrollmentService implements IService { - CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -586,7 +582,7 @@ public class EnrollmentService implements IService { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -597,7 +593,7 @@ public class EnrollmentService 
implements IService { - // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 64680ed..b6e4376 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.kra.IKeyService; - import com.netscape.certsrv.listeners.EListenersException; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.ARequestNotifier; - import com.netscape.certsrv.request.IPolicy; -@@ -137,19 +138,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", "; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED 
= -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; -- - /** - * Constructs an escrow authority. - *

-@@ -777,7 +765,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -787,7 +775,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -808,7 +796,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); -@@ -817,7 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); -@@ -859,7 +847,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, -+ AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -869,7 +857,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit 
log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, -+ AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -1049,7 +1037,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, -+ AuditEvent.KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -1059,7 +1047,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, -+ AuditEvent.KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -1083,7 +1071,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -1097,7 +1085,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -1110,7 +1098,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -1178,7 
+1166,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -1192,7 +1180,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -1205,7 +1193,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 3f5e32f..665ff19 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -55,6 +55,7 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ -91,22 +92,6 @@ public class NetkeyKeygenService implements IService { - public final static String ATTR_PROOF_OF_ARCHIVAL = - "proofOfArchival"; - -- // private -- 
private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; -- // these need to be defined in LogMessages_en.properties later when we do this -- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; -- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; -- private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; - private IKeyRecoveryAuthority mKRA = null; - private ITransportKeyUnit mTransportUnit = null; - private IStorageKeyUnit mStorageUnit = null; -@@ -384,7 +369,7 @@ public class NetkeyKeygenService implements IService { - } - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST, -+ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, - agentId, - ILogger.SUCCESS, - auditSubjectID); -@@ -455,7 +440,7 @@ public class NetkeyKeygenService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, - agentId, - ILogger.FAILURE, - auditSubjectID); -@@ -487,7 +472,7 @@ public class 
NetkeyKeygenService implements IService { - } - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, -+ AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, - agentId, - ILogger.SUCCESS, - auditSubjectID, -@@ -550,7 +535,7 @@ public class NetkeyKeygenService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, - agentId, - ILogger.FAILURE, - auditSubjectID, -@@ -561,7 +546,7 @@ public class NetkeyKeygenService implements IService { - } else { - request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, - agentId, - ILogger.SUCCESS, - auditSubjectID, -@@ -586,7 +571,7 @@ public class NetkeyKeygenService implements IService { - // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - agentId, - ILogger.SUCCESS, - auditSubjectID, -@@ -680,7 +665,7 @@ public class NetkeyKeygenService implements IService { - CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - agentId, - ILogger.SUCCESS, - PubKey); -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index b084964..b710291 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ 
b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ -89,11 +90,6 @@ public class TokenKeyRecoveryService implements IService { - private IStorageKeyUnit mStorageUnit = null; - private ITransportKeyUnit mTransportUnit = null; - -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; -- -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - - /** -@@ -271,7 +267,7 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService: not receive des key"); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -289,7 +285,7 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); - request.setExtData(IRequest.RESULT, Integer.valueOf(3)); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -310,7 +306,7 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("cert mapping failed"); - request.setExtData(IRequest.RESULT, Integer.valueOf(5)); - auditMessage = 
CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -323,7 +319,7 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService: mapCert failed"); - request.setExtData(IRequest.RESULT, Integer.valueOf(6)); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -362,7 +358,7 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("key record not found"); - request.setExtData(IRequest.RESULT, Integer.valueOf(8)); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -375,7 +371,7 @@ public class TokenKeyRecoveryService implements IService { - com.netscape.cmscore.util.Debug.printStackTrace(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(9)); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -409,7 +405,7 @@ public class TokenKeyRecoveryService implements IService { - if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -424,7 +420,7 @@ public class TokenKeyRecoveryService implements IService { - if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -447,7 +443,7 @@ public class TokenKeyRecoveryService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -477,7 +473,7 @@ public class TokenKeyRecoveryService implements IService { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -503,7 +499,7 @@ public class TokenKeyRecoveryService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -533,7 +529,7 @@ public class TokenKeyRecoveryService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -561,7 +557,7 @@ public class TokenKeyRecoveryService implements IService { - } - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, -+ AuditEvent.KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -573,7 
+569,7 @@ public class TokenKeyRecoveryService implements IService { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -588,7 +584,7 @@ public class TokenKeyRecoveryService implements IService { - } - request.setExtData("public_key", PubKey); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, -+ AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -index 44c1245..02aa8c8 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -@@ -29,6 +29,7 @@ import com.netscape.certsrv.ca.AuthorityID; - import com.netscape.certsrv.ca.ICAService; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.connector.IConnector; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; -@@ -49,9 +50,6 @@ import netscape.security.x509.X509CertInfo; - */ - public class CAEnrollProfile extends EnrollProfile { - -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; -- - public CAEnrollProfile() { - } - -@@ -120,7 +118,7 @@ public class CAEnrollProfile extends EnrollProfile { - "not configured"); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ 
AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -135,7 +133,7 @@ public class CAEnrollProfile extends EnrollProfile { - // check response - if (!request.isSuccess()) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -@@ -153,7 +151,7 @@ public class CAEnrollProfile extends EnrollProfile { - } - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, -@@ -170,7 +168,7 @@ public class CAEnrollProfile extends EnrollProfile { - CMS.debug(e); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, -+ AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index 2c3c6be..3e73dc6 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -60,6 +60,7 @@ import com.netscape.certsrv.common.ScopeDef; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.ocsp.IOCSPAuthority; - import com.netscape.certsrv.ra.IRegistrationAuthority; -@@ -109,8 +110,6 @@ public final class CMSAdminServlet extends AdminServlet { - "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; - private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY = - 
"LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; -- private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC = -- "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; - private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION = - "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; - private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = -@@ -1142,7 +1141,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (nickname.equals("")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, -+ AuditEvent.KEY_GEN_ASYMMETRIC, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); -@@ -1205,7 +1204,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, -+ AuditEvent.KEY_GEN_ASYMMETRIC, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); -@@ -1217,7 +1216,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, -+ AuditEvent.KEY_GEN_ASYMMETRIC, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); -@@ -1229,7 +1228,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, -+ AuditEvent.KEY_GEN_ASYMMETRIC, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java -index 773b91e..f0065e1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java -+++ 
b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java -@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; -@@ -64,12 +65,6 @@ public class GetAsyncPk12 extends CMSServlet { - - private com.netscape.certsrv.kra.IKeyService mService = null; - -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; -- -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; -- - private String mFormPath = null; - - /** -@@ -213,7 +208,7 @@ public class GetAsyncPk12 extends CMSServlet { - mRenderResult = false; - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, - agent, - ILogger.SUCCESS, - reqID, -@@ -239,7 +234,7 @@ public class GetAsyncPk12 extends CMSServlet { - - if ((agent != null) && (reqID != null)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, - agent, - ILogger.FAILURE, - reqID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java -index c79a82f..9bb52cd 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java -@@ -36,6 +36,7 @@ import 
com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; -@@ -63,12 +64,6 @@ public class GetPk12 extends CMSServlet { - - private com.netscape.certsrv.kra.IKeyService mService = null; - -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; -- -- private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; -- - private String mFormPath = null; - - /** -@@ -207,7 +202,7 @@ public class GetPk12 extends CMSServlet { - mRenderResult = false; - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, - agent, - ILogger.SUCCESS, - recoveryID, -@@ -233,7 +228,7 @@ public class GetPk12 extends CMSServlet { - - if ((agent != null) && (recoveryID != null)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, -+ AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, - agent, - ILogger.FAILURE, - recoveryID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -index 4100391..c410525 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.EBaseException; - import 
com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.kra.IKeyService; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; -@@ -61,9 +62,6 @@ public class GrantAsyncRecovery extends CMSServlet { - private IKeyService mService = null; - private String mFormPath = null; - -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; -- - /** - * Constructs EA servlet. - */ -@@ -237,7 +235,7 @@ public class GrantAsyncRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.SUCCESS, - auditRequestID, -@@ -250,7 +248,7 @@ public class GrantAsyncRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRequestID, -@@ -262,7 +260,7 @@ public class GrantAsyncRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRequestID, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java -index 9d57fbe..47054d9 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.EBaseException; - import 
com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.kra.IKeyService; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; -@@ -64,9 +65,6 @@ public class GrantRecovery extends CMSServlet { - private IKeyService mService = null; - private String mFormPath = null; - -- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; -- - /** - * Constructs EA servlet. - */ -@@ -243,7 +241,7 @@ public class GrantRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -266,7 +264,7 @@ public class GrantRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -@@ -279,7 +277,7 @@ public class GrantRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -@@ -291,7 +289,7 @@ public class GrantRecovery extends CMSServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN, -+ AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, --- -1.8.3.1 - - -From 20a307e4683e62b033f7662ed4aa2f18dfad6226 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Wed, 12 Apr 2017 05:23:15 +0200 -Subject: [PATCH 48/59] Reorganized audit event constants for configuration. - -Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542 ---- - .../dogtagpki/server/ca/rest/ProfileService.java | 5 +- - .../com/netscape/certsrv/logging/AuditEvent.java | 37 ++++++ - .../src/com/netscape/certsrv/logging/IAuditor.java | 3 - - .../cms/src/com/netscape/cms/logging/LogFile.java | 10 +- - .../com/netscape/cms/logging/RollingLogFile.java | 8 +- - .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +-- - .../cms/servlet/admin/ACLAdminServlet.java | 38 +++---- - .../netscape/cms/servlet/admin/AdminServlet.java | 10 +- - .../cms/servlet/admin/AuthAdminServlet.java | 96 ++++++++-------- - .../netscape/cms/servlet/admin/CAAdminServlet.java | 50 ++++----- - .../cms/servlet/admin/CMSAdminServlet.java | 86 +++++++------- - .../cms/servlet/admin/GroupMemberProcessor.java | 4 +- - .../cms/servlet/admin/KRAAdminServlet.java | 8 +- - .../cms/servlet/admin/LogAdminServlet.java | 113 +++++++++---------- - .../cms/servlet/admin/OCSPAdminServlet.java | 22 ++-- - .../cms/servlet/admin/PolicyAdminServlet.java | 62 +++++------ - .../cms/servlet/admin/ProfileAdminServlet.java | 124 ++++++++++----------- - .../cms/servlet/admin/UsrGrpAdminServlet.java | 120 ++++++++++---------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 17 ++- - .../netscape/cms/servlet/csadmin/RegisterUser.java | 14 +-- - .../servlet/csadmin/SecurityDomainProcessor.java | 4 +- - .../cms/servlet/csadmin/UpdateDomainXML.java | 11 +- - .../cms/servlet/processors/CAProcessor.java | 14 +-- - .../org/dogtagpki/server/rest/AuditService.java | 3 +- - .../org/dogtagpki/server/rest/GroupService.java | 4 +- - .../src/org/dogtagpki/server/rest/UserService.java | 6 +- - .../src/com/netscape/cmscore/cert/CertUtils.java | 18 ++- - .../cmscore/selftests/SelfTestSubsystem.java | 9 +- - 28 files changed, 445 insertions(+), 465 deletions(-) - -diff --git 
a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -index eae68ef..be61892 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -@@ -90,9 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource - private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID); - private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE = -- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3"; -- - @Override - public Response listProfiles(Integer start, Integer size) { - -@@ -1198,7 +1195,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - - public void auditProfileChange(String scope, String type, String id, String status, Map params) { - String msg = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditor.getSubjectID(), - status, - auditor.getParamString(scope, type, id, params)); -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index dc434fa..716e0d4 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -35,6 +35,43 @@ import com.netscape.certsrv.base.MessageFormatter; - */ - public class AuditEvent implements IBundleLogEvent { - -+ public final static String AUDIT_LOG_STARTUP = -+ "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; -+ public final static String AUDIT_LOG_SHUTDOWN = -+ "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; -+ public final static String CIMC_CERT_VERIFICATION = -+ "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; -+ public final static String ROLE_ASSUME = -+ 
"LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; -+ public final static String CONFIG_CERT_POLICY = -+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3"; -+ public final static String CONFIG_CERT_PROFILE = -+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3"; -+ public final static String CONFIG_CRL_PROFILE = -+ "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3"; -+ public final static String CONFIG_OCSP_PROFILE = -+ "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3"; -+ public final static String CONFIG_AUTH = -+ "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3"; -+ public final static String CONFIG_ROLE = -+ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -+ public final static String CONFIG_ACL = -+ "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; -+ public final static String CONFIG_SIGNED_AUDIT = -+ "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; -+ public final static String CONFIG_ENCRYPTION = -+ "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; -+ public final static String CONFIG_TRUSTED_PUBLIC_KEY = -+ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; -+ public final static String CONFIG_DRM = -+ "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; -+ public final static String SELFTESTS_EXECUTION = -+ "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; -+ public final static String AUDIT_LOG_DELETE = -+ "LOGGING_SIGNED_AUDIT_LOG_DELETE_3"; -+ public final static String LOG_PATH_CHANGE = -+ "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; -+ - public final static String PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java -index 1d31a8c..216015f 100644 ---- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java -+++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java -@@ -25,9 +25,6 @@ import java.util.Map; - */ - public interface IAuditor { - -- public final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = -- 
"LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -- - public final static String SIGNED_AUDIT_SCOPE = "Scope"; - public final static String SIGNED_AUDIT_OPERATION = "Operation"; - public final static String SIGNED_AUDIT_RESOURCE = "Resource"; -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index fdf3f83..989fece 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -102,10 +102,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - static final String PROP_BUFFER_SIZE = "bufferSize"; - static final String PROP_FLUSH_INTERVAL = "flushInterval"; - -- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP = -- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2"; -- private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN = -- "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2"; - private final static String LOG_SIGNED_AUDIT_EXCEPTION = - "LOG_SIGNED_AUDIT_EXCEPTION_1"; - -@@ -647,12 +643,12 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - try { - setupSigning(); - audit(CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, -+ AuditEvent.AUDIT_LOG_STARTUP, - ILogger.SYSTEM_UID, - ILogger.SUCCESS)); - } catch (EBaseException e) { - audit(CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP, -+ AuditEvent.AUDIT_LOG_STARTUP, - ILogger.SYSTEM_UID, - ILogger.FAILURE)); - throw e; -@@ -872,7 +868,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - - // log signed audit shutdown success - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN, -+ AuditEvent.AUDIT_LOG_SHUTDOWN, - ILogger.SYSTEM_UID, - ILogger.SUCCESS); - -diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -index fb70f46..5d2cdd9 100644 
---- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.IExtendedPluginInfo; - import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ELogException; - import com.netscape.certsrv.logging.ILogEvent; -@@ -95,9 +96,6 @@ public class RollingLogFile extends LogFile { - */ - private Object mExpLock = new Object(); - -- private final static String LOGGING_SIGNED_AUDIT_LOG_DELETE = -- "LOGGING_SIGNED_AUDIT_LOG_DELETE_3"; -- - /** - * Construct a RollingLogFile - */ -@@ -351,14 +349,14 @@ public class RollingLogFile extends LogFile { - if (file.exists()) { - // log failure in deleting an expired signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_LOG_DELETE, -+ AuditEvent.AUDIT_LOG_DELETE, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - fullname); - } else { - // log success in deleting an expired signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_LOG_DELETE, -+ AuditEvent.AUDIT_LOG_DELETE, - ILogger.SYSTEM_UID, - ILogger.SUCCESS, - fullname); -diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -index b1da188..2f47efa 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.ConflictingOperationException; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.SessionContext; 
-+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IEnrollProfile; -@@ -55,9 +56,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private Vector mConfigNames = new Vector(); - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = -- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -- - public SubsystemGroupUpdater() { - } - -@@ -166,7 +164,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - system.addUser(user); - CMS.debug("SubsystemGroupUpdater update: successfully add the user"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -196,7 +194,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - system.addUserCert(user); - CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -209,7 +207,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - } catch (Exception e) { - CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString()); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams); -@@ -240,7 +238,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - system.modifyGroup(group); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -253,7 +251,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - } catch (Exception e) { - CMS.debug("UpdateSubsystemGroup update: 
modifyGroup " + e.toString()); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java -index 1244da1..8c5da18 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java -@@ -38,6 +38,7 @@ import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; - import com.netscape.certsrv.evaluators.IAccessEvaluator; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - - /** -@@ -55,9 +56,6 @@ public class ACLAdminServlet extends AdminServlet { - private final static String INFO = "ACLAdminServlet"; - private IAuthzManager mAuthzMgr = null; - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL = -- "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; -- - /** - * initialize the servlet. - *

    -@@ -338,7 +336,7 @@ public class ACLAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -363,7 +361,7 @@ public class ACLAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -377,7 +375,7 @@ public class ACLAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -404,7 +402,7 @@ public class ACLAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -502,7 +500,7 @@ public class ACLAdminServlet extends AdminServlet { - if (type == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -544,7 +542,7 @@ public class ACLAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -567,7 +565,7 @@ public class ACLAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ACL, -+ AuditEvent.CONFIG_ACL, - auditSubjectID, - 
ILogger.FAILURE,
- auditParams(req));
-@@ -587,7 +585,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -612,7 +610,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -635,7 +633,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -660,7 +658,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -683,7 +681,7 @@ public class ACLAdminServlet extends AdminServlet {
- } catch (IOException eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -741,7 +739,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -762,7 +760,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -797,7 +795,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -812,7 +810,7 @@ public class ACLAdminServlet extends AdminServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -836,7 +834,7 @@ public class ACLAdminServlet extends AdminServlet {
- } catch (IOException eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_ACL,
-+ AuditEvent.CONFIG_ACL,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-index 0350e38..089fcbe 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
-@@ -122,8 +122,6 @@ public class AdminServlet extends HttpServlet {
- public static final String CERT_ATTR =
- "javax.servlet.request.X509Certificate";
-
-- private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
-- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
- private final static String CERTUSERDB =
- IAuthSubsystem.CERTUSERDB_AUTHMGR_ID;
- private final static String PASSWDUSERDB =
-@@ -657,7 +655,7 @@ public class AdminServlet extends HttpServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
-+ AuditEvent.ROLE_ASSUME,
- auditSubjectID,
- ILogger.FAILURE,
- auditGroups(auditSubjectID));
-@@ -680,7 +678,7 @@ public class AdminServlet extends HttpServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
-+ AuditEvent.ROLE_ASSUME,
- auditSubjectID,
- ILogger.FAILURE,
- auditGroups(auditSubjectID));
-@@ -701,7 +699,7 @@ public class AdminServlet extends HttpServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
-+ AuditEvent.ROLE_ASSUME,
- auditSubjectID,
- ILogger.FAILURE,
- auditGroups(auditSubjectID));
-@@ -723,7 +721,7 @@ public class AdminServlet extends HttpServlet {
-
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
-+ AuditEvent.ROLE_ASSUME,
- auditSubjectID,
- ILogger.SUCCESS,
- auditGroups(auditSubjectID));
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
-index 71cf8a2..253a9cd 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
-@@ -43,6 +43,7 @@ import com.netscape.certsrv.common.NameValuePairs;
- import com.netscape.certsrv.common.OpDef;
- import com.netscape.certsrv.common.ScopeDef;
- import com.netscape.certsrv.ldap.ILdapAuthInfo;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
-
- /**
-@@ -66,9 +67,6 @@ public class AuthAdminServlet extends AdminServlet {
- "PASSWORD_CACHE_ADD";
- private final static String EDIT = ";" + Constants.EDIT;
-
-- private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH =
-- "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
--
- public AuthAdminServlet() {
- super();
- }
-@@ -382,7 +380,7 @@ public class AuthAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
-+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -399,7 +397,7 @@ public class AuthAdminServlet extends AdminServlet { - if (mAuths.getPlugins().containsKey(id)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -419,7 +417,7 @@ public class AuthAdminServlet extends AdminServlet { - if (classPath == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -436,7 +434,7 @@ public class AuthAdminServlet extends AdminServlet { - classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -464,7 +462,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (ClassNotFoundException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -478,7 +476,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IllegalArgumentException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -496,7 +494,7 @@ public class AuthAdminServlet extends AdminServlet { - if (IAuthManager.class.isAssignableFrom(newImpl) == false) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ 
AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -511,7 +509,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (NullPointerException e) { // unlikely, only if newImpl null. - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -534,7 +532,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -559,7 +557,7 @@ public class AuthAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -583,7 +581,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -638,7 +636,7 @@ public class AuthAdminServlet extends AdminServlet { - if (id == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -655,7 +653,7 @@ public class AuthAdminServlet extends AdminServlet { - if (mAuths.getInstances().containsKey(id)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -676,7 +674,7 
@@ public class AuthAdminServlet extends AdminServlet { - if (implname == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -703,7 +701,7 @@ public class AuthAdminServlet extends AdminServlet { - if (plugin == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -756,7 +754,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (ClassNotFoundException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -774,7 +772,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (InstantiationException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -791,7 +789,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IllegalAccessException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -813,7 +811,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -832,7 +830,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message 
in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -859,7 +857,7 @@ public class AuthAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -871,7 +869,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -883,7 +881,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -986,7 +984,7 @@ public class AuthAdminServlet extends AdminServlet { - if (id == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1011,7 +1009,7 @@ public class AuthAdminServlet extends AdminServlet { - if (mAuths.getPlugins().containsKey(id) == false) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1034,7 +1032,7 @@ public class AuthAdminServlet extends AdminServlet { - if (authMgr.getImplName() == id) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ 
AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1063,7 +1061,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1078,7 +1076,7 @@ public class AuthAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1102,7 +1100,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1158,7 +1156,7 @@ public class AuthAdminServlet extends AdminServlet { - if (id == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1183,7 +1181,7 @@ public class AuthAdminServlet extends AdminServlet { - if (mAuths.getInstances().containsKey(id) == false) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1216,7 +1214,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1238,7 +1236,7 @@ public class 
AuthAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1262,7 +1260,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1409,7 +1407,7 @@ public class AuthAdminServlet extends AdminServlet { - if (id == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1434,7 +1432,7 @@ public class AuthAdminServlet extends AdminServlet { - if (!mAuths.getInstances().containsKey(id)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1453,7 +1451,7 @@ public class AuthAdminServlet extends AdminServlet { - if (implname == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1472,7 +1470,7 @@ public class AuthAdminServlet extends AdminServlet { - if (plugin == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1548,7 +1546,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (ClassNotFoundException e) { - // store a message in the signed audit log file - 
auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1566,7 +1564,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (InstantiationException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1583,7 +1581,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IllegalAccessException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1606,7 +1604,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1625,7 +1623,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1652,7 +1650,7 @@ public class AuthAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1664,7 +1662,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, 
- ILogger.FAILURE, - auditParams(req)); -@@ -1676,7 +1674,7 @@ public class AuthAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_AUTH, -+ AuditEvent.CONFIG_AUTH, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java -index 09c77e5..5ece2c8 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequestListener; - import com.netscape.cmsutil.util.Utils; -@@ -62,9 +63,6 @@ public class CAAdminServlet extends AdminServlet { - - private final static String INFO = "CAAdminServlet"; - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE = -- "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3"; -- - private ICertificateAuthority mCA = null; - protected static final String PROP_ENABLED = "enabled"; - -@@ -537,7 +535,7 @@ public class CAAdminServlet extends AdminServlet { - if (ipId == null || ipId.length() == 0) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -554,7 +552,7 @@ public class CAAdminServlet extends AdminServlet { - if (desc == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -587,7 +585,7 @@ public class CAAdminServlet extends AdminServlet { - if (ipId.equals(name)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -601,7 +599,7 @@ public class CAAdminServlet extends AdminServlet { - if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -615,7 +613,7 @@ public class CAAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -626,7 +624,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -638,7 +636,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -693,7 +691,7 @@ public class CAAdminServlet extends AdminServlet { - if (ipId == null || ipId.length() == 0) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -710,7 +708,7 @@ public class CAAdminServlet extends AdminServlet { - if (desc == null) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -762,7 +760,7 @@ public class CAAdminServlet extends AdminServlet { - if (!done) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -776,7 +774,7 @@ public class CAAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -787,7 +785,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -799,7 +797,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -869,7 +867,7 @@ public class CAAdminServlet extends AdminServlet { - if (!done) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - 
ILogger.FAILURE, - auditParams(req)); -@@ -884,7 +882,7 @@ public class CAAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -895,7 +893,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -907,7 +905,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1039,7 +1037,7 @@ public class CAAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1050,7 +1048,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1062,7 +1060,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1246,7 +1244,7 @@ public class 
CAAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1260,7 +1258,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1272,7 +1270,7 @@ public class CAAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, -+ AuditEvent.CONFIG_CRL_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index 3e73dc6..229c377 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -106,14 +106,6 @@ public final class CMSAdminServlet extends AdminServlet { - - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static byte EOL[] = { Character.LINE_SEPARATOR }; -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION = -- "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY = -- "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; -- private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION = -- "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; -- private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = -- "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; - - 
// CMS must be instantiated before this admin servlet. - -@@ -574,7 +566,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (tokenizer.countTokens() != 2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, -+ AuditEvent.CONFIG_ENCRYPTION, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -599,7 +591,7 @@ public final class CMSAdminServlet extends AdminServlet { - } else - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, -+ AuditEvent.CONFIG_ENCRYPTION, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -636,7 +628,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, -+ AuditEvent.CONFIG_ENCRYPTION, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -648,7 +640,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, -+ AuditEvent.CONFIG_ENCRYPTION, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -660,7 +652,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, -+ AuditEvent.CONFIG_ENCRYPTION, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1494,7 +1486,7 @@ public final class CMSAdminServlet extends AdminServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); 
-@@ -1514,7 +1506,7 @@ public final class CMSAdminServlet extends AdminServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1534,7 +1526,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (nickname.equals("")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1781,7 +1773,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1794,7 +1786,7 @@ public final class CMSAdminServlet extends AdminServlet { - CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1807,7 +1799,7 @@ public final class CMSAdminServlet extends AdminServlet { - CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1900,7 +1892,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (certpath == null || certpath.equals("")) { - // store a message in the signed audit log file - 
auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1934,7 +1926,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException ee) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1964,7 +1956,7 @@ public final class CMSAdminServlet extends AdminServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2193,7 +2185,7 @@ public final class CMSAdminServlet extends AdminServlet { - verified = true; - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - auditSubjectID, - ILogger.SUCCESS, - nickname); -@@ -2203,7 +2195,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (Exception e) { - CMS.debug(e); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - auditSubjectID, - ILogger.FAILURE, - nickname); -@@ -2213,7 +2205,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -2230,7 +2222,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2242,7 +2234,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2319,7 +2311,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (certpath == null || certpath.equals("")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2352,7 +2344,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException ee) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2386,7 +2378,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2405,7 +2397,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2426,7 +2418,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a 
message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -2437,7 +2429,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2449,7 +2441,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2952,7 +2944,7 @@ public final class CMSAdminServlet extends AdminServlet { - jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust); - } catch (EBaseException e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2964,7 +2956,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -3020,7 +3012,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -3032,7 +3024,7 @@ public final class CMSAdminServlet 
extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -3044,7 +3036,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, -+ AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -3132,7 +3124,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3185,7 +3177,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3215,7 +3207,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3268,7 +3260,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3316,7 +3308,7 @@ public final class CMSAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.SUCCESS); - -@@ -3336,7 +3328,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (EMissingSelfTestException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3347,7 +3339,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (ESelfTestException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -@@ -3358,7 +3350,7 @@ public final class CMSAdminServlet extends AdminServlet { - } catch (IOException eAudit3) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - auditSubjectID, - ILogger.FAILURE); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -index f974db4..00f960e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -@@ -43,8 +43,8 @@ import com.netscape.certsrv.group.GroupMemberCollection; - import com.netscape.certsrv.group.GroupMemberData; - import com.netscape.certsrv.group.GroupNotFoundException; - import com.netscape.certsrv.group.GroupResource; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; --import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.IGroup; - import 
com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -388,6 +388,6 @@ public class GroupMemberProcessor extends Processor { - } - - public void audit(String type, String id, Map params, String status) { -- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); -+ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java -index 3f9f558..5583d12 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java -@@ -32,6 +32,7 @@ import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - - /** -@@ -54,9 +55,6 @@ public class KRAAdminServlet extends AdminServlet { - - private IKeyRecoveryAuthority mKRA = null; - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM = -- "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; -- - /** - * Constructs KRA servlet. 
- */ -@@ -204,7 +202,7 @@ public class KRAAdminServlet extends AdminServlet { - mKRA.setNoOfRequiredAgents(number); - } catch (NumberFormatException e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_DRM, -+ AuditEvent.CONFIG_DRM, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -218,7 +216,7 @@ public class KRAAdminServlet extends AdminServlet { - commit(true); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_DRM, -+ AuditEvent.CONFIG_DRM, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -index 13ba52c..c424520 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ELogException; - import com.netscape.certsrv.logging.ELogNotFound; - import com.netscape.certsrv.logging.ELogPluginNotFound; -@@ -64,10 +65,6 @@ public class LogAdminServlet extends AdminServlet { - private ILogSubsystem mSys = null; - - private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit"; -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT = -- "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; -- private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE = -- "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - - /** - * Constructs Log servlet. 
-@@ -439,7 +436,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -458,7 +455,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -479,7 +476,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -508,7 +505,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -524,7 +521,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -544,7 +541,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ 
AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -561,7 +558,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -588,7 +585,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -612,7 +609,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -637,7 +634,7 @@ public class LogAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -709,7 +706,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -727,7 +724,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = 
CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -744,7 +741,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -766,7 +763,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -789,7 +786,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -849,7 +846,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -868,7 +865,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -887,7 +884,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file 
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -912,7 +909,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -928,7 +925,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -950,7 +947,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -974,7 +971,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -999,7 +996,7 @@ public class LogAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1103,7 +1100,7 @@ public class LogAdminServlet extends 
AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1122,7 +1119,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1158,7 +1155,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1175,7 +1172,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1200,7 +1197,7 @@ public class LogAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1265,7 +1262,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - 
auditParams(req)); -@@ -1283,7 +1280,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1308,7 +1305,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1339,7 +1336,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1356,7 +1353,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1381,7 +1378,7 @@ public class LogAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ AuditEvent.CONFIG_SIGNED_AUDIT, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1472,7 +1469,7 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, -+ 
AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1491,7 +1488,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1512,7 +1509,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1534,7 +1531,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1673,7 +1670,7 @@ public class LogAdminServlet extends AdminServlet {
- // file (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -1686,7 +1683,7 @@ public class LogAdminServlet extends AdminServlet {
- // file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1775,7 +1772,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -1801,7 +1798,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1827,7 +1824,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -1852,7 +1849,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1878,7 +1875,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -1903,7 +1900,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1937,7 +1934,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -1962,7 +1959,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1996,7 +1993,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.SUCCESS,
- logType,
-@@ -2021,7 +2018,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -2042,7 +2039,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -2067,7 +2064,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2088,7 +2085,7 @@ public class LogAdminServlet extends AdminServlet {
- // (regardless of logType)
- if (!(newLogPath.equals(origLogPath))) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
-+ AuditEvent.LOG_PATH_CHANGE,
- auditSubjectID,
- ILogger.FAILURE,
- logType,
-@@ -2113,7 +2110,7 @@ public class LogAdminServlet extends AdminServlet {
- // store a message in the signed audit log file
- if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
-+ AuditEvent.CONFIG_SIGNED_AUDIT,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
-index a7ff922..ee1c3a2 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
-@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
- import com.netscape.certsrv.common.NameValuePairs;
- import com.netscape.certsrv.common.OpDef;
- import com.netscape.certsrv.common.ScopeDef;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.ocsp.IOCSPAuthority;
- import com.netscape.certsrv.ocsp.IOCSPStore;
-@@ -57,9 +58,6 @@ public class OCSPAdminServlet extends AdminServlet {
- 
- private final static String INFO = "OCSPAdminServlet";
- 
-- private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE =
-- "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3";
--
- private IOCSPAuthority mOCSP = null;
- 
- public OCSPAdminServlet() {
-@@ -256,7 +254,7 @@ public class OCSPAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -267,7 +265,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (EBaseException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -279,7 +277,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (IOException eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -368,7 +366,7 @@ public class OCSPAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -379,7 +377,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (EBaseException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -391,7 +389,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (IOException eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -503,7 +501,7 @@ public class OCSPAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -514,7 +512,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (EBaseException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -526,7 +524,7 @@ public class OCSPAdminServlet extends AdminServlet {
- } catch (IOException eAudit2) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
-+ AuditEvent.CONFIG_OCSP_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
-index 1fe9c87..7a09e83 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
-@@ -41,6 +41,7 @@ import com.netscape.certsrv.common.NameValuePairs;
- import com.netscape.certsrv.common.OpDef;
- import com.netscape.certsrv.common.ScopeDef;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.ra.IRegistrationAuthority;
- 
-@@ -83,9 +84,6 @@ public class PolicyAdminServlet extends AdminServlet {
- public static String COMMA = ",";
- public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
- 
-- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY =
-- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
--
- /**
- * Constructs administration servlet.
- */
-@@ -506,7 +504,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -522,7 +520,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -535,7 +533,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -547,7 +545,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -628,7 +626,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -644,7 +642,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (classPath == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -659,7 +657,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -670,7 +668,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -682,7 +680,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -735,7 +733,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -751,7 +749,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -764,7 +762,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -776,7 +774,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -875,7 +873,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -892,7 +890,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (implName == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -925,7 +923,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -956,7 +954,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -967,7 +965,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -979,7 +977,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1032,7 +1030,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (policyOrder == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1047,7 +1045,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1058,7 +1056,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1070,7 +1068,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1123,7 +1121,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1140,7 +1138,7 @@ public class PolicyAdminServlet extends AdminServlet {
- if (implName == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1172,7 +1170,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1208,7 +1206,7 @@ public class PolicyAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1219,7 +1217,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1231,7 +1229,7 @@ public class PolicyAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
-+ AuditEvent.CONFIG_CERT_POLICY,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
-index b418baf..c4b40c0 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
-@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
- import com.netscape.certsrv.common.NameValuePairs;
- import com.netscape.certsrv.common.OpDef;
- import com.netscape.certsrv.common.ScopeDef;
-+import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.profile.EProfileException;
- import com.netscape.certsrv.profile.IPolicyConstraint;
-@@ -88,9 +89,6 @@ public class ProfileAdminServlet extends AdminServlet {
- public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
- public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
- 
-- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
-- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
--
- /**
- * Constructs administration servlet.
- */
-@@ -425,7 +423,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -475,7 +473,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -492,7 +490,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -503,7 +501,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -566,7 +564,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -599,7 +597,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -617,7 +615,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -628,7 +626,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -691,7 +689,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -725,7 +723,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -743,7 +741,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -754,7 +752,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -826,7 +824,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -848,7 +846,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -863,7 +861,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -874,7 +872,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -948,7 +946,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -965,7 +963,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (EBaseException e1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -980,7 +978,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -991,7 +989,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1065,7 +1063,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1082,7 +1080,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (EBaseException e1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1097,7 +1095,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1108,7 +1106,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1170,7 +1168,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1219,7 +1217,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1233,7 +1231,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1244,7 +1242,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1306,7 +1304,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1356,7 +1354,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1371,7 +1369,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1382,7 +1380,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1444,7 +1442,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1488,7 +1486,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1502,7 +1500,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1513,7 +1511,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1575,7 +1573,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1607,7 +1605,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1621,7 +1619,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1632,7 +1630,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1694,7 +1692,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1727,7 +1725,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1741,7 +1739,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1752,7 +1750,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1814,7 +1812,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1861,7 +1859,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (Exception e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -1876,7 +1874,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -1887,7 +1885,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2278,7 +2276,7 @@ public class ProfileAdminServlet extends AdminServlet {
- if (id == null) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2294,7 +2292,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (EProfileException e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2307,7 +2305,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.SUCCESS,
- auditParams(req));
-@@ -2318,7 +2316,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (IOException eAudit1) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2391,7 +2389,7 @@ public class ProfileAdminServlet extends AdminServlet {
- if (id == null || id.trim().equals("") || !isValidId(id)) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2441,7 +2439,7 @@ public class ProfileAdminServlet extends AdminServlet {
- } catch (EBaseException e) {
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-@@ -2480,7 +2478,7 @@ public class ProfileAdminServlet extends AdminServlet {
- 
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
-+ AuditEvent.CONFIG_CERT_PROFILE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req)); -@@ -2493,7 +2491,7 @@ public class ProfileAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -2504,7 +2502,7 @@ public class ProfileAdminServlet extends AdminServlet { - } catch (IOException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2563,7 +2561,7 @@ public class ProfileAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2591,7 +2589,7 @@ public class ProfileAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -2607,7 +2605,7 @@ public class ProfileAdminServlet extends AdminServlet { - } catch (IOException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, -+ AuditEvent.CONFIG_CERT_PROFILE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -index cce1ce3..1c38b88 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -@@ -48,6 +48,7 @@ import 
com.netscape.certsrv.common.Constants; - import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.password.IPasswordCheck; -@@ -87,9 +88,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - - private final static String BACK_SLASH = "\\"; - -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = -- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -- - private IUGSubsystem mMgr = null; - - private static String[] mMultiRoleGroupEnforceList = null; -@@ -682,7 +680,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -701,7 +699,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -720,7 +718,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -743,7 +741,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -770,7 +768,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (!passwdCheck.isGoodPassword(pword)) { - // store a 
message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -823,7 +821,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -846,7 +844,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -872,7 +870,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -886,7 +884,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -907,7 +905,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -921,7 +919,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -933,7 +931,7 @@ public class UsrGrpAdminServlet 
extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -993,7 +991,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1016,7 +1014,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1056,7 +1054,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (p7certs.length == 0) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1091,7 +1089,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1157,7 +1155,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1173,7 +1171,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - 
auditParams(req)); -@@ -1195,7 +1193,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1211,7 +1209,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1227,7 +1225,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1241,7 +1239,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (ConflictingOperationException e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1257,7 +1255,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1283,7 +1281,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1346,7 +1344,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1368,7 +1366,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1386,7 +1384,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1400,7 +1398,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1426,7 +1424,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1497,7 +1495,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1519,7 +1517,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1539,7 +1537,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } else { - // store a message in the 
signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1561,7 +1559,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1573,7 +1571,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception ex) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1587,7 +1585,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1599,7 +1597,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1660,7 +1658,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1698,7 +1696,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); 
-@@ -1710,7 +1708,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception e) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1725,7 +1723,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1737,7 +1735,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1798,7 +1796,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1817,7 +1815,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1828,7 +1826,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1840,7 +1838,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the 
signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1903,7 +1901,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1956,7 +1954,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -1980,7 +1978,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -1993,7 +1991,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2008,7 +2006,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2020,7 +2018,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2152,7 
+2150,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2176,7 +2174,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2201,7 +2199,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (!passwdCheck.isGoodPassword(pword)) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2232,7 +2230,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams(req)); -@@ -2246,7 +2244,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2260,7 +2258,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -@@ -2272,7 +2270,7 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (IOException eAudit2) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- 
LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams(req)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index 01f9f07..c7fc03b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -245,9 +245,6 @@ public abstract class CMSServlet extends HttpServlet { - private IUGSubsystem mUG = (IUGSubsystem) - CMS.getSubsystem(CMS.SUBSYSTEM_UG); - -- private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = -- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; -- - public CMSServlet() { - } - -@@ -1840,7 +1837,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.SUCCESS, - auditGroupID); -@@ -1857,7 +1854,7 @@ public abstract class CMSServlet extends HttpServlet { - audit(auditMessage); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.FAILURE, - auditGroupID); -@@ -1876,7 +1873,7 @@ public abstract class CMSServlet extends HttpServlet { - audit(auditMessage); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.FAILURE, - auditGroupID); -@@ -1974,7 +1971,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - ILogger.SUCCESS, - auditGroups(auditSubjectID)); -@@ -1993,7 +1990,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( 
-- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - ILogger.FAILURE, - auditGroups(auditSubjectID)); -@@ -2015,7 +2012,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - ILogger.FAILURE, - auditGroups(auditSubjectID)); -@@ -2036,7 +2033,7 @@ public abstract class CMSServlet extends HttpServlet { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.FAILURE, - auditGroups(auditSubjectID)); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -index 74197a4..f02932e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.authorization.EAuthzAccessDenied; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.ICertUserLocator; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -65,9 +66,6 @@ public class RegisterUser extends CMSServlet { - private final static String SUCCESS = "0"; - private final static String AUTH_FAILURE = "2"; - private String mGroupName = null; -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = -- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -- - public RegisterUser() { - super(); - } -@@ -202,7 +200,7 @@ public class RegisterUser extends CMSServlet { - ugsys.addUser(user); - CMS.debug("RegisterUser created user " + uid); - 
auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -227,7 +225,7 @@ public class RegisterUser extends CMSServlet { - ugsys.addUserCert(user); - CMS.debug("RegisterUser added user certificate"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -237,7 +235,7 @@ public class RegisterUser extends CMSServlet { - } catch (Exception eee) { - CMS.debug("RegisterUser error " + eee.toString()); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams); -@@ -270,7 +268,7 @@ public class RegisterUser extends CMSServlet { - CMS.debug("RegisterUser modified group"); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - auditParams); -@@ -279,7 +277,7 @@ public class RegisterUser extends CMSServlet { - } - } catch (Exception e) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - auditParams); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -index 69e76fc..cd769db 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -@@ -90,7 +90,7 @@ public class SecurityDomainProcessor extends CAProcessor { - - if (!ugSubsystem.isMemberOf(user, group)) { - String message = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - user, - ILogger.FAILURE, - group); -@@ -100,7 +100,7 @@ public class SecurityDomainProcessor extends 
CAProcessor { - } - - String message = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - user, - ILogger.SUCCESS, - group); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -index bed4357..5872ab0 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -@@ -63,9 +63,6 @@ public class UpdateDomainXML extends CMSServlet { - private static final long serialVersionUID = 4059169588555717548L; - private final static String SUCCESS = "0"; - private final static String FAILED = "1"; -- private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE = -- "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3"; -- - public UpdateDomainXML() { - super(); - } -@@ -372,7 +369,7 @@ public class UpdateDomainXML extends CMSServlet { - status2 = remove_from_ldap(adminUserDN); - if (status2.equals(SUCCESS)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - userAuditParams); -@@ -388,13 +385,13 @@ public class UpdateDomainXML extends CMSServlet { - status2 = modify_ldap(dn, mod); - if (status2.equals(SUCCESS)) { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.SUCCESS, - userAuditParams); - } else { - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - userAuditParams); -@@ -402,7 +399,7 @@ public class UpdateDomainXML extends CMSServlet { - audit(auditMessage); - } else { // error deleting user - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CONFIG_ROLE, -+ AuditEvent.CONFIG_ROLE, - auditSubjectID, - ILogger.FAILURE, - userAuditParams); -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 5669233..ad79cbb 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -117,8 +117,6 @@ public class CAProcessor extends Processor { - public static final String ACL_INFO = "ACLinfo"; - public static final String PROFILE_SUB_ID = "profileSubId"; - -- public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = -- "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; - public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = - "requestNotes"; - -@@ -731,7 +729,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.SUCCESS, - auditGroupID); -@@ -748,7 +746,7 @@ public class CAProcessor extends Processor { - audit(auditMessage); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.FAILURE, - auditGroupID); -@@ -767,7 +765,7 @@ public class CAProcessor extends Processor { - audit(auditMessage); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditSubjectID, - ILogger.FAILURE, - auditGroupID); -@@ -864,7 +862,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - ILogger.SUCCESS, - auditGroups(auditSubjectID)); -@@ -883,7 +881,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - 
ILogger.FAILURE, - auditGroups(auditSubjectID)); -@@ -905,7 +903,7 @@ public class CAProcessor extends Processor { - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_ROLE_ASSUME, -+ AuditEvent.ROLE_ASSUME, - auditID, - ILogger.FAILURE, - auditGroups(auditSubjectID)); -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -index 7bb048f..2d5b371 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.base.ResourceNotFoundException; - import com.netscape.certsrv.logging.AuditConfig; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFile; - import com.netscape.certsrv.logging.AuditFileCollection; - import com.netscape.certsrv.logging.AuditResource; -@@ -412,7 +413,7 @@ public class AuditService extends SubsystemService implements AuditResource { - public void auditTPSConfigSignedAudit(String status, Map params) { - - String msg = CMS.getLogMessage( -- "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3", -+ AuditEvent.CONFIG_SIGNED_AUDIT, - servletRequest.getUserPrincipal().getName(), - status, - auditor.getParamString(null, params)); -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -index 4ee2810..4aa0209 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -@@ -40,7 +40,7 @@ import com.netscape.certsrv.group.GroupData; - import com.netscape.certsrv.group.GroupMemberData; - import com.netscape.certsrv.group.GroupNotFoundException; - import 
com.netscape.certsrv.group.GroupResource; --import com.netscape.certsrv.logging.IAuditor; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IGroupConstants; -@@ -432,6 +432,6 @@ public class GroupService extends SubsystemService implements GroupResource { - } - - public void audit(String type, String id, Map params, String status) { -- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); -+ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); - } - } -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -index eeadba5..e10c4f5 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -@@ -52,7 +52,7 @@ import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; - import com.netscape.certsrv.dbs.certdb.CertId; - import com.netscape.certsrv.group.GroupMemberData; --import com.netscape.certsrv.logging.IAuditor; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.password.IPasswordCheck; - import com.netscape.certsrv.user.UserCertCollection; -@@ -1227,10 +1227,10 @@ public class UserService extends SubsystemService implements UserResource { - } - - public void auditUser(String type, String id, Map params, String status) { -- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); -+ audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); - } - - public void auditUserCert(String type, String id, Map params, String status) { -- audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); -+ 
audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); - } - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -index 400ad0c..e1c4c76 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -@@ -41,6 +41,7 @@ import org.mozilla.jss.CryptoManager.CertificateUsage; - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.cmsutil.util.Utils; - -@@ -84,9 +85,6 @@ public class CertUtils { - "-----END CERTIFICATE REVOCATION LIST-----"; - - protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = -- "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; -- - /** - * Remove the header and footer in the PKCS10 request. - */ -@@ -911,7 +909,7 @@ public class CertUtils { - if (subsysType == null) { - CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. 
System certificates verification not done"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -@@ -936,7 +934,7 @@ public class CertUtils { - verifySystemCertByNickname(nickname, certusage); - - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.SUCCESS, - nickname); -@@ -947,7 +945,7 @@ public class CertUtils { - CMS.debug("CertUtils: verifySystemCertsByTag() failed: " + - e.toString()); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -@@ -1009,7 +1007,7 @@ public class CertUtils { - if (subsysType.equals("")) { - CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -@@ -1022,7 +1020,7 @@ public class CertUtils { - if (subsysType == null) { - CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -@@ -1036,7 +1034,7 @@ public class CertUtils { - CMS.debug("CertUtils: verifySystemCerts() " - + subsysType + ".cert.list not defined in CS.cfg. 
System certificates verification not done"); - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -@@ -1056,7 +1054,7 @@ public class CertUtils { - } catch (Exception e) { - // audit here - auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, -+ AuditEvent.CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, - ILogger.FAILURE, - ""); -diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -index 4ddb42c..95556b9 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -@@ -96,9 +96,6 @@ public class SelfTestSubsystem - private static final String ELEMENT_DELIMITER = ":"; - private static final String CRITICAL = "critical"; - -- private static final String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION = -- "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2"; -- - ///////////////////// - // default methods // - ///////////////////// -@@ -1809,7 +1806,7 @@ public class SelfTestSubsystem - - // store a message in the signed audit log file - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - ILogger.SYSTEM_UID, - ILogger.SUCCESS); - -@@ -1819,7 +1816,7 @@ public class SelfTestSubsystem - - // store a message in the signed audit log file - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - ILogger.SYSTEM_UID, - ILogger.FAILURE); - -@@ -1832,7 +1829,7 @@ public class SelfTestSubsystem - - // store a message in the signed audit log file - String auditMessage = CMS.getLogMessage( -- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, -+ AuditEvent.SELFTESTS_EXECUTION, - 
ILogger.SYSTEM_UID, - ILogger.FAILURE); - --- -1.8.3.1 - - -From eb7c9139c1ab017a8749d87e163e9dcc42037fb2 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 11 Apr 2017 14:18:32 -0400 -Subject: [PATCH 49/59] Modified CRMFPopClient to use correct wrapping for - encrypt case - -When the server cannot do key wrapping using the AES KeyWrap, -probably because the backend HSM cannot do key wrapping, then -there is a setting to allow it to use encrypt/decrypt instead. - -If the key wrap algorithm is something simple like 3DES or AES-CBC, -then the client can just use key wrapping to wrap the key on its -token, and the server can use an encryption algorithm to decrypt. -The client does not need to know that the server cannot handle a -key wrap, because keywrapping and encryption are pretty much the -same mechanism - just either in server memory or not. - -When we do key wrapping using AES KeyWrap though, there is no -corresponding encryption algorithm used to decrypt. So the server -cannot simply decrypt a message wrapped with AES Keywrap (or at least -not in any obvious way). So in this case, the client needs to know -if the server can handle keywrap. - -The patch therefore does the following: -1. For CRMFPopClient, adds a command line option to specify if key - wrapping or encryption is required. -2. Reads an environment variable if no option is provided. -3. If encryption is specified, uses key wrapping using AES-CBC - which can be decrypted on the server side. -4. For cert-client, contacts the server to determine from the - CAInfoResource if keywrapping is supported. 
- -Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c ---- - .../src/com/netscape/certsrv/key/KeyClient.java | 3 ++ - .../netscape/certsrv/util/NSSCryptoProvider.java | 2 +- - .../src/com/netscape/cmstools/CRMFPopClient.java | 43 +++++++++++++++++++--- - .../cmstools/client/ClientCertRequestCLI.java | 28 ++++++++++++-- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 16 +------- - 5 files changed, 69 insertions(+), 23 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java -index 750d270..dea44b1 100644 ---- a/base/common/src/com/netscape/certsrv/key/KeyClient.java -+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java -@@ -27,6 +27,7 @@ import java.util.List; - import javax.ws.rs.core.Response; - - import org.dogtagpki.common.Info; -+import org.dogtagpki.common.KRAInfoResource; - import org.dogtagpki.common.Version; - import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.KeyWrapAlgorithm; -@@ -49,6 +50,7 @@ public class KeyClient extends Client { - - public KeyResource keyClient; - public KeyRequestResource keyRequestClient; -+ public KRAInfoResource kraInfoClient; - - private CryptoProvider crypto; - private String transportCert; -@@ -92,6 +94,7 @@ public class KeyClient extends Client { - public void init() throws URISyntaxException { - keyClient = createProxy(KeyResource.class); - keyRequestClient = createProxy(KeyRequestResource.class); -+ kraInfoClient = createProxy(KRAInfoResource.class); - } - - public CryptoProvider getCrypto() { -diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java -index 1d2edbc..be8dd24 100644 ---- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java -+++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java -@@ -140,7 +140,7 @@ public class NSSCryptoProvider extends CryptoProvider { - if 
(token == null) { - throw new NotInitializedException(); - } -- return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm); -+ return CryptoUtil.encryptPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm); - } - - @Override -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 9d81a72..c5da9cf 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -40,6 +40,7 @@ import org.apache.http.HttpResponse; - import org.apache.http.client.methods.HttpGet; - import org.apache.http.impl.client.DefaultHttpClient; - import org.apache.http.util.EntityUtils; -+import org.dogtagpki.common.KRAInfoResource; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.ASN1Util; - import org.mozilla.jss.asn1.BIT_STRING; -@@ -182,6 +183,10 @@ public class CRMFPopClient { - option.setArgName("extractable"); - options.addOption(option); - -+ option = new Option("g", true, "KeyWrap"); -+ option.setArgName("keyWrap"); -+ options.addOption(option); -+ - options.addOption("v", "verbose", false, "Run in verbose mode."); - options.addOption(null, "help", false, "Show help message."); - -@@ -210,6 +215,9 @@ public class CRMFPopClient { - System.out.println(" - POP_NONE: without POP"); - System.out.println(" - POP_SUCCESS: with valid POP"); - System.out.println(" - POP_FAIL: with invalid POP (for testing)"); -+ System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); -+ System.out.println(" - true: use a key wrapping algorithm"); -+ System.out.println(" - false: use an encryption algorithm"); - System.out.println(" -b PEM transport certificate (default: transport.txt)"); - System.out.println(" -v, --verbose Run in verbose mode."); - System.out.println(" --help Show help message."); -@@ -302,6 +310,16 @@ public 
class CRMFPopClient { - int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); - int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); - -+ boolean keyWrap = true; -+ if (cmd.hasOption("g")) { -+ keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); -+ } else { -+ String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); -+ if (useKeyWrap != null) { -+ keyWrap = Boolean.parseBoolean(useKeyWrap); -+ } -+ } -+ - String output = cmd.getOptionValue("o"); - - String hostPort = cmd.getOptionValue("m"); -@@ -440,8 +458,11 @@ public class CRMFPopClient { - String kid = CryptoUtil.byte2string(id); - System.out.println("Keypair private key id: " + kid); - -+ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : -+ KRAInfoResource.ENCRYPT_MECHANISM; - if (verbose) System.out.println("Creating certificate request"); -- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); -+ CertRequest certRequest = client.createCertRequest( -+ token, transportCert, algorithm, keyPair, subject, archivalMechanism); - - ProofOfPossession pop = null; - -@@ -550,7 +571,8 @@ public class CRMFPopClient { - X509Certificate transportCert, - String algorithm, - KeyPair keyPair, -- Name subject) throws Exception { -+ Name subject, -+ String archivalMechanism) throws Exception { - EncryptionAlgorithm encryptAlg = null; - String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); - -@@ -563,7 +585,7 @@ public class CRMFPopClient { - - byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); - AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); -- WrappingParams params = getWrappingParams(encryptAlg, iv); -+ WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); - - PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( - token, -@@ -583,12 +605,23 @@ public class CRMFPopClient { - return new CertRequest(new INTEGER(1), 
certTemplate, seq); - } - -- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception { -+ private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, -+ String archivalMechanism) throws Exception { - if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { -+ KeyWrapAlgorithm wrapAlg = null; -+ IVParameterSpec wrapIVS = null; -+ if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { -+ // We will use AES_CBC_PAD as the a key wrap mechanism. This -+ // can be decrypted using the same mechanism on the server. -+ wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; -+ wrapIVS = new IVParameterSpec(wrapIV); -+ } else { -+ wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; -+ } - return new WrappingParams( - SymmetricKey.AES, KeyGenAlgorithm.AES, 128, - KeyWrapAlgorithm.RSA, encryptAlg, -- KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null); -+ wrapAlg, wrapIVS, wrapIVS); - } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { - return new WrappingParams( - SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -index 6562699..8ca857b 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -@@ -29,6 +29,8 @@ import java.util.Vector; - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; - import org.apache.commons.io.FileUtils; -+import org.dogtagpki.common.CAInfoClient; -+import org.dogtagpki.common.KRAInfoResource; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.Signature; -@@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI { - CryptoManager manager = CryptoManager.getInstance(); - X509Certificate 
transportCert = manager.importCACertPackage(transportCertData); - -+ // get archival mechanism -+ CAInfoClient infoClient = new CAInfoClient(client, "ca"); -+ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ try { -+ archivalMechanism = infoClient.getInfo().getArchivalMechanism(); -+ } catch (Exception e) { -+ // this could be an older server, check for environment variable. -+ String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); -+ if (useKeyWrapping != null) { -+ if (Boolean.parseBoolean(useKeyWrapping)) { -+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ } else { -+ archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM; -+ } -+ } -+ } -+ - csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, -- algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop); -+ algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, -+ archivalMechanism); - - } else { - throw new Exception("Unknown request type: " + requestType); -@@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI { - boolean temporary, - int sensitive, - int extractable, -- boolean withPop -+ boolean withPop, -+ String archivalMechanism - ) throws Exception { - - CryptoManager manager = CryptoManager.getInstance(); -@@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI { - throw new Exception("Unknown algorithm: " + algorithm); - } - -- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); -+ CertRequest certRequest = client.createCertRequest( -+ token, transportCert, algorithm, keyPair, subject, archivalMechanism); - - ProofOfPossession pop = null; - if (withPop) { -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 3588852..d22856d 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ 
b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -1962,7 +1962,7 @@ public class CryptoUtil { - return decodedData; - } - -- public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, -+ public static byte[] encryptPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, - EncryptionAlgorithm alg) - throws NoSuchAlgorithmException, TokenException, InvalidKeyException, - InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException { -@@ -2010,17 +2010,6 @@ public class CryptoUtil { - return encodePKIArchiveOptions(opts); - } - -- /* Used to create PKIArchiveOptions for wrapped symmetric key */ -- public static PKIArchiveOptions createPKIArchiveOptions( -- CryptoToken token, -- PublicKey wrappingKey, -- SymmetricKey data, -- WrappingParams params, -- AlgorithmIdentifier aid) throws Exception { -- return createPKIArchiveOptionsInternal( -- token, wrappingKey, null, null, data, params, aid); -- } -- - public static byte[] createEncodedPKIArchiveOptions( - CryptoToken token, - PublicKey wrappingKey, -@@ -2068,10 +2057,9 @@ public class CryptoUtil { - params.getSkLength(), - null, - false); -- - byte[] key_data; - if (passphraseData != null) { -- key_data = wrapPassphrase( -+ key_data = encryptPassphrase( - token, - passphraseData, - params.getPayloadEncryptionIV(), --- -1.8.3.1 - - -From d9d8b19bef7c91c2e3d33618869ea6426ecb4a36 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 21:44:31 +0200 -Subject: [PATCH 50/59] Updated CMS.getLogMessage(). - -The CMS.getLogMessage() has been generalized to take an array of -Objects instead of Strings. 
- -Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231 ---- - base/common/src/com/netscape/certsrv/apps/CMS.java | 2 +- - base/common/src/com/netscape/certsrv/apps/ICMSEngine.java | 2 +- - base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 2 +- - base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java -index d2210df..8f1d648 100644 ---- a/base/common/src/com/netscape/certsrv/apps/CMS.java -+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java -@@ -701,7 +701,7 @@ public final class CMS { - * @param p an array of parameters - * @return localized log message - */ -- public static String getLogMessage(String msgID, String p[]) { -+ public static String getLogMessage(String msgID, Object p[]) { - return _engine.getLogMessage(msgID, p); - } - -diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -index 97fc467..3655b03 100644 ---- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -@@ -334,7 +334,7 @@ public interface ICMSEngine extends ISubsystem { - * @param p an array of parameters - * @return localized log message - */ -- public String getLogMessage(String msgID, String p[]); -+ public String getLogMessage(String msgID, Object p[]); - - /** - * Retrieves the centralized log message from LogMessages.properties. 
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index 90ee8b9..ef9a6a2 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -1583,7 +1583,7 @@ public class CMSEngine implements ICMSEngine { - return getUserMessage(locale, msgID, params); - } - -- public String getLogMessage(String msgID, String params[]) { -+ public String getLogMessage(String msgID, Object params[]) { - ResourceBundle rb = ResourceBundle.getBundle( - "LogMessages"); - String msg = rb.getString(msgID); -diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -index d6305cb..dd28adb 100644 ---- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -@@ -211,7 +211,7 @@ public class CMSEngineDefaultStub implements ICMSEngine { - return null; - } - -- public String getLogMessage(String msgID, String p[]) { -+ public String getLogMessage(String msgID, Object p[]) { - return null; - } - --- -1.8.3.1 - - -From 92b68d7ab3f58ad80a545f550f0598de2c43da2c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 13 Apr 2017 01:45:37 +0200 -Subject: [PATCH 51/59] Added methods to log AuditEvent object. - -New audit(AuditEvent) methods have been added alongside the -existing audit(String) methods. 
- -Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54 ---- - base/ca/src/com/netscape/ca/CAService.java | 10 ++++++++++ - .../src/com/netscape/kra/AsymKeyGenService.java | 10 ++++++++++ - .../src/com/netscape/kra/EnrollmentService.java | 10 ++++++++++ - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 10 ++++++++++ - .../src/com/netscape/kra/NetkeyKeygenService.java | 10 ++++++++++ - .../com/netscape/kra/SecurityDataProcessor.java | 10 ++++++++++ - .../kra/src/com/netscape/kra/SymKeyGenService.java | 10 ++++++++++ - .../com/netscape/kra/TokenKeyRecoveryService.java | 9 +++++++++ - .../com/netscape/cms/authentication/CMCAuth.java | 10 ++++++++++ - .../cms/src/com/netscape/cms/logging/LogFile.java | 10 ++++++++++ - .../netscape/cms/profile/common/BasicProfile.java | 11 +++++++++++ - .../netscape/cms/profile/input/EnrollInput.java | 10 ++++++++++ - .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +++++++++++-- - .../cms/src/com/netscape/cms/realm/PKIRealm.java | 10 ++++++++++ - .../com/netscape/cms/servlet/base/CMSServlet.java | 10 ++++++++++ - .../cms/servlet/connector/ConnectorServlet.java | 10 ++++++++++ - .../cms/servlet/processors/CAProcessor.java | 10 ++++++++++ - .../cms/servlet/processors/PKIProcessor.java | 23 ++++++++++++++++------ - .../org/dogtagpki/server/rest/ACLInterceptor.java | 10 ++++++++++ - .../src/com/netscape/cmscore/cert/CertUtils.java | 10 ++++++++++ - .../src/com/netscape/cmscore/logging/Auditor.java | 11 +++++++++++ - .../cmscore/selftests/SelfTestSubsystem.java | 10 ++++++++++ - .../server/tps/processor/TPSProcessor.java | 10 ++++++++++ - 23 files changed, 240 insertions(+), 8 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index 5b364b8..2ad1967 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -1177,6 +1177,16 @@ public class CAService implements ICAService, IService { - msg); - } - -+ protected 
void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index 75e340c..bd2be70 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -228,6 +228,16 @@ public class AsymKeyGenService implements IService { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, - String clientKeyID, - String keyID, String reason) { -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index d2748a2..7c179d4 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -1034,4 +1034,14 @@ public class EnrollmentService implements IService { - ILogger.LL_SECURITY, - msg); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index b6e4376..1df04db 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -1570,6 +1570,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - msg); 
- } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 665ff19..4926873 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -708,4 +708,14 @@ public class NetkeyKeygenService implements IService { - ILogger.LL_SECURITY, - msg); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 78d64c5..05dccb9 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -770,6 +770,16 @@ public class SecurityDataProcessor { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( -diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java -index f700a79..0dfd3a2 100644 ---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java -@@ -247,6 +247,16 @@ public class SymKeyGenService implements IService { - msg); 
- } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index b710291..67f4dc6 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -733,4 +733,13 @@ public class TokenKeyRecoveryService implements IService { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -index 02aceb4..b898353 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -@@ -1073,6 +1073,16 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index 989fece..772607e 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ 
b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -1541,4 +1541,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - ILogger.LL_SECURITY, - msg); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -index ff97bfa..e6fc045 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -@@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.NameValuePairs; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; -@@ -1173,6 +1174,16 @@ public abstract class BasicProfile implements IProfile { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -index 81e71c4..84a6398 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -@@ -263,6 +263,16 @@ public abstract class EnrollInput implements IProfileInput { - msg); - } - -+ protected void 
audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -index 2f47efa..7daa8e4 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -@@ -21,8 +21,6 @@ import java.util.Enumeration; - import java.util.Locale; - import java.util.Vector; - --import netscape.security.x509.X509CertImpl; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.ConflictingOperationException; - import com.netscape.certsrv.base.EBaseException; -@@ -42,6 +40,8 @@ import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IUGSubsystem; - import com.netscape.certsrv.usrgrp.IUser; - -+import netscape.security.x509.X509CertImpl; -+ - /** - * This updater class will create the new user to the subsystem group and - * then add the subsystem certificate to the user. 
-@@ -279,6 +279,16 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - private String auditSubjectID() { - if (mSignedAuditLogger == null) { - return null; -diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -index 28fb0b9..bcd3ff8 100644 ---- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -@@ -227,4 +227,14 @@ public class PKIRealm extends RealmBase { - ILogger.LL_SECURITY, - msg); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index c7fc03b..a007a00 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -2068,6 +2068,16 @@ public abstract class CMSServlet extends HttpServlet { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index 2299e60..13c732b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ 
b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -1025,6 +1025,16 @@ public class ConnectorServlet extends CMSServlet { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Profile ID - * -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index ad79cbb..8c4fef1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -945,6 +945,16 @@ public class CAProcessor extends Processor { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Requester ID - * -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java -index bea8993..e6ee2db 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java -@@ -23,12 +23,6 @@ import java.util.Date; - - import javax.servlet.http.HttpServletRequest; - --import netscape.security.x509.CertificateExtensions; --import netscape.security.x509.CertificateSubjectName; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertInfo; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.IAuthToken; -@@ 
-36,11 +30,18 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.ICMSRequest; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.request.IRequest; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.ECMSGWException; - -+import netscape.security.x509.CertificateExtensions; -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.CertificateValidity; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertInfo; -+ - /** - * Process Certificate Requests - * -@@ -316,6 +317,16 @@ public class PKIProcessor implements IPKIProcessor { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -index 86996d5..331bae1 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -@@ -351,4 +351,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - ILogger.LL_SECURITY, - msg); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -index e1c4c76..6691f7a 100644 ---- 
a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java -@@ -1102,4 +1102,14 @@ public class CertUtils { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -index 8c99e67..48dfe3a 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -@@ -24,6 +24,7 @@ import java.util.Map; - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.common.Constants; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -218,4 +219,14 @@ public class Auditor implements IAuditor { - ILogger.LL_SECURITY, - message); - } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ log(message); -+ } - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -index 95556b9..6ee3176 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -@@ -127,6 +127,16 @@ public class SelfTestSubsystem - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = 
event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * This helper method returns the "full" property name (the corresponding - * substore name prepended in front of the plugin/parameter name). This -diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -index 910a263..0cfac59 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -@@ -4264,6 +4264,16 @@ public class TPSProcessor { - msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - public static void main(String[] args) { - } - --- -1.8.3.1 - - -From 164087b1fc302dd8b125cd52e9e55f54ea97e09d Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Fri, 24 Mar 2017 15:56:17 -0700 -Subject: [PATCH 52/59] SCP03 support for g&d sc 7 card. - -This allows the use of the g&d 7 card. -This will require the following: - -1. An out of band method is needed to generate an AES based master key. -We do not as of yet have support with tkstool for this: - -Ex: - -/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16 - -2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards: - -Ex: - -tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings -tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. -tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset -tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. -tks.defKeySet._009=## masterKeyType = DES3 or AES. 
This is for the type of key for the master key. -tks.defKeySet._010=## -tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings -tks.defKeySet._013=## Smart Cafe 6 settings: -tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv -tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv -tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 -tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 -tks.defKeySet._018=##Smart Cafe 7 settings: -tks.defKeySet._019=## tks.defKeySet.prot3.divers=none -tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none -tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES -tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES -tks.defKeySet._023=## -tks.defKeySet._024=## ---- - .../src/com/netscape/cms/servlet/tks/GPParams.java | 21 ++++ - .../netscape/cms/servlet/tks/NistSP800_108KDF.java | 114 +++++---------------- - .../cms/servlet/tks/SecureChannelProtocol.java | 107 ++++++++++++++----- - .../com/netscape/cms/servlet/tks/TokenServlet.java | 20 ++++ - base/tks/shared/conf/CS.cfg | 24 +++++ - base/tps/shared/conf/CS.cfg | 2 +- - 6 files changed, 174 insertions(+), 114 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java -index f16481b..bda4e66 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java -@@ -30,6 +30,8 @@ public class GPParams { - public static String DIVER_NONE = "none"; - public static String DIVER_VISA2 = "visa2"; - public static String NIST_SP800 = "nistsp_800"; -+ public static String AES = "AES"; -+ public static String DES3 ="DES3"; - - public GPParams() { - } -@@ -39,6 +41,25 @@ public class GPParams { - //Diversification scheme for just version one or developer keys - private String version1DiversificationScheme; - -+ private String 
devKeyType; -+ private String masterKeyType; -+ -+ public String getDevKeyType() { -+ return devKeyType; -+ } -+ -+ public String getMasterKeyType() { -+ return masterKeyType; -+ } -+ -+ public void setDevKeyType(String newType) { -+ devKeyType = newType; -+ } -+ -+ public void setMasterKeyType(String newType) { -+ masterKeyType = newType; -+ } -+ - public boolean isDiversEmv() { - if (DIVER_EMV.equalsIgnoreCase(diversificationScheme)) - return true; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java -index ad4a370..1f2c1b5 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java -@@ -461,8 +461,8 @@ public class NistSP800_108KDF extends KDF { - // Collection of informal invocations of api used to create various session keys - // Done with test data. - public static void main(String[] args) { --/* -- Options options = new Options(); -+ -+ /* Options options = new Options(); - - options.addOption("d", true, "Directory for tokendb"); - -@@ -474,15 +474,20 @@ public class NistSP800_108KDF extends KDF { - (byte) 0x4f }; - - byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 }; -- byte test_kdd[] = { (byte)0x00, (byte)0x00, (byte)0x50, (byte)0x24,(byte) 0x97,(byte) 0x00,(byte) 0x74, (byte) 0xA9, (byte)0x72,(byte)0x71 }; -+ byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 }; -+ - -+ byte test_host_challenge[] = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 }; -+ byte test_card_challenge[] = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89}; - -- byte test_host_challenge[] = { 0x06 ,(byte)0xA4 ,0x46 ,0x57 ,(byte) 0x8B ,0x65 ,0x48 
,0x51 }; -- byte test_card_challenge[] = { (byte) 0xAD ,(byte) 0x2E ,(byte)0xD0 ,0x1E ,0x7C ,0x2D ,0x0C ,0x6F}; -+ byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB }; -+ byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 }; - -- byte test_key_info[] = { (byte) 0x02,(byte) 03,(byte) 00 }; -+ byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 }; - byte test_old_key_info[] = {0x01,0x03,0x00}; - -+ byte test_sequence_counter[] = { 0x00 ,0x00 ,0x06 }; -+ - try { - CommandLineParser parser = new DefaultParser(); - CommandLine cmd = parser.parse(options, args); -@@ -500,11 +505,6 @@ public class NistSP800_108KDF extends KDF { - SymmetricKey macKey = null; - SymmetricKey kekKey = null; - -- SymmetricKey putEncKey = null; -- SymmetricKey putMacKey = null; -- SymmetricKey putKekKey = null; -- -- SymmetricKey tempKey = null; - - try { - CryptoManager.initialize(db_dir); -@@ -512,113 +512,55 @@ public class NistSP800_108KDF extends KDF { - - CryptoToken token = cm.getInternalKeyStorageToken(); - -- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.AES); -- -- SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4]; -- usages[0] = SymmetricKey.Usage.WRAP; -- usages[1] = SymmetricKey.Usage.UNWRAP; -- usages[2] = SymmetricKey.Usage.ENCRYPT; -- usages[3] = SymmetricKey.Usage.DECRYPT; -- -- kg.setKeyUsages(usages); -- kg.temporaryKeys(true); -- kg.initialize(128); -- tempKey = kg.generate(); -- -- -- Cipher encryptor = token.getCipherContext(EncryptionAlgorithm.AES_128_CBC); -- -- int ivLength = EncryptionAlgorithm.AES_128_CBC.getIVLength(); -- byte[] iv = null; -- -- if (ivLength > 0) { -- iv = new byte[ivLength]; // all zeroes -- } -- -- encryptor.initEncrypt(tempKey, new IVParameterSpec(iv)); -- byte[] wrappedKey = encryptor.doFinal(devKey); -- -- KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.AES_CBC); -- 
keyWrap.initUnwrap(tempKey, new IVParameterSpec(iv)); -- -- encKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); -- macKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); -- kekKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16); -- - String transportName = "TPS-dhcp-16-206.sjc.redhat.com-8443 sharedSecret"; - SecureChannelProtocol prot = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); - - SymmetricKey masterKey = SecureChannelProtocol.getSymKeyByName(token,"new_master"); - - GPParams params = new GPParams(); -- params.setVersion1DiversificationScheme("visa2"); -- params.setDiversificationScheme("visa2"); -- -- putEncKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, -- SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, null, null, -- transportName,params); -- -- putMacKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, -- SecureChannelProtocol.macType, devKey, "defKeySet", test_cuid, test_kdd, null, null, -- transportName,params); -- -- putKekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info, -- SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, null, null, -- transportName,params); -+ params.setVersion1DiversificationScheme("emv"); -+ params.setDiversificationScheme("emv"); -+ params.setDevKeyType(GPParams.AES); -+ params.setMasterKeyType(GPParams.AES); - - //create test session keys -- encKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info, -- SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, -+ encKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, -+ SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, - transportName,params); - -- macKey = prot.computeSessionKey_SCP03("internal", 
"new_master",test_key_info, -- SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, -+ macKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, -+ SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, - transportName,params); - -- kekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info, -- SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge, -+ kekKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info, -+ SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1, - transportName,params); - - System.out.println("masterKey: " + masterKey); - - System.out.println("\n"); - -- SecureChannelProtocol.debugByteArray(putEncKey.getKeyData(), " derived putEnc session key data: "); -- SecureChannelProtocol.debugByteArray(putMacKey.getKeyData(), " derived putMac session key data: "); -- SecureChannelProtocol.debugByteArray(putKekKey.getKeyData(), " derived putKek session key data: "); -- -- System.out.println("\n"); - - SecureChannelProtocol.debugByteArray(encKey.getKeyData(), " derived enc session key data: "); - SecureChannelProtocol.debugByteArray(macKey.getKeyData(), " derived mac session key data: "); - SecureChannelProtocol.debugByteArray(kekKey.getKeyData(), " derived kek session key data: "); - -- ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); -- try { -- contextStream.write(test_host_challenge); -- contextStream.write(test_card_challenge); -- } catch (IOException e) { -- } -- -- StandardKDF standard = new StandardKDF(prot); - - ByteArrayOutputStream testContext = new ByteArrayOutputStream(); - -- testContext.write(test_host_challenge); -- testContext.write(test_card_challenge); -+ testContext.write(test_host_challenge_1); -+ 
testContext.write(test_card_challenge_1); -+ -+ SecureChannelProtocol.debugByteArray(testContext.toByteArray(), "Test context bytes: "); - -- NistSP800_108KDF nistKdf = new NistSP800_108KDF(prot); - -- byte[] finalEncBytes = nistKdf.kdf_AES_CMAC_SCP03(encKey, testContext.toByteArray(), (byte) 0x04, 16); -- byte[] finalMacBytes = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), (byte) 0x06, 16); -+ NistSP800_108KDF nistKdf = new NistSP800_108KDF(prot); - -- SymmetricKey sEnc = prot.unwrapAESSymKeyOnToken(token, finalEncBytes, false); -- SymmetricKey sMac = macKey = prot.unwrapAESSymKeyOnToken(token, finalMacBytes, false); - -- byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8); -+ byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8); - SecureChannelProtocol.debugByteArray(cardCryptoVerify, " calculated card cryptogram"); - -- byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8); -+ byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8); - SecureChannelProtocol.debugByteArray(hostCrypto, " calculated host cryptogram"); - - } catch (AlreadyInitializedException e) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -index 371e734..ef0c61b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -@@ -36,6 +36,7 @@ public class SecureChannelProtocol { - static String sharedSecretKeyName = null; - static String masterKeyPrefix = null; - -+ static final int DEF_AES_KEYLENGTH = 16; - static final int KEYLENGTH = 16; - static final int PREFIXLENGHT = 128; - static final int DES2_LENGTH = 16; -@@ 
-288,7 +289,9 @@ public class SecureChannelProtocol { - - { - String finalKeyType = keyType; -- SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray); -+ String devKeyType = params.getDevKeyType(); -+ CMS.debug(method + " Developer key set case: incoming dev key type: " + devKeyType); -+ SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,devKeyType); - - StandardKDF standard = new StandardKDF(this); - SymmetricKey divKey = null; -@@ -297,22 +300,31 @@ public class SecureChannelProtocol { - - //Consult the config to determine with diversification method to use. - if (params.isVer1DiversNone()) { -+ CMS.debug(method + " No diversifcation requested. "); - noDivers = true; - } else if (params.isVer1DiversEmv()) { -+ CMS.debug(method + " EMV diversification requested. "); - keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType); - } else if (params.isVer1DiversVisa2()) { -+ CMS.debug(method + " Visa2 diversification requested."); - keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType); - } else { - throw new EBaseException(method + " Invalid diversification method!"); - } - - //Obtain the card key,it may just be the raw developer key -- if (noDivers == true) { -- divKey = unwrapAESSymKeyOnToken(token, devKeyArray, false); -+ if (noDivers == true || GPParams.AES.equalsIgnoreCase(devKeyType)) { -+ divKey = devSymKey; - } else { - - // The g&d calls for computing the aes card key with DES, it will then be treated as aes -- divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token); -+ // Right now if the dev key type is AES, we do not support any diversification -+ -+ if (GPParams.DES3.equalsIgnoreCase(devKeyType)) { -+ divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token); -+ } else { -+ throw new EBaseException(method + " Invalid devolper key type. 
Does not support diversification: "+ devKeyType); -+ } - } - - NistSP800_108KDF nistKdf = new NistSP800_108KDF(this); -@@ -338,22 +350,35 @@ public class SecureChannelProtocol { - - masterKey = getSymKeyByName(token, keyNameStr); - -+ String masterKeyType = params.getMasterKeyType(); -+ -+ CMS.debug(method + " Master key case: requested master key type: " + masterKeyType); -+ - StandardKDF standard = new StandardKDF(this); - - byte[] keyDiversified = null; - - if (params.isDiversNone()) { -- throw new EBaseException(method + " No diversification requested in master key mode. Aborting..."); -+ if (GPParams.AES.equalsIgnoreCase(masterKeyType)) { -+ CMS.debug(method + " Master key case: no diversification requested: With master key type of AES "); -+ } -+ else { -+ throw new EBaseException(method + " No diversification requested in master key mode. With master key type of DES3: Aborting..."); -+ } - } //Allow choice of emv or standard diversification - else if (params.isDiversEmv()) { - keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType); - } else if (params.isDiversVisa2()) { - keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType); - } -- - SymmetricKey divKey = null; - -- divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token); -+ if(GPParams.AES.equalsIgnoreCase(masterKeyType)) { -+ CMS.debug(method + " master key case with AES type."); -+ divKey = masterKey; -+ } else { -+ divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token); -+ } - - NistSP800_108KDF nistKdf = new NistSP800_108KDF(this); - // The kek session key does not call for derivation -@@ -488,11 +513,11 @@ public class SecureChannelProtocol { - - String finalKeyType = keyType; - -- SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray); -+ SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,"DES3"); - - // Create the auth with is the same as enc, might need it 
later. - if (keyType.equals(encType)) { -- returnDeveloperSymKey(token, authType, keySet, devKeyArray); -+ returnDeveloperSymKey(token, authType, keySet, devKeyArray,"DES3"); - } - - if (noDerive == true) { -@@ -672,14 +697,25 @@ public class SecureChannelProtocol { - From that point it is a simple matter of retrieving the desired key from the token. - No security advantage is implied or desired here. - */ -- public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray) -+ public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray, String keyAlg) - throws EBaseException { - - SymmetricKey devKey = null; - - String method = "SecureChannelProtocol.returnDeveloperSymKey:"; - -- String devKeyName = keySet + "-" + keyType + "Key"; -+ boolean isAES = false; -+ String finalAlg = null; -+ if(keyAlg == null) { -+ finalAlg = "DES3"; -+ } -+ -+ if(keyAlg.equalsIgnoreCase("AES")) { -+ isAES = true; -+ finalAlg = "AES"; -+ } -+ -+ String devKeyName = keySet + "-" + keyType + "Key" + "-" + finalAlg; - CMS.debug(method + " entering.. 
searching for key: " + devKeyName); - - if (token == null || keyType == null || keySet == null) { -@@ -706,22 +742,31 @@ public class SecureChannelProtocol { - - CMS.debug(method + " inputKeyArray.length: " + inputLen); - -- if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) { -- throw new EBaseException(method + "invalid input key length!"); -- } -+ if (!isAES) { -+ if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) { -+ throw new EBaseException(method + "invalid input key length!"); -+ } -+ -+ if (inputLen == DES2_LENGTH) { -+ des3InputKey = new byte[DES3_LENGTH]; -+ System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH); -+ System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES); -+ -+ } else { -+ System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH); -+ } -+ -+ SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": "); - -- if (inputLen == DES2_LENGTH) { -- des3InputKey = new byte[DES3_LENGTH]; -- System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH); -- System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES); -+ devKey = unwrapSymKeyOnToken(token, des3InputKey, true); - - } else { -- System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH); -- } - -- SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": "); -+ if(inputLen == DEF_AES_KEYLENGTH) { // support 128 bits for now -+ devKey = unwrapAESSymKeyOnToken(token, inputKeyArray, true); -+ } -+ } - -- devKey = unwrapSymKeyOnToken(token, des3InputKey, true); - devKey.setNickName(devKeyName); - } else { - CMS.debug(method + " Found sym key: " + devKeyName); -@@ -1823,9 +1868,9 @@ public class SecureChannelProtocol { - //This is the case where we revert to the original developer key set or key set 1 - if (protocol == PROTOCOL_ONE) { - CMS.debug(method + " Special case returning to the dev key set (1) for DiversifyKey, protocol 1!"); -- encKey = 
returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null); -- macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null); -- kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null); -+ encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null,"DES3"); -+ macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null,"DES3"); -+ kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3"); - } else if (protocol == PROTOCOL_THREE) { - CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!"); - encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, -@@ -1920,7 +1965,15 @@ public class SecureChannelProtocol { - - CMS.debug(method + " old kek sym key is null"); - -- old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray); -+ String devKeyType = null; -+ -+ if(protocol == PROTOCOL_THREE) { -+ devKeyType = params.getDevKeyType(); -+ } else { -+ devKeyType = "DES3"; -+ } -+ -+ old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray, devKeyType); - - output = createKeySetDataWithSymKeys(newKeyVersion, (byte[]) null, - old_kek_sym_key, -@@ -2070,7 +2123,7 @@ public class SecureChannelProtocol { - throw new EBaseException(method + " Can't compose final output byte array!"); - } - -- //SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: "); -+ SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: "); - CMS.debug(method + " returning output"); - - return output; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java -index 3915b73..1377055 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java -@@ -3184,6 +3184,26 @@ public class TokenServlet extends CMSServlet { - params.setVersion1DiversificationScheme(diversVer1Keys); - CMS.debug(method + " Version 1 keys Divers: " + divers); - -+ String keyType = null; -+ try { -+ keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); -+ } catch (EBaseException e) { -+ } -+ -+ CMS.debug(method + " devKeyType: " + keyType); -+ -+ params.setDevKeyType(keyType); -+ -+ try { -+ keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); -+ } catch (EBaseException e) { -+ } -+ -+ params.setMasterKeyType(keyType); -+ -+ CMS.debug(method + " masterKeyType: " + keyType); -+ -+ - return params; - } - -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index 0eea3e9..45716d2 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -340,11 +340,35 @@ tks.defKeySet._001=## Axalto default key set: - tks.defKeySet._002=## - tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=: - tks.defKeySet._004=## -+tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings -+tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. -+tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset -+tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. -+tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key. 
-+tks.defKeySet._010=## -+tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings -+tks.defKeySet._013=## Smart Cafe 6 settings: -+tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv -+tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv -+tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 -+tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 -+tks.defKeySet._018=##Smart Cafe 7 settings: -+tks.defKeySet._019=## tks.defKeySet.prot3.divers=none -+tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none -+tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES -+tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES -+tks.defKeySet._023=## -+tks.defKeySet._024=## - tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f - tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f - tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f - tks.defKeySet.nistSP800-108KdfOnKeyVersion=00 - tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false -+tks.defKeySet.prot3.divers=emv -+tks.defKeySet.prot3.diversVer1Keys=emv -+tks.defKeySet.prot3.devKeyType=DES3 -+tks.defKeySet.prot3.masterKeyType=DES3 -+ - tks.jForte._000=## - tks.jForte._001=## SAFLink's jForte default key set: - tks.jForte._002=## -diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg -index 8d667f5..2d9057a 100644 ---- a/base/tps/shared/conf/CS.cfg -+++ b/base/tps/shared/conf/CS.cfg -@@ -10,7 +10,7 @@ applet._001=# applet information - applet._002=# SAF Key: - applet._003=# applet.aid.cardmgr_instance=A0000001510000 - applet._004=# Stock RSA,KeyRecover applet : 1.4.58768072.ijc --applet._005=# Beta RSA/KeyRecovery/GP211/SCP02 applet : 1.5.558cdcff.ijc -+applet._005=# RSA/KeyRecovery/GP211/SCP02, SCP03 applet : 1.5.558cdcff.ijc - applet._006=# Use GP211 applet only with SCP02 card - applet._007=######################################### - 
applet.aid.cardmgr_instance=A0000000030000 --- -1.8.3.1 - - -From 7672b543f8c62da34f0bb11be17d5e6d336cb2da Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 11 Apr 2017 23:04:34 -0400 -Subject: [PATCH 53/59] Fix python issues identified in review - -subprocess returns bytes in Python 3. Make sure to -decode first when returning env variables. - -Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d ---- - base/common/python/pki/util.py | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 0de13fd..5832f55 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -258,10 +258,9 @@ def read_environment_files(env_file_list=None): - if env_file_list is None: - env_file_list = DEFAULT_PKI_ENV_LIST - -- file_command = '' -- for env_file in env_file_list: -- file_command += "source " + env_file + " && " -- file_command += "env" -+ file_command = ' && '.join( -+ 'source {}'.format(env_file) for env_file in env_file_list) -+ file_command += ' && env' - - command = [ - 'bash', -@@ -269,7 +268,7 @@ def read_environment_files(env_file_list=None): - file_command - ] - -- env_vals = subprocess.check_output(command).split('\n') -+ env_vals = subprocess.check_output(command).decode('utf-8').split('\n') - - for env_val in env_vals: - (key, _, value) = env_val.partition("=") --- -1.8.3.1 - - -From af1ad849c62fb76915142796ead7677abd5896f3 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 11 Apr 2017 09:28:15 +0200 -Subject: [PATCH 54/59] Add Travis CI to compose core RPM packages - -The command "./scripts/compose_pki_core_packages rpms" is tested on -Fedora 25, 26 and rawhide. On 25 and 26, the COPR @pki/10.4 is enabled -to provide additional build dependencies. - -Travis Ci is configured to use pre-populated Docker images from -https://github.com/dogtagpki/pki-ci-containers . The images contain -build dependencies. 
- -Signed-off-by: Christian Heimes ---- - .travis.test | 31 +++++++++++++++++++++++++++++++ - .travis.yml | 20 ++++++++++++++++++++ - 2 files changed, 51 insertions(+) - create mode 100755 .travis.test - create mode 100644 .travis.yml - -diff --git a/.travis.test b/.travis.test -new file mode 100755 -index 0000000..ca81022 ---- /dev/null -+++ b/.travis.test -@@ -0,0 +1,31 @@ -+#!/bin/bash -+set -ex -+ -+WORKDIR="${BUILDDIR:-/tmp/builddir}" -+BUILDUSER=builduser -+BUILDUSER_UID=${UID:-1000} -+BUILDUSER_GID=${GID:-1000} -+ -+. /etc/os-release -+ -+echo "$NAME $VERSION $1" -+ -+## compose_pki_core_packages doesn't run as root, create a build user -+groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER} -+useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER} -+ -+## chown workdir and enter pki dir -+chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR} -+cd ${WORKDIR}/pki -+ -+## prepare additional build dependencies -+dnf copr -y enable @pki/10.4 -+dnf builddep -y ./specs/pki-core.spec -+ -+# update, container might be outdated -+dnf update -y -+ -+## run tox and build -+# run make with --quiet to reduce log verbosity. Travis CI has a log limit -+# of 10,000 lines. -+sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms -diff --git a/.travis.yml b/.travis.yml -new file mode 100644 -index 0000000..2e1a69f ---- /dev/null -+++ b/.travis.yml -@@ -0,0 +1,20 @@ -+sudo: required -+language: python -+ -+services: -+ - docker -+ -+env: -+ - CONTAINER=dogtagpki/pki-ci-containers:f25_104 -+ - CONTAINER=dogtagpki/pki-ci-containers:f26_104 -+ - CONTAINER=dogtagpki/pki-ci-containers:rawhide -+ -+script: -+ - docker pull $CONTAINER -+ - > -+ docker run -+ -v $(pwd):/tmp/workdir/pki -+ -e UID=$(id -u) -+ -e GID=$(id -g) -+ $CONTAINER -+ /tmp/workdir/pki/.travis.test $CONTAINER --- -1.8.3.1 - - -From c381566ddf1f4f05330063bb012d59e5c1753b13 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Thu, 13 Apr 2017 08:13:26 +0200 -Subject: [PATCH 55/59] Fixed ClientIP field in SSL session audit log. - -The PKIServerSocketListener has been fixed to obtain the correct -client IP address from SSL socket. - -https://pagure.io/dogtagpki/issue/2602 - -Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba ---- - .../cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 11 +++-------- - 1 file changed, 3 insertions(+), 8 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -index 7016bc8..093776f 100644 ---- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -@@ -18,8 +18,6 @@ - package org.dogtagpki.server; - - import java.net.InetAddress; --import java.net.InetSocketAddress; --import java.net.SocketAddress; - import java.security.Principal; - - import org.mozilla.jss.crypto.X509Certificate; -@@ -45,8 +43,7 @@ public class PKIServerSocketListener implements SSLSocketListener { - try { - SSLSocket socket = event.getSocket(); - -- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); -- InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress(); -+ InetAddress clientAddress = socket.getInetAddress(); - InetAddress serverAddress = socket.getLocalAddress(); - String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); - String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -@@ -85,8 +82,7 @@ public class PKIServerSocketListener implements SSLSocketListener { - try { - SSLSocket socket = event.getSocket(); - -- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); -- InetAddress clientAddress = remoteSocketAddress == null ? 
null : ((InetSocketAddress)remoteSocketAddress).getAddress(); -+ InetAddress clientAddress = socket.getInetAddress(); - InetAddress serverAddress = socket.getLocalAddress(); - String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); - String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -@@ -139,8 +135,7 @@ public class PKIServerSocketListener implements SSLSocketListener { - try { - SSLSocket socket = event.getSocket(); - -- SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress(); -- InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress(); -+ InetAddress clientAddress = socket.getInetAddress(); - InetAddress serverAddress = socket.getLocalAddress(); - String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); - String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); --- -1.8.3.1 - - -From 716dca464943a22eb6588187fba9fad85e1c1345 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 6 Apr 2017 17:09:39 -0400 -Subject: [PATCH 56/59] Fix symkey retrieval in python client - -Keys (like symmetric keys and asymmetric keys) are returned -from the KRA either encrypted or key wrapped. Because the -AES keywrapping algorithm cannot be decrypted using AES CBC, -we need special logic to unwrap the keys. - -The flow here is as follows: -1. When a key retrieval request is sent to the server, - the client sends the encryption and key wrapping - algorithms it requires the key to be wrapped along - with the wrapping key. -2. If no encryption algorithm or key wrap algorithm is - recieved, the server assumes its talking to an old - client and uses DES3. -3. The key is retrieved and (on server's choice) is wrapped - or encrypted. The return package will have either - encryption or key wrap algorithm set (depending on how - the key was encrypted/wrapped.) -4. client uses that to determine how to unwrap key. 
- -This patch: -1. Makes sure the key wrap algorithm requested by client - is passed through and used to wrap the retrieved key. -2. Adds logic in the python client to unwrap/decrypt. -3. As python-cryptography does not yet support - AES KeyWrap with padding, the python client is configured - to request AES-CBC by default. - -Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1 ---- - base/common/python/pki/crypto.py | 51 +++++++++++++- - base/common/python/pki/key.py | 56 ++++++++++++--- - .../src/com/netscape/certsrv/key/KeyClient.java | 4 ++ - .../com/netscape/kra/SecurityDataProcessor.java | 79 ++++++++++++++++++---- - .../netscape/cms/servlet/key/KeyRequestDAO.java | 9 +++ - 5 files changed, 173 insertions(+), 26 deletions(-) - -diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py -index b767abd..0891acd 100644 ---- a/base/common/python/pki/crypto.py -+++ b/base/common/python/pki/crypto.py -@@ -34,10 +34,21 @@ from cryptography.hazmat.backends import default_backend - from cryptography.hazmat.primitives.ciphers import ( - Cipher, algorithms, modes - ) -+from cryptography.hazmat.primitives import keywrap - from cryptography.hazmat.primitives import padding - from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 - import cryptography.x509 - -+# encryption algorithms OIDs -+DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" -+AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" -+ -+# Wrap Algorithm names as defined by JSS. -+WRAP_AES_CBC_PAD = "AES/CBC/PKCS5Padding" -+WRAP_AES_KEY_WRAP = "AES KeyWrap" -+WRAP_AES_KEY_WRAP_PAD = "AES KeyWrap/Padding" -+WRAP_DES3_CBC_PAD = "DES3/CBC/Pad" -+ - - class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - """ -@@ -96,7 +107,11 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)): - DES3 key. 
- """ - -- # abc.abstractmethod -+ @abc.abstractmethod -+ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): -+ """ Unwrap data that has been key wrapped using AES KeyWrap """ -+ -+ @abc.abstractmethod - def get_cert(self, cert_nick): - """ Get the certificate for the specified cert_nick. """ - -@@ -302,6 +317,18 @@ class NSSCryptoProvider(CryptoProvider): - public_key = wrapping_cert.subject_public_key_info.public_key - return nss.pub_wrap_sym_key(mechanism, public_key, data) - -+ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): -+ """ -+ :param mechanism Key wrapping mechanism -+ :param data: Data to be unwrapped -+ :param wrapping_key: Wrapping Key -+ :param nonce_iv Nonce data -+ :return: Unwrapped data -+ -+ Return unwrapped data for data wrapped using AES KeyWrap -+ """ -+ raise NotImplementedError() -+ - def get_cert(self, cert_nick): - """ - :param cert_nick Nickname for the certificate to be returned -@@ -461,6 +488,28 @@ class CryptographyCryptoProvider(CryptoProvider): - PKCS1v15() - ) - -+ def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv): -+ """ -+ :param mechanism key wrapping mechanism -+ :param data: data to unwrap -+ :param wrapping_key: AES key used to wrap data -+ :param nonce_iv Nonce data -+ :return: unwrapped data -+ -+ Unwrap the encrypted data which has been wrapped using a -+ KeyWrap mechanism. -+ """ -+ if mechanism == WRAP_AES_CBC_PAD or mechanism == WRAP_DES3_CBC_PAD: -+ return self.symmetric_unwrap( -+ data, -+ wrapping_key, -+ nonce_iv=nonce_iv) -+ -+ if mechanism == WRAP_AES_KEY_WRAP: -+ return keywrap.aes_key_unwrap(wrapping_key, data, self.backend) -+ -+ raise ValueError("Unsupported key wrap algorithm: " + mechanism) -+ - def get_cert(self, cert_nick): - """ - :param cert_nick Nickname for the certificate to be returned. 
-diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py -index 6c5641a..e782d54 100644 ---- a/base/common/python/pki/key.py -+++ b/base/common/python/pki/key.py -@@ -33,6 +33,7 @@ from six import iteritems - from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 - - import pki -+import pki.crypto - import pki.encoder as encoder - from pki.info import Version - import pki.util -@@ -459,10 +460,6 @@ class KeyClient(object): - RSA_ALGORITHM = "RSA" - DSA_ALGORITHM = "DSA" - -- # default session key wrapping algorithm -- DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}" -- AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}" -- - def __init__(self, connection, crypto, transport_cert_nick=None, - info_client=None): - """ Constructor """ -@@ -481,6 +478,7 @@ class KeyClient(object): - - self.info_client = info_client - self.encrypt_alg_oid = None -+ self.wrap_name = None - self.set_crypto_algorithms() - - def set_transport_cert(self, transport_cert_nick): -@@ -502,9 +500,14 @@ class KeyClient(object): - - # set keyset related constants needed in KeyClient - if keyset_id == 0: -- self.encrypt_alg_oid = self.DES_EDE3_CBC_OID -+ self.encrypt_alg_oid = pki.crypto.DES_EDE3_CBC_OID -+ self.wrap_name = pki.crypto.WRAP_DES3_CBC_PAD - else: -- self.encrypt_alg_oid = self.AES_128_CBC_OID -+ self.encrypt_alg_oid = pki.crypto.AES_128_CBC_OID -+ # Note: AES_KEY_WRAP_PAD is not yet supported by -+ # python cryptography. 
Therefore we will default -+ # to AES_CBC_PAD instead -+ self.wrap_name = pki.crypto.WRAP_AES_CBC_PAD - - def get_client_keyset(self): - # get client keyset -@@ -847,7 +850,7 @@ class KeyClient(object): - raise TypeError('Missing wrapped session key') - - if not algorithm_oid: -- algorithm_oid = KeyClient.AES_128_CBC_OID -+ algorithm_oid = pki.crypto.AES_128_CBC_OID - # algorithm_oid = KeyClient.DES_EDE3_CBC_OID - - if not nonce_iv: -@@ -1015,16 +1018,47 @@ class KeyClient(object): - request_id=request_id, - trans_wrapped_session_key=base64.b64encode( - trans_wrapped_session_key), -- payload_encryption_oid=self.encrypt_alg_oid -+ payload_encryption_oid=self.encrypt_alg_oid, -+ payload_wrapping_name=self.wrap_name - ) - - key = self.retrieve_key_data(request) - if not key_provided and key.encrypted_data is not None: -- key.data = self.crypto.symmetric_unwrap( -+ self.process_returned_key(key, session_key) -+ return key -+ -+ @pki.handle_exceptions() -+ def process_returned_key(self, key, session_key): -+ """ -+ Decrypt the returned key and place in key.data -+ -+ The data will either by encrypted using an encryption algorithm - -+ in which case, the key data will contain an encryption algorithm OID, -+ or it will be key wrapped - in which case, the key data will contain -+ a key wrap mechanism name. -+ -+ Only one of these should be present. If we are talking to an older -+ server, and none is present, we will assume encryption. 
-+ """ -+ if key.wrap_algorithm is not None: -+ if key.encrypt_algorithm_oid is not None: -+ raise ValueError( -+ "Both encryptOID and wrapping name have been set " + -+ "in server response" -+ ) -+ # do key unwrapping here -+ key.data = self.crypto.key_unwrap( -+ key.wrap_algorithm, - key.encrypted_data, - session_key, -- nonce_iv=key.nonce_data) -- return key -+ key.nonce_data) -+ return -+ -+ # do decryption -+ key.data = self.crypto.symmetric_unwrap( -+ key.encrypted_data, -+ session_key, -+ nonce_iv=key.nonce_data) - - @pki.handle_exceptions() - def retrieve_key_by_passphrase(self, key_id=None, request_id=None, -diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java -index dea44b1..2c99e1c 100644 ---- a/base/common/src/com/netscape/certsrv/key/KeyClient.java -+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java -@@ -465,6 +465,7 @@ public class KeyClient extends Client { - recoveryRequest.setRequestId(requestId); - recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); - recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); -+ recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString()); - - Key data = retrieveKeyData(recoveryRequest); - processKeyData(data, sessionKey); -@@ -503,6 +504,7 @@ public class KeyClient extends Client { - recoveryRequest.setKeyId(keyId); - recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); - recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); -+ recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString()); - - return retrieveKeyData(recoveryRequest); - } -@@ -562,6 +564,7 @@ public class KeyClient extends Client { - data.setSessionWrappedPassphrase(Utils.base64encode(sessionWrappedPassphrase)); - data.setNonceData(Utils.base64encode(nonceData)); - data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); -+ 
data.setPayloadWrappingName(wrapAlgorithm.toString()); - - return retrieveKeyData(data); - } -@@ -610,6 +613,7 @@ public class KeyClient extends Client { - data.setKeyId(keyId); - data.setRequestId(requestId); - data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); -+ data.setPayloadWrappingName(wrapAlgorithm.toString()); - - if (transWrappedSessionKey != null) { - data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 05dccb9..4659901 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -402,26 +402,34 @@ public class SecurityDataProcessor { - String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); - - byte[] iv = null; -+ byte[] iv_wrap = null; - try { -- iv = generate_iv(payloadEncryptOID, transportUnit.getOldWrappingParams()); -+ iv = generate_iv( -+ payloadEncryptOID, -+ transportUnit.getOldWrappingParams().getPayloadEncryptionAlgorithm()); -+ iv_wrap = generate_wrap_iv( -+ payloadWrapName, -+ transportUnit.getOldWrappingParams().getPayloadWrapAlgorithm()); - } catch (Exception e1) { - throw new EBaseException("Failed to generate IV when wrapping secret", e1); - } -- String ivStr = Utils.base64encode(iv); -+ String ivStr = iv != null? Utils.base64encode(iv): null; -+ String ivStr_wrap = iv_wrap != null ? 
Utils.base64encode(iv_wrap): null; - - WrappingParams wrapParams = null; - if (payloadEncryptOID == null) { -+ // talking to an old server, use 3DES - wrapParams = transportUnit.getOldWrappingParams(); - wrapParams.setPayloadEncryptionIV(new IVParameterSpec(iv)); -- wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv)); -+ wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv_wrap)); - } else { - try { - wrapParams = new WrappingParams( - payloadEncryptOID, - payloadWrapName, - transportKeyAlgo, -- new IVParameterSpec(iv), -- null); -+ iv != null? new IVParameterSpec(iv): null, -+ iv_wrap != null? new IVParameterSpec(iv_wrap): null); - } catch (Exception e) { - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "Cannot generate wrapping params"); -@@ -597,7 +605,7 @@ public class SecurityDataProcessor { - //secret has wrapped using a key wrapping algorithm - params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(true)); - if (wrapParams.getPayloadWrappingIV() != null) { -- params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr); -+ params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr_wrap); - } - } - -@@ -614,17 +622,60 @@ public class SecurityDataProcessor { - return false; //return true ? TODO - } - -- private byte[] generate_iv(String oid, WrappingParams old) throws Exception { -+ /*** -+ * This method returns an IV for the Encryption Algorithm referenced in OID. -+ * If the oid is null, we return an IV for the default encryption algorithm. -+ * The method checks to see if the encryption algorithm requires an IV by checking -+ * the parameterClasses() for the encryption algorithm. -+ * -+ * @param oid -- OID of encryption algorithm (as a string) -+ * @param defaultAlg -- default encryption algorithm -+ * @return -- initialization vector or null if none needed -+ * @throws Exception if algorithm is not found, or if default and OID are null. -+ * (ie. 
algorithm is unknown) -+ */ -+ private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception { - int numBytes = 0; -- if (oid != null) { -- numBytes = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)).getIVLength(); -- } else { -- // old client (OID not provided) -- numBytes = old.getPayloadEncryptionAlgorithm().getIVLength(); -+ EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)): -+ defaultAlg; -+ -+ if (alg == null) { -+ throw new EBaseException("Cannot determine encryption algorithm to generate IV"); -+ }; -+ -+ if (alg.getParameterClasses() == null) -+ return null; -+ -+ numBytes = alg.getIVLength(); -+ return (new SecureRandom()).generateSeed(numBytes); -+ } -+ -+ /*** -+ * This method returns an IV for the KeyWrap algorithm referenced in wrapName. -+ * If the wrapName is null, we return an IV for the default wrap algorithm. -+ * The method checks to see if the key wrap algorithm requires an IV by checking -+ * the parameterClasses() for the key wrap algorithm. -+ * -+ * @param wrapName -- name of the key wrap algorithm (as defined in JSS) -+ * @param defaultAlg -- default wrapping parameters -+ * @return -- initialization vector or null if none needed -+ * @throws Exception if algorithm is not found, or if default and OID are null. -+ * (ie. algorithm is unknown) -+ */ -+ private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception { -+ int numBytes = 0; -+ KeyWrapAlgorithm alg = wrapName != null ? 
KeyWrapAlgorithm.fromString(wrapName) : -+ defaultAlg; -+ -+ if (alg == null) { -+ throw new EBaseException("Cannot determine keywrap algorithm to generate IV"); - } - -- SecureRandom rnd = new SecureRandom(); -- return rnd.generateSeed(numBytes); -+ if (alg.getParameterClasses() == null) -+ return null; -+ -+ numBytes = alg.getBlockSize(); -+ return (new SecureRandom()).generateSeed(numBytes); - } - - public SymmetricKey recoverSymKey(KeyRecord keyRecord) -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java -index b2008f2..5ffb36b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java -@@ -283,6 +283,10 @@ public class KeyRequestDAO extends CMSRequestDAO { - if (encryptOID != null) - request.setExtData(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); - -+ String wrapName = data.getPayloadWrappingName(); -+ if (wrapName != null) -+ request.setExtData(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName); -+ - return request; - } - -@@ -294,6 +298,7 @@ public class KeyRequestDAO extends CMSRequestDAO { - String wrappedPassPhraseStr = data.getSessionWrappedPassphrase(); - String nonceDataStr = data.getNonceData(); - String encryptOID = data.getPaylodEncryptionOID(); -+ String wrapName = data.getPayloadWrappingName(); - - if (wrappedPassPhraseStr != null) { - requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr); -@@ -310,6 +315,10 @@ public class KeyRequestDAO extends CMSRequestDAO { - if (encryptOID != null) { - requestParams.put(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); - } -+ -+ if (wrapName != null) { -+ requestParams.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName); -+ } - } - - public Hashtable getTransientData(IRequest request) throws EBaseException { --- -1.8.3.1 - - -From 2d7ab34b812eb1cf28c7c53fb43bf595f94a806f 
Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 13 Apr 2017 14:54:38 -0400 -Subject: [PATCH 57/59] Add field to indicate if key was encrypted or wrapped - -Whether a secret was encrypted or wrapped in the storage unit -depends on a parameter in CS.cfg. If that parameter is changed, -the Storage unit may use the wrong mechanism to try to decrypt -the stored key. Thats ok for encrypt/wrap using DES or AES-CBC, -but not for AES KeyWrap. - -In this patch, we add a field in the Key record to specify whether -the secret was encrypted with stored (or keywrapped if false). - -A subsequent patch will change the logic when decrypting to use -this field. - -Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e ---- - base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 2 +- - base/kra/src/com/netscape/kra/AsymKeyGenService.java | 8 ++++++-- - base/kra/src/com/netscape/kra/EnrollmentService.java | 2 +- - base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 3 ++- - base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 5 ++++- - base/kra/src/com/netscape/kra/SymKeyGenService.java | 3 ++- - .../cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java | 1 + - base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java | 3 ++- - 8 files changed, 19 insertions(+), 8 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -index aa4eb30..c947d3c 100644 ---- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -@@ -170,7 +170,7 @@ public interface IKeyRecord { - */ - public String getRealm() throws EBaseException; - -- public void setWrappingParams(WrappingParams params) throws Exception; -+ public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception; - - public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; - } -diff 
--git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index bd2be70..9528972 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.TokenException; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.key.AsymKeyGenerationRequest; -@@ -72,7 +73,7 @@ public class AsymKeyGenService implements IService { - - @Override - public boolean serviceRequest(IRequest request) throws EBaseException { -- -+ IConfigStore cs = CMS.getConfigStore(); - String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); - String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); - -@@ -81,6 +82,8 @@ public class AsymKeyGenService implements IService { - - String realm = request.getRealm(); - -+ boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); -+ - KeyPairGeneratorSpi.Usage[] usageList = null; - String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); - if (usageStr != null) { -@@ -164,6 +167,7 @@ public class AsymKeyGenService implements IService { - WrappingParams params = null; - - try { -+ // TODO(alee) What happens if key wrap algorithm is not supported? 
- params = storageUnit.getWrappingParams(); - privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params); - } catch (Exception e) { -@@ -201,7 +205,7 @@ public class AsymKeyGenService implements IService { - } - - try { -- record.setWrappingParams(params); -+ record.setWrappingParams(params, false); - } catch (Exception e) { - auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), - clientKeyId, null, "Failed to store wrapping params"); -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index 7c179d4..381fee8 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -502,7 +502,7 @@ public class EnrollmentService implements IService { - } - - try { -- rec.setWrappingParams(params); -+ rec.setWrappingParams(params, allowEncDecrypt_archival); - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); - // TODO(alee) Set correct audit message here -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 4926873..e09eb42 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -584,6 +584,7 @@ public class NetkeyKeygenService implements IService { - WrappingParams params = null; - - try { -+ // TODO(alee) What happens if key wrap algorithm is not supported? 
- params = mStorageUnit.getWrappingParams(); - privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); - } catch (Exception e) { -@@ -656,7 +657,7 @@ public class NetkeyKeygenService implements IService { - return false; - } - -- rec.setWrappingParams(params); -+ rec.setWrappingParams(params, false); - - CMS.debug("NetkeyKeygenService: before addKeyRecord"); - rec.set(KeyRecord.ATTR_ID, serialNo); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 4659901..4261833 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -214,6 +214,7 @@ public class SecurityDataProcessor { - - byte[] publicKey = null; - byte privateSecurityData[] = null; -+ boolean doEncrypt = false; - - try { - params = storageUnit.getWrappingParams(); -@@ -222,9 +223,11 @@ public class SecurityDataProcessor { - } else if (unwrapped != null && allowEncDecrypt_archival == true) { - privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params); - Arrays.fill(unwrapped, (byte)0); -+ doEncrypt = true; - CMS.debug("allowEncDecrypt_archival of symmetric key."); - } else if (securityData != null) { - privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params); -+ doEncrypt = true; - } else { // We have no data. 
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, - clientKeyId, null, "Failed to create security data to archive"); -@@ -282,7 +285,7 @@ public class SecurityDataProcessor { - } - - try { -- rec.setWrappingParams(params); -+ rec.setWrappingParams(params, doEncrypt); - } catch (Exception e) { - kra.log(ILogger.LL_FAILURE, - "Failed to store wrapping parameters: " + e); -diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java -index 0dfd3a2..c1830ec 100644 ---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java -@@ -170,6 +170,7 @@ public class SymKeyGenService implements IService { - } - - try { -+ // TODO(alee) what happens if key wrap algorithm is not supported? - params = mStorageUnit.getWrappingParams(); - privateSecurityData = mStorageUnit.wrap(sk, params); - } catch (Exception e) { -@@ -215,7 +216,7 @@ public class SymKeyGenService implements IService { - } - - try { -- rec.setWrappingParams(params); -+ rec.setWrappingParams(params, false); - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, - "Failed to store wrapping parameters: " + e); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java -index b1e6cd6..f4e54c4 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java -@@ -60,6 +60,7 @@ public class KeyRecordParser { - public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV"; - public final static String OUT_PL_ENCRYPTION_IV_LEN = "payloadEncryptionIVLen"; - public final static String OUT_PL_ENCRYPTION_OID = "payloadEncryptionOID"; -+ public static final String OUT_PL_ENCRYPTED = "payloadEncrypted"; - - /** - * Fills key record into argument block. 
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -index 97f4942..b082165 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -@@ -407,7 +407,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { - return realm; - } - -- public void setWrappingParams(WrappingParams params) throws Exception { -+ public void setWrappingParams(WrappingParams params, boolean doEncrypt) throws Exception { - if (mMetaInfo == null) { - mMetaInfo = new MetaInfo(); - } -@@ -456,6 +456,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { - ); - } - -+ mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTED, Boolean.toString(doEncrypt)); - } - - public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception { --- -1.8.3.1 - - -From b04739d364e7e220da29ce8d47654377999ad881 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 13 Apr 2017 16:53:58 -0700 -Subject: [PATCH 58/59] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature - implementation This patch provides the feature for CMC on handling - id-cmc-popLinkWitnessV2 - ---- - .../src/com/netscape/cmstools/CMCRequest.java | 458 +++++++++++++++++++-- - .../src/com/netscape/cmstools/CRMFPopClient.java | 10 +- - .../src/com/netscape/cmstools/PKCS10Client.java | 22 +- - .../netscape/cms/profile/common/EnrollProfile.java | 421 ++++++++++++++----- - .../cms/servlet/common/CMCOutputTemplate.java | 12 + - base/server/cmsbundle/src/UserMessages.properties | 2 + - 6 files changed, 770 insertions(+), 155 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index a2aca8a..ac523ad 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -34,6 +34,7 @@ import 
java.security.NoSuchAlgorithmException;
- import java.text.SimpleDateFormat;
- import java.util.Arrays;
- import java.util.Date;
-+import java.util.Random;
- import java.util.StringTokenizer;
- 
- import org.mozilla.jss.CryptoManager;
-@@ -53,10 +54,12 @@ import org.mozilla.jss.crypto.CryptoToken;
- import org.mozilla.jss.crypto.DigestAlgorithm;
- import org.mozilla.jss.crypto.ObjectNotFoundException;
- import org.mozilla.jss.crypto.PrivateKey;
-+import org.mozilla.jss.crypto.Signature;
- import org.mozilla.jss.crypto.SignatureAlgorithm;
- import org.mozilla.jss.crypto.SymmetricKey;
- import org.mozilla.jss.crypto.X509Certificate;
- import org.mozilla.jss.pkcs10.CertificationRequest;
-+import org.mozilla.jss.pkcs10.CertificationRequestInfo;
- import org.mozilla.jss.pkix.cmc.CMCCertId;
- import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
- import org.mozilla.jss.pkix.cmc.DecryptedPOP;
-@@ -68,6 +71,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
- import org.mozilla.jss.pkix.cmc.OtherMsg;
- import org.mozilla.jss.pkix.cmc.PKIData;
- import org.mozilla.jss.pkix.cmc.PendInfo;
-+import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
- import org.mozilla.jss.pkix.cmc.ResponseBody;
- import org.mozilla.jss.pkix.cmc.TaggedAttribute;
- import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
-@@ -85,7 +89,11 @@ import org.mozilla.jss.pkix.cms.SignerInfo;
- import org.mozilla.jss.pkix.crmf.CertReqMsg;
- import org.mozilla.jss.pkix.crmf.CertRequest;
- import org.mozilla.jss.pkix.crmf.CertTemplate;
-+import org.mozilla.jss.pkix.crmf.POPOSigningKey;
-+import org.mozilla.jss.pkix.crmf.ProofOfPossession;
-+import org.mozilla.jss.pkix.primitive.AVA;
- import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
-+import org.mozilla.jss.pkix.primitive.Attribute;
- import org.mozilla.jss.pkix.primitive.Name;
- import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
- import org.mozilla.jss.util.Password;
-@@ -148,6 +156,43 @@ public class CMCRequest {
- }
- 
- /**
-+ * 
getSigningAlgFromPrivate
-+ *
-+ */
-+ static SignatureAlgorithm getSigningAlgFromPrivate (java.security.PrivateKey privKey) {
-+ String method = "getSigningAlgFromPrivate: ";
-+ System.out.println(method + "begins.");
-+
-+ if (privKey == null) {
-+ System.out.println(method + "method param privKey cannot be null");
-+ System.exit(1);
-+ }
-+
-+ SignatureAlgorithm signAlg = null;
-+ /*
-+ org.mozilla.jss.crypto.PrivateKey.Type signingKeyType =
-+ ((org.mozilla.jss.crypto.PrivateKey) privKey)
-+ .getType();
-+ */
-+ // TODO: allow more options later
-+ String signingKeyType = privKey.getAlgorithm();
-+ System.out.println(method + "found signingKeyType=" + signingKeyType);
-+ if (signingKeyType.equalsIgnoreCase("RSA")) {
-+ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
-+ } else if (signingKeyType.equalsIgnoreCase("EC")) {
-+ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
-+ } else {
-+ System.out.println(method + "Algorithm not supported:" +
-+ signingKeyType);
-+ return null;
-+ }
-+ System.out.println(method + "using SignatureAlgorithm: " +
-+ signAlg.toString());
-+
-+ return signAlg;
-+ }
-+
-+ /**
- * signData signs the request PKIData
- *
- * @param signerCert the certificate of the authorized signer of the CMC revocation request. 
-@@ -190,17 +235,9 @@ public class CMCRequest { - - EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); - DigestAlgorithm digestAlg = null; -- SignatureAlgorithm signAlg = null; -- org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey) -- .getType(); -- if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { -- signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; -- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { -- signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; -- } else { -- System.out.println("Algorithm not supported"); -+ SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey); -+ if (signAlg == null) - return null; -- } - - MessageDigest SHADigest = null; - -@@ -292,9 +329,13 @@ public class CMCRequest { - String transactionMgtId, - String identificationEnable, String identification, - String identityProofEnable, String identityProofSharedSecret, -- String identityProofV2Enable, String witnessSharedSecret, -+ String witnessSharedSecret, -+ String identityProofV2Enable, - String identityProofV2hashAlg, String identityProofV2macAlg, -- SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) { -+ String popLinkWitnessV2Enable, -+ String popLinkWitnessV2keyGenAlg, String popLinkWitnessV2macAlg, -+ SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid, -+ CryptoToken token, PrivateKey privk) { - - String method = "createPKIData: "; - -@@ -305,6 +346,26 @@ public class CMCRequest { - TaggedRequest trq = null; - PKCS10 pkcs = null; - CertReqMsg certReqMsg = null; -+ CertReqMsg new_certReqMsg = null; -+ CertRequest new_certreq = null; -+ -+ PopLinkWitnessV2 popLinkWitnessV2Control = null; -+ if (popLinkWitnessV2Enable.equals("true")) { -+ popLinkWitnessV2Control = -+ createPopLinkWitnessV2Attr( -+ bpid, -+ controlSeq, -+ witnessSharedSecret, -+ popLinkWitnessV2keyGenAlg, -+ popLinkWitnessV2macAlg, -+ 
(identificationEnable.equals("true")) ? -+ identification : null); -+ if (popLinkWitnessV2Control == null) { -+ System.out.println(method + -+ "createPopLinkWitnessV2Attr returned null...exit"); -+ System.exit(1); -+ } -+ } - - // create CMC req - SEQUENCE reqSequence = new SEQUENCE(); -@@ -325,9 +386,63 @@ public class CMCRequest { - System.exit(1); - } - certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0); -- trq = new TaggedRequest(TaggedRequest.CRMF, null, -- certReqMsg); -+ -+ if (popLinkWitnessV2Enable.equals("true")) { -+ System.out.println(method + -+ "popLinkWitnessV2 enabled. reconstructing crmf"); -+ //crmf reconstruction to include PopLinkWitnessV2 control -+ CertRequest certReq = certReqMsg.getCertReq(); -+ INTEGER certReqId = certReq.getCertReqId(); -+ CertTemplate certTemplate = certReq.getCertTemplate(); -+ SEQUENCE controls = certReq.getControls(); -+ controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, -+ popLinkWitnessV2Control)); -+ new_certreq = new CertRequest(certReqId, certTemplate, controls); -+ -+ // recalculate signing POP, if it had one -+ ProofOfPossession new_pop = null; -+ if (certReqMsg.hasPop()) { -+ if (privk == null) { -+ System.out.println(method + -+ "privateKey not found; can't regenerate new POP"); -+ System.exit(1); -+ } -+ if (token == null) { -+ System.out.println(method + -+ "token not found; can't regenerate new POP"); -+ System.exit(1); -+ } -+ new_pop = createNewPOP( -+ certReqMsg, -+ new_certreq, -+ token, -+ privk); -+ } else { // !hasPop -+ System.out.println(method + -+ "old certReqMsg has no pop, so will the new certReqMsg"); -+ } -+ -+ new_certReqMsg = new CertReqMsg(new_certreq, new_pop, null); -+ SEQUENCE seq = new SEQUENCE(); -+ seq.addElement(new_certReqMsg); -+ -+ byte[] encodedNewCrmfMessage = ASN1Util.encode(seq); -+ String b64String = Utils.base64encode(encodedNewCrmfMessage); -+ System.out.println(method + "new CRMF b64encode completes."); -+ 
System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING); -+ System.out.println(b64String); -+ System.out.println(CryptoUtil.CERTREQ_END_HEADING); -+ System.out.println(""); -+ -+ trq = new TaggedRequest(TaggedRequest.CRMF, null, -+ new_certReqMsg); -+ -+ } else { // !popLinkWitnessV2Enable -+ trq = new TaggedRequest(TaggedRequest.CRMF, null, -+ certReqMsg); -+ } - } else if (format.equals("pkcs10")) { -+ System.out.println(method + " format: pkcs10"); - try { - pkcs = new PKCS10(decodedBytes, true); - } catch (Exception e2) { -@@ -338,9 +453,82 @@ public class CMCRequest { - pkcs.toByteArray()); - CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate() - .decode(crInputStream); -- TaggedCertificationRequest tcr = new TaggedCertificationRequest( -- new INTEGER(bpid++), cr); -- trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); -+ if (popLinkWitnessV2Enable.equals("true")) { -+ System.out.println(method + -+ "popLinkWitnessV2 enabled. reconstructing pkcs#10"); -+ //pkcs#10 reconstruction to include PopLinkWitnessV2 control -+ -+ CertificationRequestInfo certReqInfo = cr.getInfo(); -+ -+ INTEGER version = certReqInfo.getVersion(); -+ Name subject = certReqInfo.getSubject(); -+ SubjectPublicKeyInfo spkInfo = certReqInfo.getSubjectPublicKeyInfo(); -+ /* -+ AlgorithmIdentifier alg = spkInfo.getAlgorithmIdentifier(); -+ SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(alg.getOID()); -+ if (signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest) { -+ System.out.println(method + -+ "signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest"); -+ } else { -+ System.out.println(method + -+ "signAlg == " + signAlg.toString()); -+ } -+ */ -+ -+ Attribute attr = new Attribute( -+ OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, -+ popLinkWitnessV2Control); -+ SET attrs = certReqInfo.getAttributes(); -+ if (attrs == null) { -+ attrs = new SET(); -+ } -+ attrs.addElement(attr); -+ System.out.println(method + -+ " new pkcs#10 Attribute created 
for id_cmc_popLinkWitnessV2."); -+ -+ SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privk); -+ if (signAlg == null) { -+ System.out.println(method + -+ "signAlg not found"); -+ System.exit(1); -+ } -+ CertificationRequestInfo new_certReqInfo = new CertificationRequestInfo( -+ version, -+ subject, -+ spkInfo, -+ attrs); -+ System.out.println(method + -+ " new pkcs#10 CertificationRequestInfo created."); -+ -+ CertificationRequest new_certRequest = new CertificationRequest( -+ new_certReqInfo, -+ privk, -+ signAlg); -+ System.out.println(method + -+ "new pkcs#10 CertificationRequest created."); -+ -+ ByteArrayOutputStream bos = new ByteArrayOutputStream(); -+ new_certRequest.encode(bos); -+ byte[] bb = bos.toByteArray(); -+ -+ System.out.println(method + "calling Utils.b64encode."); -+ String b64String = Utils.base64encode(bb); -+ System.out.println(method + "new PKCS#10 b64encode completes."); -+ System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING); -+ System.out.println(b64String); -+ System.out.println(CryptoUtil.CERTREQ_END_HEADING); -+ System.out.println(""); -+ -+ TaggedCertificationRequest tcr = new TaggedCertificationRequest( -+ new INTEGER(bpid++), new_certRequest); -+ trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); -+ -+ } else { // !popLinkWitnessV2Enable -+ -+ TaggedCertificationRequest tcr = new TaggedCertificationRequest( -+ new INTEGER(bpid++), cr); -+ trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); -+ } - } else { - System.out.println(method + " Unrecognized request format: " + format); - System.exit(1); -@@ -348,7 +536,7 @@ public class CMCRequest { - reqSequence.addElement(trq); - } - } catch (Exception e) { -- System.out.println(method + " Exception:" + e.toString()); -+ System.out.println(method + " Exception:" + e); - System.exit(1); - } - -@@ -380,6 +568,63 @@ public class CMCRequest { - return pkidata; - } - -+ /** -+ * createNewPOP -+ * called in case of PopLinkwitnessV2 when pop exists, thus -+ * requiring 
recalculation due to changes in CertRequest controls
-+ *
-+ * @param old_certReqMsg,
-+ * @param new_certReqMsg,
-+ * @param token,
-+ * @param privKey
-+ *
-+ * @author cfu
-+ */
-+ static ProofOfPossession createNewPOP(
-+ CertReqMsg old_certReqMsg,
-+ CertRequest new_certReq,
-+ CryptoToken token,
-+ PrivateKey privKey) {
-+ String method = "createNewPOP: ";
-+
-+ System.out.println(method + "begins");
-+ if (old_certReqMsg == null ||
-+ new_certReq == null ||
-+ token == null ||
-+ privKey == null) {
-+ System.out.println(method + "method params cannot be null.");
-+ System.exit(1);
-+ }
-+ ProofOfPossession old_pop = old_certReqMsg.getPop();
-+ if (old_pop == null) {
-+ System.out.println(method + "no pop in old_certReqMsg.");
-+ System.exit(1);
-+ }
-+
-+ POPOSigningKey PopOfsignKey = old_pop.getSignature();
-+ AlgorithmIdentifier algId = PopOfsignKey.getAlgorithmIdentifier();
-+
-+ byte[] signature = null;
-+ try {
-+ SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(algId.getOID());
-+ Signature signer = token.getSignatureContext(signAlg);
-+ signer.initSign(privKey);
-+ ByteArrayOutputStream bo = new ByteArrayOutputStream();
-+ new_certReq.encode(bo);
-+ signer.update(bo.toByteArray());
-+ signature = signer.sign();
-+ } catch (Exception e) {
-+ System.out.println(method + e);
-+ System.exit(1);
-+ }
-+
-+ System.out.println(method + "about to create POPOSigningKey");
-+ POPOSigningKey newPopOfSigningKey = new POPOSigningKey(null, algId, new BIT_STRING(signature, 0));
-+
-+ System.out.println(method + "creating and returning newPopOfSigningKey");
-+ return ProofOfPossession.createSignature(newPopOfSigningKey);
-+ }
-+
- static void printUsage() {
- System.out.println("");
- System.out.println("Usage: CMCRequest ");
-@@ -516,13 +761,29 @@ public class CMCRequest {
- System.out.println("identityProofV2.hashAlg=SHA-256");
- System.out.println("identityProofV2.macAlg=SHA-256-HMAC");
- System.out.println("");
-+ System.out.println("#witness.sharedSecret 
works with identityProofV2 and popLinkWitnessV2"); - System.out.println("#witness.sharedSecret: Shared Secret"); - System.out.println("witness.sharedSecret=testing"); - System.out.println(""); -- System.out.println("#identification works with identityProofV2"); -+ System.out.println("#identification works with identityProofV2 and popLinkWitnessV2"); - System.out.println("identification.enable=false"); - System.out.println("identification=testuser"); - System.out.println(""); -+ System.out.println("#popLinkWitnessV2.enable: if true, then the underlying request will contain"); -+ System.out.println("#this control or attribute. Otherwise, false."); -+ System.out.println("#Supported keyGenAlg are:"); -+ System.out.println("# SHA-256, SHA-384, and SHA-512"); -+ System.out.println("#Supported macAlg are:"); -+ System.out.println("# SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC"); -+ System.out.println("popLinkWitnessV2.enable=false"); -+ System.out.println("popLinkWitnessV2.keyGenAlg=SHA-256"); -+ System.out.println("popLinkWitnessV2.macAlg=SHA-256-HMAC"); -+ System.out.println(""); -+ System.out.println(""); -+ System.out.println("###############################"); -+ System.out.println("Note: The following controls are outdated and replaced by newer"); -+ System.out.println(" controls above. They remain untouched, but also untested."); -+ System.out.println("###############################"); - System.out.println("#identityProof.enable: if true, then the request will contain"); - System.out.println("#this control. Otherwise, false."); - System.out.println("#Note that this control is updated by identityProofV2 above"); -@@ -879,7 +1140,7 @@ public class CMCRequest { - System.out.println(""); - seq.addElement(getCertControl); - } catch (Exception e) { -- System.out.println("Error in creating get certificate control. Check the parameters."); -+ System.out.println("Error in creating get certificate control. Check the parameters." 
+ e); - System.exit(1); - } - -@@ -1023,6 +1284,118 @@ public class CMCRequest { - return bpid; - } - -+ /** -+ * createPopLinkWitnessV2Attr generates witness v2 -+ * -+ * @param -+ * @return PopLinkWitnessV2 -+ * -+ * @author cfu -+ */ -+ private static PopLinkWitnessV2 createPopLinkWitnessV2Attr( -+ int bpid, SEQUENCE controlSeq, -+ String sharedSecret, -+ String keyGenAlgString, -+ String macAlgString, -+ String ident) { -+ -+ String method = "createPopLinkWitnessV2Attr: "; -+ System.out.println(method + "begins"); -+ -+ if (sharedSecret == null) { -+ System.out.println(method + "method param sharedSecret cannot be null"); -+ System.exit(1); -+ } -+ -+ byte[] key = null; -+ byte[] finalDigest = null; -+ -+ // (1) generate a random byte-string R of 512 bits -+ Random random = new Random(); -+ byte[] random_R = new byte[64]; -+ random.nextBytes(random_R); -+ -+ // default to SHA256 if not specified -+ if (keyGenAlgString == null) { -+ keyGenAlgString = "SHA-256"; -+ } -+ if (macAlgString == null) { -+ macAlgString = "SHA-256-HMAC"; -+ } -+ System.out.println(method + "keyGenAlg=" + keyGenAlgString + -+ "; macAlg=" + macAlgString); -+ -+ String toBeDigested = sharedSecret; -+ if (ident != null) { -+ toBeDigested = sharedSecret + ident; -+ } -+ -+ // (2) compute key from sharedSecret + identity -+ try { -+ MessageDigest hash = MessageDigest.getInstance(keyGenAlgString); -+ key = hash.digest(toBeDigested.getBytes()); -+ } catch (NoSuchAlgorithmException ex) { -+ System.out.println(method + "No such algorithm!"); -+ return null; -+ } -+ -+ MessageDigest mac; -+ // (3) compute MAC over R from (1) using key from (2) -+ try { -+ mac = MessageDigest.getInstance( -+ CryptoUtil.getHMACtoMessageDigestName(macAlgString)); -+ HMACDigest hmacDigest = new HMACDigest(mac, key); -+ hmacDigest.update(random_R); -+ finalDigest = hmacDigest.digest(); -+ } catch (NoSuchAlgorithmException ex) { -+ System.out.println(method + "No such algorithm!"); -+ return null; -+ } -+ -+ // (4) 
encode R as the value of a POP Link Random control
-+ TaggedAttribute idPOPLinkRandom =
-+ new TaggedAttribute(new INTEGER(bpid++),
-+ OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom,
-+ new OCTET_STRING(random_R));
-+ controlSeq.addElement(idPOPLinkRandom);
-+ System.out.println(method +
-+ "Successfully created id_cmc_idPOPLinkRandom control. bpid = "
-+ + (bpid - 1));
-+
-+ AlgorithmIdentifier keyGenAlg;
-+ try {
-+ keyGenAlg = new AlgorithmIdentifier(
-+ CryptoUtil.getHashAlgorithmOID(keyGenAlgString));
-+ } catch (NoSuchAlgorithmException ex) {
-+ System.out.println(method + "No such hashing algorithm:" + keyGenAlgString);
-+ return null;
-+ }
-+ AlgorithmIdentifier macAlg;
-+ try {
-+ macAlg = new AlgorithmIdentifier(
-+ CryptoUtil.getHMACAlgorithmOID(macAlgString));
-+ } catch (NoSuchAlgorithmException ex) {
-+ System.out.println(method + "No such HMAC algorithm:" + macAlgString);
-+ return null;
-+ }
-+
-+ // (5) put MAC value from (3) in PopLinkWitnessV2
-+ PopLinkWitnessV2 popLinkWitnessV2 =
-+ new PopLinkWitnessV2(keyGenAlg, macAlg,
-+ new OCTET_STRING(finalDigest));
-+ /*
-+ * for CRMF, needs to go into CRMF controls field of the CertRequest structure. 
-+ * for PKCS#10, needs to go into the aributes field of CertificationRequestInfo structure
-+ * - return the PopLinkWitnessV2 for such surgical procedure
-+ */
-+ System.out.println(method + "Successfully created PopLinkWitnessV2 control.");
-+
-+ System.out.println(method + "returning...");
-+ System.out.println("");
-+
-+ return popLinkWitnessV2;
-+ }
-+
- private static int addPopLinkWitnessAttr(int bpid, SEQUENCE controlSeq) {
- byte[] seed =
- { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
-@@ -1309,7 +1682,8 @@ public class CMCRequest {
- String dbdir = null, nickname = null;
- String tokenName = null;
- String ifilename = null, ofilename = null, password = null, format = null;
-- String decryptedPopEnable = "false", encryptedPopResponseFile=null, privKeyId = null, decryptedPopRequestFile= null;
-+ String privKeyId = null;
-+ String decryptedPopEnable = "false", encryptedPopResponseFile=null, decryptedPopRequestFile= null;
- String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null;
- String getCertEnable = "false", getCertIssuer = null, getCertSerial = null;
- String dataReturnEnable = "false", dataReturnData = null;
-@@ -1321,7 +1695,9 @@ public class CMCRequest {
- String revRequestInvalidityDatePresent = "false";
- String identificationEnable = "false", identification = null;
- String identityProofEnable = "false", identityProofSharedSecret = null;
-- String identityProofV2Enable = "false", witnessSharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
-+ String identityProofV2Enable = "false", identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
-+ String witnessSharedSecret = null; //shared by identityProofV2 and popLinkWitnessV2
-+ String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256";
- String popLinkWitnessEnable = "false";
- String bodyPartIDs = null, lraPopWitnessEnable = "false";
- 
-@@ -1378,6 +1754,8 @@ 
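Review bot: In createPopLinkWitnessV2Attr, step (1) draws the 512-bit POP-link value R from `java.util.Random`, a time-seeded non-cryptographic PRNG, and that R is then sent in the clear in the id-cmc-idPOPLinkRandom control while the witness is HMAC(key, R) over it, so the linkage value should come from a CSPRNG: replace the `import java.util.Random;` with `import java.security.SecureRandom;` and write `SecureRandom random = new SecureRandom();`. Step (2) derives the HMAC key with `toBeDigested.getBytes()`, which uses the platform default charset, so a shared secret or identity containing non-ASCII characters can hash differently on the client than on the CA; `toBeDigested.getBytes(StandardCharsets.UTF_8)` pins it, provided the server-side derivation (not visible here) uses the same charset. These lines sit in the patch file this import deletes, so the fix only matters if the same code is carried into the replacement pki-core-10.5.1-alpha.patch or the 10.5.1 tarball, which I cannot see from this page.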
public class CMCRequest { - ofilename = val; - } else if (name.equals("input")) { - ifilename = val; -+ } else if (name.equals("numRequests")) { -+ numRequests = val; - } else if (name.equals("decryptedPop.enable")) { - decryptedPopEnable = val; - } else if (name.equals("encryptedPopResponseFile")) { -@@ -1430,14 +1808,21 @@ public class CMCRequest { - identificationEnable = val; - } else if (name.equals("identification")) { - identification = val; -- } else if (name.equals("identityProofV2.enable")) { -- identityProofV2Enable = val; - } else if (name.equals("witness.sharedSecret")) { - witnessSharedSecret = val; -+ } else if (name.equals("identityProofV2.enable")) { -+ identityProofV2Enable = val; - } else if (name.equals("identityProofV2.hashAlg")) { - identityProofV2hashAlg = val; - } else if (name.equals("identityProofV2.macAlg")) { - identityProofV2macAlg = val; -+ } else if (name.equals("popLinkWitnessV2.enable")) { -+ popLinkWitnessV2Enable = val; -+ } else if (name.equals("popLinkWitnessV2.keyGenAlg")) { -+ popLinkWitnessV2keyGenAlg = val; -+ } else if (name.equals("popLinkWitnessV2.macAlg")) { -+ popLinkWitnessV2macAlg = val; -+ /* the following are outdated */ - } else if (name.equals("identityProof.enable")) { - identityProofEnable = val; - } else if (name.equals("identityProof.sharedSecret")) { -@@ -1448,8 +1833,6 @@ public class CMCRequest { - lraPopWitnessEnable = val; - } else if (name.equals("LraPopWitness.bodyPartIDs")) { - bodyPartIDs = val; -- } else if (name.equals("numRequests")) { -- numRequests = val; - } - } - } -@@ -1518,13 +1901,14 @@ public class CMCRequest { - //cfu - ContentInfo cmcblob = null; - PKIData pkidata = null; -- if (decryptedPopEnable.equalsIgnoreCase("true")) { -- PrivateKey privk = null; -+ PrivateKey privk = null; -+ if (decryptedPopEnable.equalsIgnoreCase("true") || -+ popLinkWitnessV2Enable.equalsIgnoreCase("true")) { - if (privKeyId == null) { -- System.out.println("ecryptedPop.enable = true, but privKeyId not 
specified."); -+ System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); - printUsage(); - } else { -- System.out.println("got privKeyId: " + privKeyId); -+ System.out.println("got request privKeyId: " + privKeyId); - - byte[] keyIDb = CryptoUtil.string2byte(privKeyId); - -@@ -1538,7 +1922,9 @@ public class CMCRequest { - System.exit(1); - } - } -+ } - -+ if (decryptedPopEnable.equalsIgnoreCase("true")) { - if (encryptedPopResponseFile == null) { - System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified."); - printUsage(); -@@ -1688,7 +2074,9 @@ public class CMCRequest { - if (senderNonceEnable.equalsIgnoreCase("true")) - bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce); - -- if (popLinkWitnessEnable.equalsIgnoreCase("true")) -+ //popLinkWitnessV2 takes precedence -+ if (!popLinkWitnessV2Enable.equalsIgnoreCase("true") & -+ popLinkWitnessEnable.equalsIgnoreCase("true")) - bpid = addPopLinkWitnessAttr(bpid, controlSeq); - - SEQUENCE otherMsgSeq = new SEQUENCE(); -@@ -1711,9 +2099,13 @@ public class CMCRequest { - format, transactionMgtEnable, transactionMgtId, - identificationEnable, identification, - identityProofEnable, identityProofSharedSecret, -- identityProofV2Enable, witnessSharedSecret, -+ witnessSharedSecret, -+ identityProofV2Enable, - identityProofV2hashAlg, identityProofV2macAlg, -- controlSeq, otherMsgSeq, bpid); -+ popLinkWitnessV2Enable, -+ popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg, -+ controlSeq, otherMsgSeq, bpid, -+ token, privk); - - if (pkidata == null) { - System.out.println("pkidata null after createPKIData(). 
Exiting with error");
-diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-index c5da9cf..5d9f7f1 100644
---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-@@ -599,8 +599,10 @@ public class CRMFPopClient {
- SEQUENCE seq = new SEQUENCE();
- seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts));
- 
-+ /*
- OCTET_STRING ostr = createIDPOPLinkWitness();
- seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr));
-+ */
- 
- return new CertRequest(new INTEGER(1), certTemplate, seq);
- }
-@@ -676,10 +678,10 @@ public class CRMFPopClient {
- 
- Signature signer;
- if (algorithm.equals("rsa")) {
-- signer = token.getSignatureContext(SignatureAlgorithm.RSASignatureWithMD5Digest);
-+ signer = token.getSignatureContext(SignatureAlgorithm.RSASignatureWithSHA256Digest);
- 
- } else if (algorithm.equals("ec")) {
-- signer = token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA1Digest);
-+ signer = token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA256Digest);
- 
- } else {
- throw new Exception("Unknown algorithm: " + algorithm);
- }
-@@ -694,10 +696,10 @@ public class CRMFPopClient {
- 
- AlgorithmIdentifier algorithmID;
- if (algorithm.equals("rsa")) {
-- algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null);
-+ algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithSHA256Digest.toOID(), null);
- 
- } else if (algorithm.equals("ec")) {
-- algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA1Digest.toOID(), null);
-+ algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID(), null);
- 
- } else {
- throw new Exception("Unknown algorithm: " + algorithm);
-diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java 
b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -index 57f8792..fd1d087 100644 ---- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -@@ -22,14 +22,12 @@ import java.io.FileOutputStream; - import java.io.IOException; - import java.io.PrintStream; - import java.security.KeyPair; --import java.security.MessageDigest; - import java.security.PublicKey; - - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.BMPString; - import org.mozilla.jss.asn1.INTEGER; - import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; --import org.mozilla.jss.asn1.OCTET_STRING; - import org.mozilla.jss.asn1.PrintableString; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.asn1.TeletexString; -@@ -38,17 +36,16 @@ import org.mozilla.jss.asn1.UniversalString; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.KeyPairAlgorithm; - import org.mozilla.jss.crypto.KeyPairGenerator; -+import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.crypto.SignatureAlgorithm; - import org.mozilla.jss.pkcs10.CertificationRequest; - import org.mozilla.jss.pkcs10.CertificationRequestInfo; - import org.mozilla.jss.pkix.primitive.AVA; --import org.mozilla.jss.pkix.primitive.Attribute; - import org.mozilla.jss.pkix.primitive.Name; - import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; - import org.mozilla.jss.util.Password; - - import com.netscape.cmsutil.crypto.CryptoUtil; --import com.netscape.cmsutil.util.HMACDigest; - import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS10; -@@ -248,6 +245,8 @@ public class PKCS10Client { - - System.out.println("PKCS10Client: key pair generated."); //key pair generated"); - -+ /*** leave out this test code; cmc can add popLinkwitnessV2; -+ - // Add idPOPLinkWitness control - String secretValue = "testing"; - byte[] key1 = null; -@@ -255,7 +254,7 @@ public class PKCS10Client { - MessageDigest 
SHA1Digest = MessageDigest.getInstance("SHA1"); - key1 = SHA1Digest.digest(secretValue.getBytes()); - -- /* seed */ -+ // seed - byte[] b = - { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c, - 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c, -@@ -272,9 +271,10 @@ public class PKCS10Client { - - OCTET_STRING ostr = new OCTET_STRING(finalDigest); - Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr); -+ ***/ - - SET attributes = new SET(); -- attributes.addElement(attr); -+ //attributes.addElement(attr); - Name n = getJssName(enable_encoding, subjectName); - SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic()); - System.out.println("PKCS10Client: pair.getPublic() called."); -@@ -286,7 +286,7 @@ public class PKCS10Client { - if (alg.equals("rsa")) { - CertificationRequest certRequest = null; - certRequest = new CertificationRequest(certReqInfo, -- pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest); -+ pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest); - System.out.println("PKCS10Client: CertificationRequest created."); - - ByteArrayOutputStream bos = new ByteArrayOutputStream(); -@@ -323,6 +323,14 @@ public class PKCS10Client { - b64E = CryptoUtil.base64Encode(certReqb); - } - -+ // print out keyid to be used in cmc popLinkWitnessV2 -+ PrivateKey privateKey = (PrivateKey) pair.getPrivate(); -+ @SuppressWarnings("deprecation") -+ byte id[] = privateKey.getUniqueID(); -+ String kid = CryptoUtil.byte2string(id); -+ System.out.println("Keypair private key id: " + kid); -+ System.out.println(""); -+ - System.out.println(RFC7468_HEADER); - System.out.println(b64E); - System.out.println(RFC7468_TRAILER); -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 370cc33..5f7b0ef 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ 
b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -55,6 +55,7 @@ import org.mozilla.jss.pkix.cmc.IdentityProofV2; - import org.mozilla.jss.pkix.cmc.LraPopWitness; - import org.mozilla.jss.pkix.cmc.OtherMsg; - import org.mozilla.jss.pkix.cmc.PKIData; -+import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2; - import org.mozilla.jss.pkix.cmc.TaggedAttribute; - import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; - import org.mozilla.jss.pkix.cmc.TaggedRequest; -@@ -64,6 +65,7 @@ import org.mozilla.jss.pkix.crmf.CertTemplate; - import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; - import org.mozilla.jss.pkix.crmf.ProofOfPossession; - import org.mozilla.jss.pkix.primitive.AVA; -+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; - import org.mozilla.jss.pkix.primitive.Attribute; - import org.mozilla.jss.pkix.primitive.Name; - import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; -@@ -73,7 +75,6 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.authority.IAuthority; - import com.netscape.certsrv.base.EBaseException; --import com.netscape.certsrv.base.EPropertyNotFound; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.logging.AuditEvent; -@@ -143,6 +144,9 @@ public abstract class EnrollProfile extends BasicProfile - */ - public IRequest[] createRequests(IProfileContext ctx, Locale locale) - throws EProfileException { -+ String method = "EnrollProfile: createRequests"; -+ CMS.debug(method + "begins"); -+ - // determine how many requests should be created - String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE); - String cert_request = ctx.get(CTX_CERT_REQUEST); -@@ -151,7 +155,7 @@ public abstract class EnrollProfile extends BasicProfile - - /* cert_request_type can be null for the case of CMC */ - if (cert_request_type == null) { -- 
CMS.debug("EnrollProfile: request type is null"); -+ CMS.debug(method + " request type is null"); - } - - int num_requests = 1; // default to 1 request -@@ -174,10 +178,14 @@ public abstract class EnrollProfile extends BasicProfile - */ - // catch for invalid request - cmc_msgs = parseCMC(locale, cert_request); -- if (cmc_msgs == null) -+ if (cmc_msgs == null) { -+ CMS.debug(method + "parseCMC returns cmc_msgs null"); - return null; -- else -+ } else { - num_requests = cmc_msgs.length; -+ CMS.debug(method + "parseCMC returns cmc_msgs num_requests=" + -+ num_requests); -+ } - } - - // only 1 request for renewal -@@ -356,7 +364,6 @@ public abstract class EnrollProfile extends BasicProfile - throw new EBaseException(method + msg); - } - byte[] req_key_data = req.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); -- netscape.security.x509.CertificateX509Key pubKey = null; - if (req_key_data != null) { - CMS.debug(method + "found user public key in request"); - -@@ -511,6 +518,11 @@ public abstract class EnrollProfile extends BasicProfile - } - } - -+ /* -+ * parseCMC -+ * @throws EProfileException in case of error -+ * note: returing "null" doesn't mean failure -+ */ - public TaggedRequest[] parseCMC(Locale locale, String certreq) - throws EProfileException { - -@@ -553,6 +565,7 @@ public abstract class EnrollProfile extends BasicProfile - int numcontrols = controlSeq.size(); - SEQUENCE reqSeq = pkiData.getReqSequence(); - byte randomSeed[] = null; -+ UTF8String ident_s = null; - SessionContext context = SessionContext.getContext(); - if (!context.containsKey("numOfControls")) { - if (numcontrols > 0) { -@@ -588,6 +601,7 @@ public abstract class EnrollProfile extends BasicProfile - id_cmc_identityProof = true; - attr = attributes[i]; - } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { -+ CMS.debug(method + "id_cmc_idPOPLinkRandom true"); - id_cmc_idPOPLinkRandom = true; - vals = attributes[i].getValues(); - } else { -@@ -621,23 +635,31 @@ public 
abstract class EnrollProfile extends BasicProfile - return null; - } - -- UTF8String ident_s = null; - if (id_cmc_identification) { - if (ident == null) { - msg = "id_cmc_identification contains null attribute value"; - CMS.debug(method + msg); - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identification", bpids); -- return null; -+ -+ msg = " id_cmc_identification attribute value not found in"; -+ CMS.debug(method + msg); -+ throw new EProfileException( -+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + -+ msg); - } - ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(), - ASN1Util.encode(ident.elementAt(0)))); - if (ident_s == null) { -- msg = "id_cmc_identification contains invalid content"; -+ msg = " id_cmc_identification contains invalid content"; - CMS.debug(method + msg); - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identification", bpids); -- return null; -+ -+ CMS.debug(method + msg); -+ throw new EProfileException( -+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + -+ msg); - } - } - -@@ -646,7 +668,8 @@ public abstract class EnrollProfile extends BasicProfile - if (!id_cmc_identification) { - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identification", bpids); -- msg = "id_cmc_identityProofV2 must be accompanied by id_cmc_identification in this server"; -+ context.put("identityProofV2", bpids); -+ msg = "id_cmc_identityProofV2 missing id_cmc_identification"; - CMS.debug(method + msg); - throw new EProfileException( - CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + -@@ -658,7 +681,11 @@ public abstract class EnrollProfile extends BasicProfile - if (!valid) { - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identityProofV2", bpids); -- return null; -+ -+ msg = " in verifyIdentityProofV2"; -+ CMS.debug(method + msg); -+ throw new EProfileException(CMS.getUserMessage(locale, -+ "CMS_POI_VERIFICATION_ERROR")+ msg); - } - } else if (id_cmc_identityProof && (attr 
!= null)) { - boolean valid = verifyIdentityProof(attr, -@@ -666,14 +693,20 @@ public abstract class EnrollProfile extends BasicProfile - if (!valid) { - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identityProof", bpids); -- return null; -+ -+ msg = " in verifyIdentityProof"; -+ CMS.debug(method + msg); -+ throw new EProfileException(CMS.getUserMessage(locale, -+ "CMS_POI_VERIFICATION_ERROR")+ msg); - } - } - - if (id_cmc_idPOPLinkRandom && vals != null) { -- OCTET_STRING ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -+ OCTET_STRING ostr = -+ (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), - ASN1Util.encode(vals.elementAt(0)))); - randomSeed = ostr.toByteArray(); -+ CMS.debug(method + "got randomSeed"); - } - } // numcontrols > 0 - } -@@ -691,19 +724,55 @@ public abstract class EnrollProfile extends BasicProfile - - int nummsgs = reqSeq.size(); - if (nummsgs > 0) { -+ - msgs = new TaggedRequest[reqSeq.size()]; - SEQUENCE bpids = new SEQUENCE(); -+ -+ /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true -+ // enforce popLinkWitness (or V2) -+ boolean popLinkWitnessRequired = true; -+ try { -+ String configName = "cmc.popLinkWitnessRequired"; -+ CMS.debug(method + "getting :" + configName); -+ popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true); -+ CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired); -+ } catch (Exception e) { -+ // unlikely to get here -+ msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; -+ CMS.debug(msg); -+ throw new EProfileException(method + msg); -+ } -+*/ -+ - boolean valid = true; - for (int i = 0; i < nummsgs; i++) { - msgs[i] = (TaggedRequest) reqSeq.elementAt(i); -- if (!context.containsKey("POPLinkWitness")) { -+ if (!context.containsKey("POPLinkWitnessV2") && -+ !context.containsKey("POPLinkWitness")) { - if (randomSeed != null) { -- valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids); -- if (!valid || 
bpids.size() > 0) { -- context.put("POPLinkWitness", bpids); -- return null; -+ // verifyPOPLinkWitness() will determine if this is -+ // POPLinkWitnessV2 or POPLinkWitness -+ // If failure, context is set in verifyPOPLinkWitness -+ valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); -+ if (valid == false) { -+ if (context.containsKey("POPLinkWitnessV2")) -+ msg = " in POPLinkWitnessV2"; -+ else if (context.containsKey("POPLinkWitness")) -+ msg = " in POPLinkWitness"; -+ else -+ msg = " unspecified failure from verifyPOPLinkWitness"; -+ -+ CMS.debug(method + msg); -+ throw new EProfileException(CMS.getUserMessage(locale, -+ "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg); - } -- } -+ /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip -+ } else if (popLinkWitnessRequired == true) { -+ //popLinkWitnessRequired == true, must have randomSeed -+ CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found"); -+ context.put("POPLinkWitnessV2", bpids); -+ return null;*/ -+ } //randomSeed != null - } - } - } else -@@ -711,8 +780,10 @@ public abstract class EnrollProfile extends BasicProfile - - CMS.debug(method + "ends"); - return msgs; -+ } catch (EProfileException e) { -+ throw new EProfileException(e); - } catch (Exception e) { -- CMS.debug(method + "Unable to parse CMC request: " + e); -+ CMS.debug(method + e); - throw new EProfileException( - CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); - } -@@ -778,9 +849,9 @@ public abstract class EnrollProfile extends BasicProfile - } - - byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST); -- if (pop_sysPubEncreyptedSession == null) { -+ if (cmc_msg == null) { - msg = method + -- "pop_sysPubEncreyptedSession not found in request:" + -+ "cmc_msg not found in request:" + - reqId.toString(); - CMS.debug(msg); - return null; -@@ -857,43 +928,125 @@ public abstract class EnrollProfile 
extends BasicProfile - return reqId; - } - -- private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req, -- SEQUENCE bpids) { -- ISharedToken tokenClass = null; -- boolean sharedSecretFound = true; -- String name = null; -+ /** -+ * getPopLinkWitnessV2control -+ * -+ * @author cfu -+ */ -+ protected PopLinkWitnessV2 getPopLinkWitnessV2control(ASN1Value value) { -+ String method = "EnrollProfile: getPopLinkWitnessV2control: "; -+ -+ ByteArrayInputStream bis = new ByteArrayInputStream( -+ ASN1Util.encode(value)); -+ PopLinkWitnessV2 popLinkWitnessV2 = null; -+ - try { -- name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); -- } catch (EPropertyNotFound e) { -- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); -- sharedSecretFound = false; -- } catch (EBaseException e) { -- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); -- sharedSecretFound = false; -+ popLinkWitnessV2 = (PopLinkWitnessV2) (new PopLinkWitnessV2.Template()).decode(bis); -+ } catch (Exception e) { -+ CMS.debug(method + e); -+ } -+ return popLinkWitnessV2; -+ } -+ -+ /** -+ * verifyPopLinkWitnessV2 -+ * -+ * @author cfu -+ */ -+ protected boolean verifyPopLinkWitnessV2( -+ PopLinkWitnessV2 popLinkWitnessV2, -+ byte[] randomSeed, -+ String sharedSecret, -+ String ident_string) { -+ String method = "EnrollProfile: verifyPopLinkWitnessV2: "; -+ -+ if ((popLinkWitnessV2 == null) || -+ (randomSeed == null) || -+ (sharedSecret == null)) { -+ CMS.debug(method + " method parameters cannot be null"); -+ return false; -+ } -+ AlgorithmIdentifier keyGenAlg = popLinkWitnessV2.getKeyGenAlgorithm(); -+ AlgorithmIdentifier macAlg = popLinkWitnessV2.getMacAlgorithm(); -+ OCTET_STRING witness = popLinkWitnessV2.getWitness(); -+ if (keyGenAlg == null) { -+ CMS.debug(method + " keyGenAlg reurned by popLinkWitnessV2.getWitness is null"); -+ return false; -+ } -+ if (macAlg == null) { -+ CMS.debug(method + " macAlg 
reurned by popLinkWitnessV2.getWitness is null"); -+ return false; -+ } -+ if (witness == null) { -+ CMS.debug(method + " witness reurned by popLinkWitnessV2.getWitness is null"); -+ return false; - } - - try { -- tokenClass = (ISharedToken) Class.forName(name).newInstance(); -- } catch (ClassNotFoundException e) { -- CMS.debug("EnrollProfile: Failed to find class name: " + name); -- sharedSecretFound = false; -- } catch (InstantiationException e) { -- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -- sharedSecretFound = false; -- } catch (IllegalAccessException e) { -- CMS.debug("EnrollProfile: Illegal access: " + name); -+ DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID()); -+ MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString()); -+ -+ HMACAlgorithm macAlgID = HMACAlgorithm.fromOID(macAlg.getOID()); -+ MessageDigest macMDAlg = MessageDigest -+ .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString())); -+ -+ byte[] witness_bytes = witness.toByteArray(); -+ return verifyDigest( -+ (ident_string != null) ? 
(sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(), -+ randomSeed, -+ witness_bytes, -+ keyGenMDAlg, macMDAlg); -+ } catch (NoSuchAlgorithmException e) { -+ CMS.debug(method + e); -+ return false; -+ } catch (Exception e) { -+ CMS.debug(method + e); -+ return false; -+ } -+ } -+ -+ /* -+ * verifyPOPLinkWitness now handles POPLinkWitnessV2; -+ */ -+ private boolean verifyPOPLinkWitness( -+ UTF8String ident, byte[] randomSeed, TaggedRequest req, -+ SEQUENCE bpids, SessionContext context) { -+ String method = "EnrollProfile: verifyPOPLinkWitness: "; -+ CMS.debug(method + "begins."); -+ -+ String ident_string = null; -+ if (ident != null) { -+ ident_string = ident.toString(); -+ } -+ -+ boolean sharedSecretFound = true; -+ String configName = "cmc.sharedSecret.class"; -+ String sharedSecret = null; -+ ISharedToken tokenClass = getSharedTokenClass(configName); -+ if (tokenClass == null) { -+ CMS.debug(method + " Failed to retrieve shared secret plugin class"); - sharedSecretFound = false; -+ } else { -+ if (ident_string != null) { -+ sharedSecret = tokenClass.getSharedToken(ident_string); -+ } else { -+ sharedSecret = tokenClass.getSharedToken(mCMCData); -+ } -+ if (sharedSecret == null) -+ sharedSecretFound = false; - } - - INTEGER reqId = null; - byte[] bv = null; -- String sharedSecret = null; -- if (tokenClass != null) -- sharedSecret = tokenClass.getSharedToken(mCMCData); -+ - if (req.getType().equals(TaggedRequest.PKCS10)) { -+ String methodPos = method + "PKCS10: "; -+ CMS.debug(methodPos + "begins"); -+ - TaggedCertificationRequest tcr = req.getTcr(); - if (!sharedSecretFound) { - bpids.addElement(tcr.getBodyPartID()); -+ context.put("POPLinkWitness", bpids); - return false; - } else { - CertificationRequest creq = tcr.getCertificationRequest(); -@@ -901,13 +1054,42 @@ public abstract class EnrollProfile extends BasicProfile - SET attrs = cinfo.getAttributes(); - for (int j = 0; j < attrs.size(); j++) { - Attribute pkcs10Attr = (Attribute) 
attrs.elementAt(j); -- if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -+ if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -+ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -+ if (ident_string == null) { -+ bpids.addElement(reqId); -+ context.put("identification", bpids); -+ context.put("POPLinkWitnessV2", bpids); -+ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; -+ CMS.debug(methodPos + msg); -+ return false; -+ } -+ -+ SET witnessVal = pkcs10Attr.getValues(); -+ if (witnessVal.size() > 0) { -+ try { -+ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0)); -+ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -+ randomSeed, -+ sharedSecret, -+ ident_string); -+ if (!valid) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitnessV2", bpids); -+ return valid; -+ } -+ return true; -+ } catch (Exception ex) { -+ CMS.debug(methodPos + ex); -+ return false; -+ } -+ } -+ } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { - SET witnessVal = pkcs10Attr.getValues(); - if (witnessVal.size() > 0) { - try { -- OCTET_STRING str = -- (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -- ASN1Util.encode(witnessVal.elementAt(0)))); -+ OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -+ ASN1Util.encode(witnessVal.elementAt(0)))); - bv = str.toByteArray(); - return verifyDigest(sharedSecret.getBytes(), - randomSeed, bv); -@@ -921,27 +1103,55 @@ public abstract class EnrollProfile extends BasicProfile - return false; - } - } else if (req.getType().equals(TaggedRequest.CRMF)) { -+ String methodPos = method + "CRMF: "; -+ CMS.debug(methodPos + "begins"); -+ - CertReqMsg crm = req.getCrm(); - CertRequest certReq = crm.getCertReq(); - reqId = certReq.getCertReqId(); - if (!sharedSecretFound) { - bpids.addElement(reqId); -+ context.put("POPLinkWitness", 
bpids); - return false; - } else { - for (int i = 0; i < certReq.numControls(); i++) { - AVA ava = certReq.controlAt(i); - -- if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -+ if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -+ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -+ if (ident_string == null) { -+ bpids.addElement(reqId); -+ context.put("identification", bpids); -+ context.put("POPLinkWitnessV2", bpids); -+ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; -+ CMS.debug(methodPos + msg); -+ return false; -+ } -+ -+ ASN1Value value = ava.getValue(); -+ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); -+ -+ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -+ randomSeed, -+ sharedSecret, -+ ident_string); -+ if (!valid) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitnessV2", bpids); -+ return valid; -+ } -+ } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -+ CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); - ASN1Value value = ava.getValue(); - ByteArrayInputStream bis = new ByteArrayInputStream( - ASN1Util.encode(value)); - OCTET_STRING ostr = null; - try { -- ostr = (OCTET_STRING) -- (new OCTET_STRING.Template()).decode(bis); -+ ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); - bv = ostr.toByteArray(); - } catch (Exception e) { - bpids.addElement(reqId); -+ context.put("POPLinkWitness", bpids); - return false; - } - -@@ -949,6 +1159,7 @@ public abstract class EnrollProfile extends BasicProfile - randomSeed, bv); - if (!valid) { - bpids.addElement(reqId); -+ context.put("POPLinkWitness", bpids); - return valid; - } - } -@@ -1002,10 +1213,7 @@ public abstract class EnrollProfile extends BasicProfile - byte[] finalDigest = null; - HMACDigest hmacDigest = new HMACDigest(macAlg, key); - hmacDigest.update(text); -- if (hmacDigest == null) { -- CMS.debug(method + " 
hmacDigest null after hmacDigest.update"); -- return false; -- } -+ - finalDigest = hmacDigest.digest(); - - if (finalDigest.length != bv.length) { -@@ -1041,6 +1249,40 @@ public abstract class EnrollProfile extends BasicProfile - return bpids; - } - -+ -+ ISharedToken getSharedTokenClass(String configName) { -+ String method = "EnrollProfile: getSharedTokenClass: "; -+ ISharedToken tokenClass = null; -+ -+ String name = null; -+ try { -+ CMS.debug(method + "getting :" + configName); -+ name = CMS.getConfigStore().getString(configName); -+ CMS.debug(method + "Shared Secret plugin class name retrieved:" + -+ name); -+ } catch (Exception e) { -+ CMS.debug(method + " Failed to retrieve shared secret plugin class name"); -+ return null; -+ } -+ -+ try { -+ tokenClass = (ISharedToken) Class.forName(name).newInstance(); -+ CMS.debug(method + "Shared Secret plugin class retrieved"); -+ } catch (ClassNotFoundException e) { -+ CMS.debug(method + " Failed to find class name: " + name); -+ return null; -+ } catch (InstantiationException e) { -+ CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -+ return null; -+ } catch (IllegalAccessException e) { -+ CMS.debug(method + " Illegal access: " + name); -+ return null; -+ } -+ -+ return tokenClass; -+ } -+ -+ - /** - * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272 - * -@@ -1070,32 +1312,9 @@ public abstract class EnrollProfile extends BasicProfile - return false; - } - -- String name = null; -- try { -- String configName = "cmc.sharedSecret.class"; -- CMS.debug(method + "getting :" + configName); -- name = CMS.getConfigStore().getString(configName); -- CMS.debug(method + "Shared Secret plugin class name retrieved:" + -- name); -- } catch (Exception e) { -- CMS.debug(method + " Failed to retrieve shared secret plugin class name"); -- return false; -- } -+ String configName = "cmc.sharedSecret.class"; -+ ISharedToken tokenClass = getSharedTokenClass(configName); - -- ISharedToken tokenClass = 
null; -- try { -- tokenClass = (ISharedToken) Class.forName(name).newInstance(); -- CMS.debug(method + "Shared Secret plugin class retrieved"); -- } catch (ClassNotFoundException e) { -- CMS.debug(method + " Failed to find class name: " + name); -- return false; -- } catch (InstantiationException e) { -- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -- return false; -- } catch (IllegalAccessException e) { -- CMS.debug(method + " Illegal access: " + name); -- return false; -- } - if (tokenClass == null) { - CMS.debug(method + " Failed to retrieve shared secret plugin class"); - return false; -@@ -1116,19 +1335,13 @@ public abstract class EnrollProfile extends BasicProfile - try { - IdentityProofV2 idV2val = (IdentityProofV2) (ASN1Util.decode(IdentityProofV2.getTemplate(), - ASN1Util.encode(vals.elementAt(0)))); -- /** -- * TODO: cfu: -- * phase2: getting configurable allowable hashing and mac algorithms -- */ - - DigestAlgorithm hashAlgID = DigestAlgorithm.fromOID(idV2val.getHashAlgID().getOID()); - MessageDigest hashAlg = MessageDigest.getInstance(hashAlgID.toString()); -- // TODO: check against CA allowed algs later - - HMACAlgorithm macAlgId = HMACAlgorithm.fromOID(idV2val.getMacAlgId().getOID()); - MessageDigest macAlg = MessageDigest - .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgId.toString())); -- // TODO: check against CA allowed algs later - - OCTET_STRING witness = idV2val.getWitness(); - if (witness == null) { -@@ -1151,32 +1364,18 @@ public abstract class EnrollProfile extends BasicProfile - } // verifyIdentityProofV2 - - private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { -+ String method = "verifyIdentityProof: "; -+ - SET vals = attr.getValues(); - if (vals.size() < 1) - return false; -- String name = null; -- try { -- name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); -- } catch (EPropertyNotFound e) { -- } catch (EBaseException e) { -- } - -- if (name == null) -+ String 
configName = "cmc.sharedSecret.class"; -+ ISharedToken tokenClass = getSharedTokenClass(configName); -+ if (tokenClass == null) { -+ CMS.debug(method + " Failed to retrieve shared secret plugin class"); - return false; -- else { -- ISharedToken tokenClass = null; -- try { -- tokenClass = (ISharedToken) Class.forName(name).newInstance(); -- } catch (ClassNotFoundException e) { -- CMS.debug("EnrollProfile: Failed to find class name: " + name); -- return false; -- } catch (InstantiationException e) { -- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -- return false; -- } catch (IllegalAccessException e) { -- CMS.debug("EnrollProfile: Illegal access: " + name); -- return false; -- } -+ } - - String token = tokenClass.getSharedToken(mCMCData); - OCTET_STRING ostr = null; -@@ -1184,20 +1383,20 @@ public abstract class EnrollProfile extends BasicProfile - ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), - ASN1Util.encode(vals.elementAt(0)))); - } catch (InvalidBERException e) { -- CMS.debug("EnrollProfile: Failed to decode the byte value."); -+ CMS.debug(method + "Failed to decode the byte value."); - return false; - } - byte[] b = ostr.toByteArray(); - byte[] text = ASN1Util.encode(reqSeq); - - return verifyDigest(token.getBytes(), text, b); -- } - } - - public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, - IRequest req) - throws EProfileException { - String method = "EnrollProfile: fillTaggedRequest: "; -+ CMS.debug(method + "begins"); - TaggedRequest.Type type = tagreq.getType(); - if (type == null) { - CMS.debug(method + "TaggedRequest type == null"); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index ac690f2..c130a1e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ 
b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -268,6 +268,18 @@ public class CMCOutputTemplate { - controlSeq.addElement(tagattr); - } - -+ SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2"); -+ if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) { -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, -+ new INTEGER(OtherInfo.BAD_REQUEST), null); -+ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, -+ POPLinkWitnessV2Bpids, (String) null, otherInfo); -+ tagattr = new TaggedAttribute( -+ new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ controlSeq.addElement(tagattr); -+ } -+ - SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness"); - if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) { - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index bc7f8cf..bf96f90 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -306,6 +306,8 @@ CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be v - # ProfileSubmitServlet - ####################################################### - CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed -+CMS_POI_VERIFICATION_ERROR=Proof-of-Identification Verification Failed -+CMS_POP_LINK_WITNESS_VERIFICATION_ERROR=POP Link Witness Verification Failed - CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication - CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate. 
- CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication --- -1.8.3.1 - - -From 0bd94db7a4266a7a91e08162c7e5eebf071800f2 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 13 Apr 2017 20:44:32 -0400 -Subject: [PATCH 59/59] Allow key recovery to use encrypted field in key record - -The previous commit added a field in the KeyRecord to -specify whether or not a key was encrypted or key wrapped -when archived. This patch modifies the recovery servlets -to use this field to determine how to decrypt/unwrap the -key for transport. - -Absence of this field in the key record implies that is -an old record - and we use the value of the CS.cfg parameter -as the default. - -Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50 ---- - .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 2 ++ - base/kra/src/com/netscape/kra/RecoveryService.java | 13 ++++++++++--- - .../src/com/netscape/kra/SecurityDataProcessor.java | 21 ++++++++++++++------- - .../com/netscape/kra/TokenKeyRecoveryService.java | 11 +++++++++-- - .../src/com/netscape/cmscore/dbs/KeyRecord.java | 9 +++++++++ - 5 files changed, 44 insertions(+), 12 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -index c947d3c..d3aaa63 100644 ---- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java -@@ -173,4 +173,6 @@ public interface IKeyRecord { - public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception; - - public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; -+ -+ public Boolean isEncrypted() throws EBaseException; - } -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index c89e2f3..fda5b80 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ 
b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -224,8 +224,15 @@ public class RecoveryService implements IService { - statsSub.startTiming("recover_key"); - } - -+ Boolean encrypted = keyRecord.isEncrypted(); -+ if (encrypted == null) { -+ // must be an old key record -+ // assume the value of allowEncDecrypt -+ encrypted = allowEncDecrypt_recovery; -+ } -+ - PrivateKey privKey = null; -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - privateKeyData = recoverKey(params, keyRecord); - } else { - privKey = recoverKey(params, keyRecord, isRSA); -@@ -234,7 +241,7 @@ public class RecoveryService implements IService { - statsSub.endTiming("recover_key"); - } - -- if ((isRSA == true) && (allowEncDecrypt_recovery == true)) { -+ if ((isRSA == true) && encrypted) { - if (statsSub != null) { - statsSub.startTiming("verify_key"); - } -@@ -253,7 +260,7 @@ public class RecoveryService implements IService { - if (statsSub != null) { - statsSub.startTiming("create_p12"); - } -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - createPFX(request, params, privateKeyData); - } else { - createPFX(request, params, privKey, ct); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 4261833..701b611 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -363,8 +363,15 @@ public class SecurityDataProcessor { - byte[] unwrappedSecData = null; - PrivateKey privateKey = null; - -+ Boolean encrypted = keyRecord.isEncrypted(); -+ if (encrypted == null) { -+ // must be an old key record -+ // assume the value of allowEncDecrypt -+ encrypted = allowEncDecrypt_recovery; -+ } -+ - if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true."); - 
unwrappedSecData = recoverSecurityData(keyRecord); - } else { -@@ -375,7 +382,7 @@ public class SecurityDataProcessor { - unwrappedSecData = recoverSecurityData(keyRecord); - } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { - try { -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true."); - unwrappedSecData = recoverSecurityData(keyRecord); - } else { -@@ -466,7 +473,7 @@ public class SecurityDataProcessor { - if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { - - CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with transport passphrase"); -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, symmetric key: create blob with unwrapped key."); - pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); - } else { -@@ -478,7 +485,7 @@ public class SecurityDataProcessor { - CMS.debug("SecurityDataProcessor.recover(): encrypt stored passphrase with transport passphrase"); - pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); - } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, asymmetric key: create blob with unwrapped key."); - pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); - } else { -@@ -511,7 +518,7 @@ public class SecurityDataProcessor { - if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { - CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with session key"); - try { -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per 
allowEncDecrypt_recovery: true."); - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, - SymmetricKey.Usage.ENCRYPT, wrapParams); -@@ -559,7 +566,7 @@ public class SecurityDataProcessor { - } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { - CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored private key with session key"); - try { -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key."); - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, - SymmetricKey.Usage.ENCRYPT, wrapParams); -@@ -599,7 +606,7 @@ public class SecurityDataProcessor { - params.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, - wrapParams.getPayloadWrapAlgorithm().toString()); - -- if ((allowEncDecrypt_recovery == true) || (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE))) { -+ if (encrypted || dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { - params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(false)); - if (wrapParams.getPayloadEncryptionIV() != null) { - params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr); -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index 67f4dc6..64f65a0 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -433,9 +433,16 @@ public class TokenKeyRecoveryService implements IService { - } - } // else, searched by keyid, can't check - -+ Boolean encrypted = keyRecord.isEncrypted(); -+ if (encrypted == null) { -+ // must be an old key record -+ // assume the value of allowEncDecrypt -+ encrypted = allowEncDecrypt_recovery; -+ } -+ - Type keyType = PrivateKey.RSA; - byte wrapped[]; -- if (allowEncDecrypt_recovery == true) { -+ if (encrypted) { - // Unwrap the archived private key - byte privateKeyData[] = null; - privateKeyData = 
recoverKey(params, keyRecord); -@@ -493,7 +500,7 @@ public class TokenKeyRecoveryService implements IService { - privateKeyData, - EncryptionAlgorithm.DES3_CBC_PAD, - algParam); -- } else { //allowEncDecrypt_recovery == false -+ } else { //encrypted == false - PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery); - if (privKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -index b082165..556c4a7 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java -@@ -504,4 +504,13 @@ public class KeyRecord implements IDBObj, IKeyRecord { - - return params; - } -+ -+ public Boolean isEncrypted() throws EBaseException { -+ String encrypted = (String) mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTED); -+ if (encrypted == null) -+ return null; -+ return Boolean.valueOf(encrypted); -+ } -+ -+ - } --- -1.8.3.1 - diff --git a/SOURCES/pki-core-beta.patch b/SOURCES/pki-core-beta.patch deleted file mode 100644 index 6bcf558..0000000 --- a/SOURCES/pki-core-beta.patch +++ /dev/null 
@@ -1,13101 +0,0 @@ -From d4e83335d5ac6a6b39bf5abaa26075a9ec86f6b7 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 18 Apr 2017 08:09:00 +0200 -Subject: [PATCH 01/49] Spawn a CA and KRA on Travis - -Travis CI tests are now using a systemd container to install and run a -389-DS, CA and KRA instance. - -Change-Id: Ibc7d1a6b1e218492a84e88d4339de34b1eb58c7c ---- - .travis.test | 31 ----------------------------- - .travis.yml | 51 +++++++++++++++++++++++++++++++++++++++--------- - .travis/00-init | 36 ++++++++++++++++++++++++++++++++++ - .travis/10-compose-rpms | 31 +++++++++++++++++++++++++++++ - .travis/20-install-rpms | 6 ++++++ - .travis/30-setup-389ds | 12 ++++++++++++ - .travis/40-spawn-ca | 9 +++++++++ - .travis/50-spawn-kra | 9 +++++++++ - .travis/pki.cfg | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ - 9 files changed, 197 insertions(+), 40 deletions(-) - delete mode 100755 .travis.test - create mode 100755 .travis/00-init - create mode 100755 .travis/10-compose-rpms - create mode 100755 .travis/20-install-rpms - create mode 100755 .travis/30-setup-389ds - create mode 100755 .travis/40-spawn-ca - create mode 100755 .travis/50-spawn-kra - create mode 100644 .travis/pki.cfg - -diff --git a/.travis.test b/.travis.test -deleted file mode 100755 -index ca81022..0000000 ---- a/.travis.test -+++ /dev/null -@@ -1,31 +0,0 @@ --#!/bin/bash --set -ex -- --WORKDIR="${BUILDDIR:-/tmp/builddir}" --BUILDUSER=builduser --BUILDUSER_UID=${UID:-1000} --BUILDUSER_GID=${GID:-1000} -- --. 
/etc/os-release -- --echo "$NAME $VERSION $1" -- --## compose_pki_core_packages doesn't run as root, create a build user --groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER} --useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER} -- --## chown workdir and enter pki dir --chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR} --cd ${WORKDIR}/pki -- --## prepare additional build dependencies --dnf copr -y enable @pki/10.4 --dnf builddep -y ./specs/pki-core.spec -- --# update, container might be outdated --dnf update -y -- --## run tox and build --# run make with --quiet to reduce log verbosity. Travis CI has a log limit --# of 10,000 lines. --sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms -diff --git a/.travis.yml b/.travis.yml -index 2e1a69f..b443118 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -5,16 +5,49 @@ services: - - docker - - env: -- - CONTAINER=dogtagpki/pki-ci-containers:f25_104 -- - CONTAINER=dogtagpki/pki-ci-containers:f26_104 -- - CONTAINER=dogtagpki/pki-ci-containers:rawhide -+ global: -+ - CONTAINER=pkitest -+ - SCRIPTDIR=/tmp/workdir/pki/.travis -+ matrix: -+ - IMAGE=dogtagpki/pki-ci-containers:f25_104 -+ # F26 repo is unstable -+ # - IMAGE=dogtagpki/pki-ci-containers:f26_104 -+ # rawhide repo is unstable -+ # - IMAGE=dogtagpki/pki-ci-containers:rawhide - --script: -- - docker pull $CONTAINER -+before_install: -+ - docker pull ${IMAGE} - - > - docker run -+ --detach -+ --name=${CONTAINER} -+ --hostname='pki.test' -+ --privileged -+ --tmpfs /tmp -+ --tmpfs /run -+ -v /sys/fs/cgroup:/sys/fs/cgroup:ro - -v $(pwd):/tmp/workdir/pki -- -e UID=$(id -u) -- -e GID=$(id -g) -- $CONTAINER -- /tmp/workdir/pki/.travis.test $CONTAINER -+ -e BUILDUSER_UID=$(id -u) -+ -e BUILDUSER_GID=$(id -g) -+ -e TRAVIS=${TRAVIS} -+ -e TRAVIS_JOB_NUMBER=${TRAVIS_JOB_NUMBER} -+ -ti -+ ${IMAGE} -+ - docker ps -a -+ -+install: -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/00-init -+ - docker exec -ti ${CONTAINER} 
${SCRIPTDIR}/10-compose-rpms -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/20-install-rpms -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds -+ -+script: -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra -+ -+after_script: -+ - docker kill ${CONTAINER} -+ - docker rm ${CONTAINER} -+ -+after_failure: -+ - journalctl -l -diff --git a/.travis/00-init b/.travis/00-init -new file mode 100755 -index 0000000..1b5aa53 ---- /dev/null -+++ b/.travis/00-init -@@ -0,0 +1,36 @@ -+#!/bin/bash -+set -e -+ -+. /etc/os-release -+ -+echo "$NAME $VERSION" -+ -+if test -z "${BUILDDIR}" || ! test -d "${BUILDDIR}"; then -+ echo "BUILDDIR not set or ${BUILDDIR} is not a directory." -+ exit 1 -+fi -+ -+if test -z "${BUILDUSER}" -o -z "${BUILDUSER_UID}" -o -z "${BUILDUSER_GID}"; then -+ echo "BUILDUSER, BUILDUSER_UID, BUILDUSER_GID not set" -+ exit 2 -+fi -+ -+## compose_pki_core_packages doesn't run as root, create a build user -+groupadd --non-unique -g ${BUILDUSER_GID} ${BUILDUSER} -+useradd --non-unique -u ${BUILDUSER_UID} -g ${BUILDUSER_GID} ${BUILDUSER} -+ -+## chown workdir and enter pki dir -+chown ${BUILDUSER}:${BUILDUSER} ${BUILDDIR} -+ -+# workaround for -+# [Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid' -+rm -f /var/cache/dnf/metadata_lock.pid -+dnf clean all -+dnf makecache || true -+dnf makecache -+ -+# update, container might be outdated -+dnf update -y -+ -+## prepare additional build dependencies -+dnf builddep -y ${BUILDDIR}/pki/specs/pki-core.spec -diff --git a/.travis/10-compose-rpms b/.travis/10-compose-rpms -new file mode 100755 -index 0000000..1e55548 ---- /dev/null -+++ b/.travis/10-compose-rpms -@@ -0,0 +1,31 @@ -+#!/bin/bash -+set -e -+ -+BUILDLOG=/tmp/compose.log -+ -+function compose { -+ pushd ${BUILDDIR}/pki -+ # run make with --quiet to reduce log verbosity. 
-+ sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -- \ -+ ./scripts/compose_pki_core_packages rpms -+ popd -+} -+ -+function upload { -+ if test -f $BUILDLOG; then -+ echo "Uploading build log to transfer" -+ curl --upload-file $BUILDLOG https://transfer.sh/pkitravis.txt -+ fi -+} -+ -+if test "${TRAVIS}" != "true"; then -+ compose -+else -+ trap upload EXIT -+ echo "Runing compose_pki_core_packages rpms." -+ echo "Build log will be posted to transfer.sh" -+ echo $(date) > $BUILDLOG -+ echo "Travis job ${TRAVIS_JOB_NUMBER}" >> $BUILDLOG -+ compose >>$BUILDLOG 2>&1 -+fi -+ -diff --git a/.travis/20-install-rpms b/.travis/20-install-rpms -new file mode 100755 -index 0000000..186efb8 ---- /dev/null -+++ b/.travis/20-install-rpms -@@ -0,0 +1,6 @@ -+#!/bin/bash -+set -e -+ -+find ${BUILDDIR}/packages/RPMS/ -name '*.rpm' -and -not -name '*debuginfo*' \ -+ | xargs dnf install -y --best --allowerasing -+ -diff --git a/.travis/30-setup-389ds b/.travis/30-setup-389ds -new file mode 100755 -index 0000000..cc16573 ---- /dev/null -+++ b/.travis/30-setup-389ds -@@ -0,0 +1,12 @@ -+#!/bin/bash -+set -e -+ -+setup-ds.pl \ -+ --silent \ -+ slapd.ServerIdentifier="pkitest" \ -+ General.SuiteSpotUserID=nobody \ -+ General.SuiteSpotGroup=nobody \ -+ slapd.ServerPort=389 \ -+ slapd.Suffix="dc=pki,dc=test" \ -+ slapd.RootDN="cn=Directory Manager" \ -+ slapd.RootDNPwd="DMSecret.123" -diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca -new file mode 100755 -index 0000000..9986698 ---- /dev/null -+++ b/.travis/40-spawn-ca -@@ -0,0 +1,9 @@ -+#!/bin/bash -+set -e -+ -+pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA -+ -+echo "Waiting for port 8080" -+for i in {1..20}; do -+ curl http://localhost:8080 && break || sleep 1 -+done -diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra -new file mode 100755 -index 0000000..80cb039 ---- /dev/null -+++ b/.travis/50-spawn-kra -@@ -0,0 +1,9 @@ -+#!/bin/bash -+set -e -+ -+pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA -+ -+echo "Waiting 
for port 8080" -+for i in {1..20}; do -+ curl http://localhost:8080 && break || sleep 1 -+done -diff --git a/.travis/pki.cfg b/.travis/pki.cfg -new file mode 100644 -index 0000000..a168822 ---- /dev/null -+++ b/.travis/pki.cfg -@@ -0,0 +1,52 @@ -+# based on -+# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg -+# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/kra.cfg -+ -+[DEFAULT] -+pki_instance_name=pkitest -+pki_https_port=8443 -+pki_http_port=8080 -+pki_master_https_port=8443 -+pki_security_domain_https_port=8443 -+pki_ds_bind_dn=cn=Directory Manager -+pki_ds_ldap_port=389 -+pki_ds_password=DMSecret.123 -+pki_backup_keys=True -+pki_backup_password=Secret.123 -+pki_client_database_password=Secret.123 -+pki_client_database_purge=False -+pki_client_pkcs12_password=Secret.123 -+pki_clone_pkcs12_password=Secret.123 -+pki_security_domain_name=pkitest -+pki_security_domain_user=caadmin -+pki_security_domain_password=Secret.123 -+pki_token_password=Secret123 -+ -+[CA] -+pki_admin_email=caadmin@pki.test -+pki_admin_name=caadmin -+pki_admin_nickname=caadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=caadmin -+pki_ds_base_dn=dc=ca,dc=pki,dc=test -+pki_ds_database=ca -+ -+[KRA] -+pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert -+pki_admin_email=kraadmin@pki.test -+pki_admin_name=kraadmin -+pki_admin_nickname=kraadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=kraadmin -+pki_ds_base_dn=dc=kra,dc=pki,dc=test -+pki_ds_database=kra -+ -+[OCSP] -+pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert -+pki_admin_email=ocspadmin@pki.test -+pki_admin_name=ocspadmin -+pki_admin_nickname=ocspadmin -+pki_admin_password=Secret.123 -+pki_admin_uid=ocspadmin -+pki_ds_base_dn=dc=ocsp,dc=pki,dc=test -+pki_ds_database=ocsp --- -1.8.3.1 - - -From 08edc86f8397543f308818458a320fbbef06c90d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 18 Apr 2017 16:24:53 +0200 -Subject: [PATCH 02/49] Get journald 
output from test container - -Change-Id: Ibc16a49b4a03524fb62ddb33326a36ffa0b0389f -Signed-off-by: Christian Heimes ---- - .travis.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/.travis.yml b/.travis.yml -index b443118..2714bbc 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -50,4 +50,4 @@ after_script: - - docker rm ${CONTAINER} - - after_failure: -- - journalctl -l -+ - docker exec -ti ${CONTAINER} journalctl -l --- -1.8.3.1 - - -From 749c137b59a9725a4cacdcd191b7e931303981df Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 17 Apr 2017 18:35:56 +0200 -Subject: [PATCH 03/49] Fixed missing IP addresses and subject ID in audit log. - -The PKIServerSocketListener has been modified to use WeakHashMap -to store socket info that might not be available after the socket -has been closed. - -https://pagure.io/dogtagpki/issue/2642 - -Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416 ---- - .../dogtagpki/server/PKIServerSocketListener.java | 104 +++++++++++++-------- - 1 file changed, 66 insertions(+), 38 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -index 093776f..d742317 100644 ---- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java -@@ -19,6 +19,9 @@ package org.dogtagpki.server; - - import java.net.InetAddress; - import java.security.Principal; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.WeakHashMap; - - import org.mozilla.jss.crypto.X509Certificate; - import org.mozilla.jss.ssl.SSLAlertDescription; -@@ -38,6 +41,15 @@ public class PKIServerSocketListener implements SSLSocketListener { - - private static Logger logger = LoggerFactory.getLogger(PKIServerSocketListener.class); - -+ /** -+ * The socketInfos map is a storage for socket information that may not be available -+ * after 
the socket has been closed such as client IP address and subject ID. The -+ * WeakHashMap is used here to allow the map key (i.e. the socket object) to be -+ * garbage-collected since there is no guarantee that socket will be closed with an -+ * SSL alert for a proper map entry removal. -+ */ -+ Map> socketInfos = new WeakHashMap<>(); -+ - @Override - public void alertReceived(SSLAlertEvent event) { - try { -@@ -57,9 +69,10 @@ public class PKIServerSocketListener implements SSLSocketListener { - String reason = SSLAlertDescription.valueOf(description).toString(); - - logger.debug("SSL alert received:"); -- logger.debug(" - client: " + clientAddress); -- logger.debug(" - server: " + serverAddress); - logger.debug(" - reason: " + reason); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); - - IAuditor auditor = CMS.getAuditor(); - -@@ -73,7 +86,7 @@ public class PKIServerSocketListener implements SSLSocketListener { - auditor.log(auditMessage); - - } catch (Exception e) { -- e.printStackTrace(); -+ logger.error(e.getMessage(), e); - } - } - -@@ -82,51 +95,59 @@ public class PKIServerSocketListener implements SSLSocketListener { - try { - SSLSocket socket = event.getSocket(); - -- InetAddress clientAddress = socket.getInetAddress(); -- InetAddress serverAddress = socket.getLocalAddress(); -- String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -- String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -- -- SSLSecurityStatus status = socket.getStatus(); -- X509Certificate peerCertificate = status.getPeerCertificate(); -- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -- String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); -- - int description = event.getDescription(); - String reason = SSLAlertDescription.valueOf(description).toString(); - -- logger.debug("SSL alert sent:"); -- logger.debug(" - client: " + clientAddress); -- logger.debug(" - server: " + serverAddress); -- logger.debug(" - reason: " + reason); -- -- IAuditor auditor = CMS.getAuditor(); -+ String eventType; -+ String clientIP; -+ String serverIP; -+ String subjectID; - - if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { - -- String auditMessage = CMS.getLogMessage( -- AuditEvent.ACCESS_SESSION_TERMINATED, -- clientIP, -- serverIP, -- subjectID, -- reason); -+ eventType = AuditEvent.ACCESS_SESSION_TERMINATED; - -- auditor.log(auditMessage); -+ // get socket info from socketInfos map since socket has been closed -+ Map info = socketInfos.get(socket); -+ clientIP = (String)info.get("clientIP"); -+ serverIP = (String)info.get("serverIP"); -+ subjectID = (String)info.get("subjectID"); - - } else { - -- String auditMessage = CMS.getLogMessage( -- AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE, -- clientIP, -- serverIP, -- subjectID, -- reason); -+ eventType = AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE; - -- auditor.log(auditMessage); -+ // get socket info from the socket itself -+ InetAddress clientAddress = socket.getInetAddress(); -+ InetAddress serverAddress = socket.getLocalAddress(); -+ clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); -+ serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); -+ -+ SSLSecurityStatus status = socket.getStatus(); -+ X509Certificate peerCertificate = status.getPeerCertificate(); -+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); -+ subjectID = subjectDN == null ? 
"" : subjectDN.toString(); - } - -+ logger.debug("SSL alert sent:"); -+ logger.debug(" - reason: " + reason); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); -+ -+ IAuditor auditor = CMS.getAuditor(); -+ -+ String auditMessage = CMS.getLogMessage( -+ eventType, -+ clientIP, -+ serverIP, -+ subjectID, -+ reason); -+ -+ auditor.log(auditMessage); -+ - } catch (Exception e) { -- e.printStackTrace(); -+ logger.error(e.getMessage(), e); - } - } - -@@ -146,9 +167,16 @@ public class PKIServerSocketListener implements SSLSocketListener { - String subjectID = subjectDN == null ? "" : subjectDN.toString(); - - logger.debug("Handshake completed:"); -- logger.debug(" - client: " + clientAddress); -- logger.debug(" - server: " + serverAddress); -- logger.debug(" - subject: " + subjectDN); -+ logger.debug(" - client: " + clientIP); -+ logger.debug(" - server: " + serverIP); -+ logger.debug(" - subject: " + subjectID); -+ -+ // store socket info in socketInfos map -+ Map info = new HashMap<>(); -+ info.put("clientIP", clientIP); -+ info.put("serverIP", serverIP); -+ info.put("subjectID", subjectID); -+ socketInfos.put(socket, info); - - IAuditor auditor = CMS.getAuditor(); - -@@ -161,7 +189,7 @@ public class PKIServerSocketListener implements SSLSocketListener { - auditor.log(auditMessage); - - } catch (Exception e) { -- e.printStackTrace(); -+ logger.error(e.getMessage(), e); - } - } - } --- -1.8.3.1 - - -From 786d40f231f3636db381a835ce78904362ea72d0 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 2 Mar 2017 16:32:21 +1000 -Subject: [PATCH 04/49] CMS.getLogMessage: escape format elements in arguments - -CMS.getLogMessage performs message formatting via MessageFormat, -then the message gets logged via a Logger. The Logger also performs -message formatting via MessageFormat. If the formatted log message -contains '{' or '}' (e.g. 
if it contains JSON) the MessageFormat -implementation interprets these as FormatElement delimiters and -parsing fails. - -Update CMS.getLogMessage() to scan arguments for unsafe characters -and if found, escape the whole message so that subsequent logging -will succeed. - -Part of: https://pagure.io/dogtagpki/issue/1359 ---- - .../src/com/netscape/cmscore/apps/CMSEngine.java | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index ef9a6a2..94a0783 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -1592,7 +1592,25 @@ public class CMSEngine implements ICMSEngine { - return msg; - MessageFormat mf = new MessageFormat(msg); - -- return mf.format(params); -+ Object escapedParams[] = new Object[params.length]; -+ for (int i = 0; i < params.length; i++) { -+ if (params[i] instanceof String) -+ escapedParams[i] = escapeLogMessageParam((String) params[i]); -+ else -+ escapedParams[i] = params[i]; -+ } -+ -+ return mf.format(escapedParams); -+ } -+ -+ /** Quote a string for inclusion in a java.text.MessageFormat -+ */ -+ private String escapeLogMessageParam(String s) { -+ if (s == null) -+ return null; -+ if (s.contains("{") || s.contains("}")) -+ return "'" + s.replaceAll("'", "''") + "'"; -+ return s; - } - - public void debug(byte data[]) { --- -1.8.3.1 - - -From a35c6cde1047e305142bec839b8953d90008c127 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 7 Feb 2017 10:36:20 +1000 -Subject: [PATCH 05/49] Allow arbitrary user data in cert request - -If a certificate request comes with additional data in the -'cert-request' query param, add that to the request. Profile -components can then use this data. 
- -This is needed to convey the subject principal name to the -ExternalProcessConstraint, when validating FreeIPA certificate -requests after we switch to GSS-API authentication. - -Part of: https://pagure.io/dogtagpki/issue/1359 ---- - base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java | 5 +++++ - base/common/src/com/netscape/certsrv/request/IRequest.java | 5 +++++ - .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 3 +++ - .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 5 +++++ - 4 files changed, 18 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java -index 1266712..34543cb 100644 ---- a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java -+++ b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java -@@ -180,6 +180,11 @@ public interface IEnrollProfile extends IProfile { - public static final String REQUEST_AUTHORITY_ID = "req_authority_id"; - - /** -+ * Arbitrary user-supplied data. -+ */ -+ public static final String REQUEST_USER_DATA = "req_user_data"; -+ -+ /** - * Set Default X509CertInfo in the request. - * - * @param request profile-based certificate request. -diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java -index a57f08e..cfc4ca0 100644 ---- a/base/common/src/com/netscape/certsrv/request/IRequest.java -+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java -@@ -96,6 +96,11 @@ public interface IRequest extends Serializable { - */ - public static final String AUTHORITY_ID = "req_authority_id"; - -+ /** -+ * Arbitrary user-supplied data that will be saved in request. -+ */ -+ public static final String USER_DATA = "user_data"; -+ - public static final String RESULT = "Result"; // service result. 
- public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value - public static final Integer RES_ERROR = Integer.valueOf(2); // result value -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 5f7b0ef..1c44e2c 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -221,6 +221,9 @@ public abstract class EnrollProfile extends BasicProfile - - // set requested CA - result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); -+ -+ // set user data -+ result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA)); - } - return result; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -index d394fd3..908cbe4 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -@@ -147,6 +147,11 @@ public class EnrollmentProcessor extends CertProcessor { - - IProfileContext ctx = profile.createContext(); - -+ // set arbitrary user data into request, if any -+ String userData = request.getParameter("user-data"); -+ if (userData != null) -+ ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); -+ - if (aid != null) - ctx.set(IEnrollProfile.REQUEST_AUTHORITY_ID, aid.toString()); - --- -1.8.3.1 - - -From f67071910c6b74790f7ad75329f05e599076dee4 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 8 Feb 2017 11:55:13 +1000 -Subject: [PATCH 06/49] CertProcessor: set external principal attributes into - request - -When processing a certificate request, if the authenticated -principal is an ExternalPrincipal, add its whole attribute map to -the IRequest. 
This provides a way for AJP request attributes to be -propagated through the profile system to profile components like -ExternalProcessConstraint. One such attribute that is needed for -GSS-API support is "KRB5CCNAME". - -Part of: https://pagure.io/dogtagpki/issue/1359 ---- - .../netscape/cms/servlet/cert/CertProcessor.java | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index 0534f90..156060a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -18,6 +18,7 @@ - package com.netscape.cms.servlet.cert; - - import java.math.BigInteger; -+import java.security.Principal; - import java.util.Date; - import java.util.Enumeration; - import java.util.HashMap; -@@ -26,6 +27,7 @@ import java.util.Locale; - import javax.servlet.http.HttpServletRequest; - - import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.ExternalAuthToken; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.EPropertyNotFound; -@@ -46,6 +48,7 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestStatus; - import com.netscape.cms.servlet.common.AuthCredentials; - import com.netscape.cms.servlet.processors.CAProcessor; -+import com.netscape.cms.tomcat.ExternalPrincipal; - import com.netscape.cmsutil.ldap.LDAPUtil; - - public class CertProcessor extends CAProcessor { -@@ -139,6 +142,24 @@ public class CertProcessor extends CAProcessor { - } - } - } -+ -+ // special processing of ExternalAuthToken / ExternalPrincipal -+ if (authToken instanceof ExternalAuthToken) { -+ Principal principal = -+ ((ExternalAuthToken) authToken).getPrincipal(); -+ if (principal instanceof 
ExternalPrincipal) { -+ HashMap m = -+ ((ExternalPrincipal) principal).getAttributes(); -+ for (String k : m.keySet()) { -+ req.setExtData( -+ IRequest.AUTH_TOKEN_PREFIX -+ + "." + "PRINCIPAL" -+ + "." + k -+ , m.get(k).toString() -+ ); -+ } -+ } -+ } - } - - /* --- -1.8.3.1 - - -From dcc42ad4ed7fcbc566b7cf7ce1cbfae93b24a9a9 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 7 Dec 2016 15:24:07 +1000 -Subject: [PATCH 07/49] Add ExternalProcessConstraint for request validation - -Add the ExternalProcessConstraint profile policy constraint class. -It can be configured to execute an arbitrary program that performs -additional request validation, rejecting the request if it -terminates with a nonzero exit status. Information about the -request is conveyed in the subprocess' environment. - -Part of: https://pagure.io/dogtagpki/issue/1359 ---- - base/ca/shared/conf/registry.cfg | 5 +- - .../constraint/ExternalProcessConstraint.java | 178 +++++++++++++++++++++ - .../04-AddExternalProcessConstraintToRegistry | 67 ++++++++ - 3 files changed, 249 insertions(+), 1 deletion(-) - create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java - create mode 100755 base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry - -diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg -index 280c713..2855b7a 100644 ---- a/base/ca/shared/conf/registry.cfg -+++ b/base/ca/shared/conf/registry.cfg -@@ -1,5 +1,5 @@ - types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater 
--constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl -+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl - constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint - constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint - constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint -@@ -45,6 +45,9 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr - constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint - constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint - constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint -+constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint -+constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint -+constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint - 
defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl - defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault - defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java -new file mode 100644 -index 0000000..8fb91ab ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java -@@ -0,0 +1,178 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2016, 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cms.profile.constraint; -+ -+import java.io.IOException; -+import java.io.InputStream; -+import java.util.Enumeration; -+import java.util.Locale; -+import java.util.Map; -+import java.util.TreeMap; -+import java.util.concurrent.TimeUnit; -+ -+import org.apache.commons.io.IOUtils; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.profile.EProfileException; -+import com.netscape.certsrv.profile.ERejectException; -+import com.netscape.certsrv.profile.IProfile; -+import com.netscape.certsrv.property.Descriptor; -+import com.netscape.certsrv.property.IDescriptor; -+import com.netscape.certsrv.request.IRequest; -+import com.netscape.cms.profile.input.CertReqInput; -+ -+import netscape.security.x509.X509CertInfo; -+ -+ -+public class ExternalProcessConstraint extends EnrollConstraint { -+ -+ public static final String CONFIG_EXECUTABLE = "executable"; -+ public static final String CONFIG_TIMEOUT = "timeout"; -+ -+ public static final long DEFAULT_TIMEOUT = 10; -+ -+ /* Map of envvars to include, and the corresponding IRequest keys -+ * -+ * All keys will be prefixed with "DOGTAG_" when added to environment. 
-+ */ -+ protected static final Map envVars = new TreeMap<>(); -+ -+ protected Map extraEnvVars = new TreeMap<>(); -+ -+ static { -+ envVars.put("DOGTAG_CERT_REQUEST", CertReqInput.VAL_CERT_REQUEST); -+ envVars.put("DOGTAG_USER", -+ IRequest.AUTH_TOKEN_PREFIX + "." + IAuthToken.USER_ID); -+ envVars.put("DOGTAG_PROFILE_ID", IRequest.PROFILE_ID); -+ envVars.put("DOGTAG_AUTHORITY_ID", IRequest.AUTHORITY_ID); -+ envVars.put("DOGTAG_USER_DATA", IRequest.USER_DATA); -+ } -+ -+ protected String executable; -+ protected long timeout; -+ -+ public ExternalProcessConstraint() { -+ addConfigName(CONFIG_EXECUTABLE); -+ addConfigName(CONFIG_TIMEOUT); -+ } -+ -+ public void init(IProfile profile, IConfigStore config) -+ throws EProfileException { -+ super.init(profile, config); -+ -+ this.executable = getConfig(CONFIG_EXECUTABLE); -+ if (this.executable == null || this.executable.isEmpty()) { -+ throw new EProfileException( -+ "Missing required config param 'executable'"); -+ } -+ -+ timeout = DEFAULT_TIMEOUT; -+ String timeoutConfig = getConfig(CONFIG_TIMEOUT); -+ if (this.executable != null && !this.executable.isEmpty()) { -+ try { -+ timeout = (new Integer(timeoutConfig)).longValue(); -+ } catch (NumberFormatException e) { -+ throw new EProfileException("Invalid timeout value", e); -+ } -+ if (timeout < 1) { -+ throw new EProfileException( -+ "Invalid timeout value: must be positive"); -+ } -+ } -+ -+ IConfigStore envConfig = config.getSubStore("params.env"); -+ Enumeration names = envConfig.getPropertyNames(); -+ while (names.hasMoreElements()) { -+ String name = names.nextElement(); -+ try { -+ extraEnvVars.put(name, envConfig.getString(name)); -+ } catch (EBaseException e) { -+ // shouldn't happen; log and move on -+ CMS.debug( -+ "ExternalProcessConstraint: caught exception processing " -+ + "'params.env' config: " + e -+ ); -+ -+ } -+ } -+ } -+ -+ public IDescriptor getConfigDescriptor(Locale locale, String name) { -+ if (name.equals(CONFIG_EXECUTABLE)) { -+ return new 
Descriptor( -+ IDescriptor.STRING, null, null, "Executable path"); -+ } else if (name.equals(CONFIG_TIMEOUT)) { -+ return new Descriptor( -+ IDescriptor.INTEGER, null, null, "Timeout in seconds"); -+ } else { -+ return null; -+ } -+ } -+ -+ public void validate(IRequest request, X509CertInfo info) -+ throws ERejectException { -+ CMS.debug("About to execute command: " + this.executable); -+ ProcessBuilder pb = new ProcessBuilder(this.executable); -+ -+ // set up process environment -+ Map env = pb.environment(); -+ for (String k : envVars.keySet()) { -+ String v = request.getExtDataInString(envVars.get(k)); -+ if (v != null) -+ env.put(k, v); -+ } -+ for (String k : extraEnvVars.keySet()) { -+ String v = request.getExtDataInString(extraEnvVars.get(k)); -+ if (v != null) -+ env.put(k, v); -+ } -+ -+ Process p; -+ String stdout = ""; -+ String stderr = ""; -+ boolean timedOut; -+ try { -+ p = pb.start(); -+ timedOut = !p.waitFor(timeout, TimeUnit.SECONDS); -+ if (timedOut) -+ p.destroyForcibly(); -+ else -+ stdout = IOUtils.toString(p.getInputStream()); -+ stderr = IOUtils.toString(p.getErrorStream()); -+ } catch (Throwable e) { -+ String msg = -+ "Caught exception while executing command: " + this.executable; -+ CMS.debug(msg); -+ CMS.debug(e); -+ throw new ERejectException(msg, e); -+ } -+ if (timedOut) -+ throw new ERejectException("Request validation timed out"); -+ int exitValue = p.exitValue(); -+ CMS.debug("ExternalProcessConstraint: exit value: " + exitValue); -+ CMS.debug("ExternalProcessConstraint: stdout: " + stdout); -+ CMS.debug("ExternalProcessConstraint: stderr: " + stderr); -+ if (exitValue != 0) -+ throw new ERejectException(stdout); -+ } -+ -+} -diff --git a/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry -new file mode 100755 -index 0000000..a9ee00a ---- /dev/null -+++ b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry -@@ -0,0 +1,67 @@ 
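Review bot: In `init`, the guard around the timeout parsing tests `this.executable` instead of `timeoutConfig`, so a profile that omits the optional `timeout` parameter reaches `new Integer(null)`, which throws NumberFormatException and surfaces as "Invalid timeout value"; as written `DEFAULT_TIMEOUT` is never used. The condition should be `if (timeoutConfig != null && !timeoutConfig.isEmpty()) {`. In `validate`, stdout and stderr are drained only after `waitFor` returns, so a helper that writes more than the pipe buffer blocks on its write until the timeout kills it and the request is rejected as timed out; calling `pb.redirectErrorStream(true)` and reading the stream before `waitFor` avoids that. Because `DOGTAG_CERT_REQUEST` and `DOGTAG_USER_DATA` carry requester-supplied bytes and `pb.environment()` starts from the server's own environment, I would add to the class Javadoc: `The configured executable runs with the CA's environment plus DOGTAG_* variables taken from the request; it must treat those values as untrusted input.`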
-+#!/usr/bin/python -+# Authors: -+# Fraser Tweedale -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. -+ -+from __future__ import absolute_import -+import os.path -+ -+import pki -+from pki.server.upgrade import PKIServerUpgradeScriptlet -+ -+ -+class AddExternalProcessConstraintToRegistry(PKIServerUpgradeScriptlet): -+ -+ new_config = { -+ 'constraintPolicy.externalProcessConstraintImpl.class': -+ 'com.netscape.cms.profile.constraint.ExternalProcessConstraint', -+ 'constraintPolicy.externalProcessConstraintImpl.desc': -+ 'External Process Constraint', -+ 'constraintPolicy.externalProcessConstraintImpl.name': -+ 'External Process Constraint', -+ } -+ -+ constraint_name = 'externalProcessConstraintImpl' -+ -+ def __init__(self): -+ super(AddExternalProcessConstraintToRegistry, self).__init__() -+ self.message = 'Add ExternalProcessConstraint to registry' -+ -+ def upgrade_subsystem(self, instance, subsystem): -+ if subsystem.name == 'ca': -+ self.add_new_entries(instance, subsystem) -+ -+ def add_new_entries(self, instance, subsystem): # pylint: disable=W0613 -+ filename = os.path.join(subsystem.conf_dir, 'registry.cfg') -+ self.backup(filename) -+ -+ properties = pki.PropertyFile(filename) -+ properties.read() -+ -+ # add constraint to constraint list -+ constraints = 
properties.get('constraintPolicy.ids').split(',') -+ if self.constraint_name in constraints: -+ return # update not required -+ -+ constraints.append(self.constraint_name) -+ properties.set('constraintPolicy.ids', ','.join(constraints)) -+ -+ for k, v in self.new_config.items(): -+ properties.set(k, v) -+ -+ properties.write() --- -1.8.3.1 - - -From b099b631bb49e17e0aa4cd8c7a818ba1c923ec92 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 8 Feb 2017 12:18:03 +1000 -Subject: [PATCH 08/49] Add authn manager that reuses auth token from session - -To process a cert request immediately (rather than having it queued -as pending), the user must be authenticated *by the profile*; auth -tokens from the main authentication system are not used. - -For external authentication support it is possible that the external -authentication is sufficient to authenticate use of a problem; -especially when the profile uses componenets like -ExternalProcessConstraint to perform validation of the cert request -against external sources of information. - -To support this use case, add the SessionAuthentication profile -authenticator, which merely reuses the IAuthToken from the session -context, if present. 
- -Part of: https://pagure.io/dogtagpki/issue/1359 ---- - base/ca/shared/conf/CS.cfg | 2 + - .../cms/authentication/SessionAuthentication.java | 167 +++++++++++++++++++++ - base/server/upgrade/10.4.1/.gitignore | 4 + - .../10.4.2/01-AddSessionAuthenticationPlugin | 51 +++++++ - 4 files changed, 224 insertions(+) - create mode 100644 base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java - create mode 100644 base/server/upgrade/10.4.1/.gitignore - create mode 100755 base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index e800360..3923319 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD - auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication - auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication - auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth -+auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication - auths.instance.TokenAuth.pluginName=TokenAuth - auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents - auths.instance.AgentCertAuth.pluginName=AgentCertAuth -@@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth - auths.instance.flatFileAuth.pluginName=FlatFileAuth - auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt - auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth -+auths.instance.SessionAuthentication.pluginName=SessionAuthentication - auths.revocationChecking.bufferSize=50 - auths.revocationChecking.ca=ca - auths.revocationChecking.enabled=true -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java -new 
file mode 100644 -index 0000000..27f08cd ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java -@@ -0,0 +1,167 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cms.authentication; -+ -+import java.util.Collections; -+import java.util.Enumeration; -+import java.util.Locale; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.AuthToken; -+import com.netscape.certsrv.authentication.EMissingCredential; -+import com.netscape.certsrv.authentication.IAuthCredentials; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.profile.IProfile; -+import com.netscape.certsrv.profile.IProfileAuthenticator; -+import com.netscape.certsrv.property.IDescriptor; -+import com.netscape.certsrv.request.IRequest; -+ -+/** -+ * Pull any existing auth token from the session context. -+ * -+ * Use with caution as a profile authenticator; if there is a -+ * session it will unconditionally approve the request -+ * (subject to constraints, etc). 
-+ */ -+public class SessionAuthentication -+ implements IProfileAuthenticator { -+ -+ private String instName = null; -+ private String implName = null; -+ private IConfigStore config = null; -+ -+ public SessionAuthentication() { -+ } -+ -+ public void init(String instName, String implName, IConfigStore config) -+ throws EBaseException { -+ this.instName = instName; -+ this.implName = implName; -+ this.config = config; -+ } -+ -+ /** -+ * Gets the name of this authentication manager. -+ */ -+ public String getName() { -+ return instName; -+ } -+ -+ /** -+ * Gets the plugin name of authentication manager. -+ */ -+ public String getImplName() { -+ return implName; -+ } -+ -+ public boolean isSSLClientRequired() { -+ return false; -+ } -+ -+ /** -+ * Authenticate user. -+ * -+ * @return the auth token from existing session context, if any. -+ * @throws EMissingCredential if no auth token or no session -+ */ -+ public IAuthToken authenticate(IAuthCredentials authCred) -+ throws EMissingCredential { -+ SessionContext context = SessionContext.getExistingContext(); -+ -+ if (context == null) -+ throw new EMissingCredential("SessionAuthentication: no session"); -+ -+ IAuthToken authToken = (IAuthToken) -+ context.get(SessionContext.AUTH_TOKEN); -+ -+ if (authToken == null) -+ throw new EMissingCredential("SessionAuthentication: no auth token"); -+ -+ return authToken; -+ } -+ -+ public String[] getRequiredCreds() { -+ String[] requiredCreds = { }; -+ return requiredCreds; -+ } -+ -+ public String[] getConfigParams() { -+ return null; -+ } -+ -+ /** -+ * prepare this authentication manager for shutdown. 
-+ */ -+ public void shutdown() { -+ } -+ -+ /** -+ * gets the configuretion substore used by this authentication -+ * manager -+ * -+ * @return configuration store -+ */ -+ public IConfigStore getConfigStore() { -+ return config; -+ } -+ -+ // Profile-related methods -+ -+ public void init(IProfile profile, IConfigStore config) { -+ } -+ -+ /** -+ * Retrieves the localizable name of this policy. -+ */ -+ public String getName(Locale locale) { -+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); -+ } -+ -+ /** -+ * Retrieves the localizable description of this policy. -+ */ -+ public String getText(Locale locale) { -+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); -+ } -+ -+ /** -+ * Retrieves a list of names of the value parameter. -+ */ -+ public Enumeration getValueNames() { -+ return Collections.emptyEnumeration(); -+ } -+ -+ public boolean isValueWriteable(String name) { -+ return false; -+ } -+ -+ /** -+ * Retrieves the descriptor of the given value -+ * parameter by name. 
-+ */ -+ public IDescriptor getValueDescriptor(Locale locale, String name) { -+ return null; -+ } -+ -+ public void populate(IAuthToken token, IRequest request) { -+ } -+} -diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.4.1/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin -new file mode 100755 -index 0000000..62d508e ---- /dev/null -+++ b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin -@@ -0,0 +1,51 @@ -+#!/usr/bin/python -+# Authors: -+# Fraser Tweedale -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. 
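Review bot: `getName(Locale)` and `getText(Locale)` return the `CMS_AUTHENTICATION_AGENT_NAME` and `CMS_AUTHENTICATION_AGENT_TEXT` messages, so wherever the profile UI shows an authenticator's localized name this plugin will presumably be labelled as the agent authenticator, hiding exactly what the class Javadoc warns about; dedicated keys such as `CMS_AUTHENTICATION_SESSION_NAME`/`CMS_AUTHENTICATION_SESSION_TEXT` would make the behaviour visible to the administrator. Separately, `authenticate` ignores `authCred` and returns whatever `IAuthToken` is present in `SessionContext` without checking which authentication manager produced it, so I would extend the class Javadoc with: `Any token found in the session is accepted regardless of the auth manager that created it; profiles using this authenticator must rely on constraints (e.g. ExternalProcessConstraint) for request validation.`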
-+ -+from __future__ import absolute_import -+import os.path -+ -+import pki -+from pki.server.upgrade import PKIServerUpgradeScriptlet -+ -+ -+class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet): -+ def __init__(self): -+ super(AddSessionAuthenticationPlugin, self).__init__() -+ self.message = 'Add SessionAuthentication to CS.cfg' -+ -+ def upgrade_subsystem(self, instance, subsystem): -+ if subsystem.name == 'ca': -+ self.add_plugin(instance, subsystem) -+ -+ def add_plugin(self, instance, subsystem): # pylint: disable=W0613 -+ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') -+ self.backup(filename) -+ -+ properties = pki.PropertyFile(filename) -+ properties.read() -+ -+ properties.set( -+ 'auths.impl.SessionAuthentication.class', -+ 'com.netscape.cms.authentication.SessionAuthentication') -+ properties.set( -+ 'auths.instance.SessionAuthentication.pluginName', -+ 'SessionAuthentication') -+ -+ properties.write() --- -1.8.3.1 - - -From b9dc595806abb17f34a679976122e526bdc29de8 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 18 Apr 2017 16:46:12 -0400 -Subject: [PATCH 09/49] Modify cert clients to check server for wrapping params - -CRMFPopClient and the pki cert client both can send a CRMF request -to a CA directly. Logic is added to check the CA for the required -KRA wrapping params and use those in place of any that have been -provided by the environment or command line. - -Also, additional data for the supported KRA keyset has been added to -the CAInfoService. This will need to be managed by the admin. The -default is "1" which corresponds to AES. 
- -Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4 ---- - base/common/src/org/dogtagpki/common/CAInfo.java | 16 +++++ - .../src/com/netscape/cmstools/CRMFPopClient.java | 71 ++++++++++++++++++++-- - .../cmstools/client/ClientCertRequestCLI.java | 32 ++++++---- - .../org/dogtagpki/server/rest/CAInfoService.java | 10 +++ - 4 files changed, 110 insertions(+), 19 deletions(-) - -diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java -index 89255ed..f21dcd0 100644 ---- a/base/common/src/org/dogtagpki/common/CAInfo.java -+++ b/base/common/src/org/dogtagpki/common/CAInfo.java -@@ -54,6 +54,7 @@ public class CAInfo extends ResourceMessage { - } - - String archivalMechanism; -+ String wrappingKeySet; - - @XmlElement(name="ArchivalMechanism") - public String getArchivalMechanism() { -@@ -64,11 +65,21 @@ public class CAInfo extends ResourceMessage { - this.archivalMechanism = archivalMechanism; - } - -+ @XmlElement(name="WrappingKeySet") -+ public String getWrappingKeySet() { -+ return wrappingKeySet; -+ } -+ -+ public void setWrappingKeySet(String wrappingKeySet) { -+ this.wrappingKeySet = wrappingKeySet; -+ } -+ - @Override - public int hashCode() { - final int prime = 31; - int result = super.hashCode(); - result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); -+ result = prime * result + ((wrappingKeySet == null) ? 
0 : wrappingKeySet.hashCode()); - return result; - } - -@@ -86,6 +97,11 @@ public class CAInfo extends ResourceMessage { - return false; - } else if (!archivalMechanism.equals(other.archivalMechanism)) - return false; -+ if (wrappingKeySet == null) { -+ if (other.wrappingKeySet != null) -+ return false; -+ } else if (!wrappingKeySet.equals(other.wrappingKeySet)) -+ return false; - return true; - } - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 5d9f7f1..0168503 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse; - import org.apache.http.client.methods.HttpGet; - import org.apache.http.impl.client.DefaultHttpClient; - import org.apache.http.util.EntityUtils; -+import org.dogtagpki.common.CAInfo; -+import org.dogtagpki.common.CAInfoClient; - import org.dogtagpki.common.KRAInfoResource; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.ASN1Util; -@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name; - import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; - import org.mozilla.jss.util.Password; - -+import com.netscape.certsrv.base.PKIException; -+import com.netscape.certsrv.client.ClientConfig; -+import com.netscape.certsrv.client.PKIClient; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; - import com.netscape.cmsutil.util.HMACDigest; -@@ -187,6 +192,10 @@ public class CRMFPopClient { - option.setArgName("keyWrap"); - options.addOption(option); - -+ option = new Option("w", true, "Wrapping Keyset"); -+ option.setArgName("keySet"); -+ options.addOption(option); -+ - options.addOption("v", "verbose", false, "Run in verbose mode."); - options.addOption(null, "help", false, "Show help message."); - -@@ -218,6 +227,7 @@ public class CRMFPopClient { - 
System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); - System.out.println(" - true: use a key wrapping algorithm"); - System.out.println(" - false: use an encryption algorithm"); -+ System.out.println(" -w Key set ID to use when wrapping the private key"); - System.out.println(" -b PEM transport certificate (default: transport.txt)"); - System.out.println(" -v, --verbose Run in verbose mode."); - System.out.println(" --help Show help message."); -@@ -310,6 +320,7 @@ public class CRMFPopClient { - int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); - int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); - -+ // get the key wrapping mechanism - boolean keyWrap = true; - if (cmd.hasOption("g")) { - keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); -@@ -319,6 +330,10 @@ public class CRMFPopClient { - keyWrap = Boolean.parseBoolean(useKeyWrap); - } - } -+ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : -+ KRAInfoResource.ENCRYPT_MECHANISM; -+ -+ String wrappingKeySet = cmd.getOptionValue("w"); - - String output = cmd.getOptionValue("o"); - -@@ -326,6 +341,16 @@ public class CRMFPopClient { - String username = cmd.getOptionValue("u"); - String requestor = cmd.getOptionValue("r"); - -+ if (hostPort != null) { -+ if (cmd.hasOption("g") || cmd.hasOption("w")) { -+ printError("Wrapping Key Set (-g) and keywrap (-w) options should " + -+ "not be specified when hostport is specified. " + -+ "CRMFPopClient will contact the server to " + -+ "determine the correct values for these parameters"); -+ System.exit(1); -+ } -+ } -+ - if (subjectDN == null) { - printError("Missing subject DN"); - System.exit(1); -@@ -458,11 +483,41 @@ public class CRMFPopClient { - String kid = CryptoUtil.byte2string(id); - System.out.println("Keypair private key id: " + kid); - -- String archivalMechanism = keyWrap ? 
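Review bot: The usage error in the new `hostPort` check has its option letters swapped: per the option definitions earlier in this file `-g` is the keyWrap flag and `-w` is the wrapping key set, but the message reads "Wrapping Key Set (-g) and keywrap (-w)". It should read `printError("Key wrap (-g) and wrapping key set (-w) options should " +`. As written a user who passes `-g` with a host:port is pointed at the wrong flag.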
KRAInfoResource.KEYWRAP_MECHANISM : -- KRAInfoResource.ENCRYPT_MECHANISM; -+ if (hostPort != null) { -+ // check the CA for the required keyset and archival mechanism -+ // if found, override whatever has been set by the command line -+ // options or environment for archivalMechanism and wrappingKeySet -+ -+ ClientConfig config = new ClientConfig(); -+ String host = hostPort.substring(0, hostPort.indexOf(':')); -+ int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1)); -+ config.setServerURL("http", host, port); -+ -+ PKIClient pkiclient = new PKIClient(config); -+ -+ // get archival mechanism -+ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); -+ try { -+ CAInfo info = infoClient.getInfo(); -+ archivalMechanism = info.getArchivalMechanism(); -+ wrappingKeySet = info.getWrappingKeySet(); -+ } catch (PKIException e) { -+ if (e.getCode() == 404) { -+ // assume this is an older server, -+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ wrappingKeySet = "0"; -+ } else { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -+ } -+ } catch (Exception e) { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -+ } -+ } -+ - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest( -- token, transportCert, algorithm, keyPair, subject, archivalMechanism); -+ token, transportCert, algorithm, keyPair, -+ subject, archivalMechanism, wrappingKeySet); - - ProofOfPossession pop = null; - -@@ -572,11 +627,15 @@ public class CRMFPopClient { - String algorithm, - KeyPair keyPair, - Name subject, -- String archivalMechanism) throws Exception { -+ String archivalMechanism, -+ String wrappingKeySet) throws Exception { - EncryptionAlgorithm encryptAlg = null; -- String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); - -- if (keyset != null && keyset.equalsIgnoreCase("0")) { -+ if (wrappingKeySet == 
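Review bot: The new block fetches the archival mechanism and wrapping key set from the CA over `config.setServerURL("http", host, port)`, an unauthenticated plaintext connection, and `createCertRequest` in the following hunk selects `EncryptionAlgorithm.DES3_CBC` whenever `wrappingKeySet` is "0". An on-path attacker who answers that GET, or simply returns a 404 to trigger the `wrappingKeySet = "0"` fallback, can therefore steer the client to the legacy Triple-DES wrapping with no user-visible warning; the private key is still wrapped to the transport certificate, but the algorithm choice should not be downgradable this way. I would retrieve the info over https (the CA's secure port) and print a notice in the fallback path, e.g. `System.out.println("WARNING: CA did not report wrapping parameters; using legacy key set 0 (3DES)");`. Also, `hostPort.indexOf(':')` is -1 when a bare host is given, so the two `substring` calls throw StringIndexOutOfBoundsException instead of a usage error.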
null) { -+ wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET"); -+ } -+ -+ if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) { - // talking to an old server? - encryptAlg = EncryptionAlgorithm.DES3_CBC; - } else { -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -index 8ca857b..696ab8b 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -@@ -29,6 +29,7 @@ import java.util.Vector; - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; - import org.apache.commons.io.FileUtils; -+import org.dogtagpki.common.CAInfo; - import org.dogtagpki.common.CAInfoClient; - import org.dogtagpki.common.KRAInfoResource; - import org.mozilla.jss.CryptoManager; -@@ -39,6 +40,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest; - import org.mozilla.jss.pkix.crmf.ProofOfPossession; - import org.mozilla.jss.pkix.primitive.Name; - -+import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.cert.CertClient; - import com.netscape.certsrv.cert.CertEnrollmentRequest; - import com.netscape.certsrv.cert.CertRequestInfos; -@@ -250,23 +252,26 @@ public class ClientCertRequestCLI extends CLI { - // get archival mechanism - CAInfoClient infoClient = new CAInfoClient(client, "ca"); - String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ String wrappingKeySet = "1"; - try { -- archivalMechanism = infoClient.getInfo().getArchivalMechanism(); -- } catch (Exception e) { -- // this could be an older server, check for environment variable. 
-- String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); -- if (useKeyWrapping != null) { -- if (Boolean.parseBoolean(useKeyWrapping)) { -- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -- } else { -- archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM; -- } -+ CAInfo info = infoClient.getInfo(); -+ archivalMechanism = info.getArchivalMechanism(); -+ wrappingKeySet = info.getWrappingKeySet(); -+ } catch (PKIException e) { -+ if (e.getCode() == 404) { -+ // assume this is an older server, -+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ wrappingKeySet = "0"; -+ } else { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } -+ } catch (Exception e) { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } - - csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, - algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, -- archivalMechanism); -+ archivalMechanism, wrappingKeySet); - - } else { - throw new Exception("Unknown request type: " + requestType); -@@ -408,7 +413,8 @@ public class ClientCertRequestCLI extends CLI { - int sensitive, - int extractable, - boolean withPop, -- String archivalMechanism -+ String archivalMechanism, -+ String wrappingKeySet - ) throws Exception { - - CryptoManager manager = CryptoManager.getInstance(); -@@ -430,7 +436,7 @@ public class ClientCertRequestCLI extends CLI { - } - - CertRequest certRequest = client.createCertRequest( -- token, transportCert, algorithm, keyPair, subject, archivalMechanism); -+ token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet); - - ProofOfPossession pop = null; - if (withPop) { -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -index 975ad61..f4724a6 100644 ---- 
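Review bot: The 404 branch silently pins `wrappingKeySet = "0"`, which in `CRMFPopClient.createCertRequest` selects the legacy Triple-DES wrapping, and the `KEY_ARCHIVAL_USE_KEY_WRAPPING` environment override that the previous code consulted for older servers is no longer honoured, so against a pre-CAInfo server the user can neither see nor change the downgrade. A notice in that branch, e.g. `System.err.println("CA does not publish wrapping parameters; using legacy key set 0");`, would at least make it visible. The enclosing method starts and ends outside this hunk.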
a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
-@@ -50,6 +50,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
- if (archivalMechanism != null)
- info.setArchivalMechanism(getArchivalMechanism());
-
-+ info.setWrappingKeySet(getWrappingKeySet());
-+
- return createOKResponse(info);
- }
-
-@@ -61,4 +63,12 @@ public class CAInfoService extends PKIService implements CAInfoResource {
- boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
- return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
- }
-+
-+ String getWrappingKeySet() throws EBaseException {
-+ IConfigStore cs = CMS.getConfigStore();
-+ boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
-+ if (!kra_present) return null;
-+
-+ return cs.getString("kra.wrappingKeySet", "1");
-+ }
- }
---
-1.8.3.1
-
-
-From 316e20d2e39542bcb2d2043f36633dc7b779c61b Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Wed, 19 Apr 2017 14:19:37 -0400
-Subject: [PATCH 10/49] Make sure connection is always closed
-
-When an exception is thrown, the connection is currently
-not closed, leading to Invalid State exceptions when the
-next connection is attempted. This resolves this issue.
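Review bot: `getWrappingKeySet` reads `kra.wrappingKeySet` from the CA's own config store with a hard default of "1", and nothing in the code records that this value is only advertised, not verified against the KRA; the commit message says the admin must manage it, which belongs in the source. I would add above the method: `/** Wrapping key set advertised to clients for KRA archival. Read from the CA's CS.cfg (kra.wrappingKeySet, default "1"), so the administrator must keep it in sync with the KRA; returns null when no KRA connector is enabled. */`. The unconditional `info.setWrappingKeySet(...)` call is fine because the null case is handled inside the getter, but a one-line comment saying so would save the next reader from comparing it with the guarded `setArchivalMechanism` call above it.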
- -Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb ---- - .../com/netscape/certsrv/client/PKIConnection.java | 30 ++++++++++++++-------- - 1 file changed, 20 insertions(+), 10 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -index d5e4c00..d655023 100644 ---- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java -+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -@@ -429,23 +429,33 @@ public class PKIConnection { - } - - public T getEntity(Response response, Class clazz) { -- Family family = response.getStatusInfo().getFamily(); -- if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { -- if (response.hasEntity()) return response.readEntity(clazz); -+ try { -+ Family family = response.getStatusInfo().getFamily(); -+ if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { -+ if (response.hasEntity()) -+ return response.readEntity(clazz); -+ return null; -+ } -+ handleErrorResponse(response); - return null; -+ } finally { -+ response.close(); - } -- handleErrorResponse(response); -- return null; - } - - public T getEntity(Response response, GenericType clazz) { -- Family family = response.getStatusInfo().getFamily(); -- if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { -- if (response.hasEntity()) return response.readEntity(clazz); -+ try { -+ Family family = response.getStatusInfo().getFamily(); -+ if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { -+ if (response.hasEntity()) -+ return response.readEntity(clazz); -+ return null; -+ } -+ handleErrorResponse(response); - return null; -+ } finally { -+ response.close(); - } -- handleErrorResponse(response); -- return null; - } - - private void handleErrorResponse(Response response) { --- -1.8.3.1 - - -From 7033c5208fd315e9fd1c76d1755d1f7fd2bbf17a Mon Sep 17 
00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 19 Apr 2017 23:40:43 +0200 -Subject: [PATCH 12/49] Added AuditEvent.setParameters(). - -A new method has been added to set AuditEvent's parameters. - -Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714 ---- - base/common/src/com/netscape/certsrv/logging/AuditEvent.java | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 716e0d4..72c93f8 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -387,6 +387,13 @@ public class AuditEvent implements IBundleLogEvent { - } - - /** -+ * Sets audit event's parameters. -+ */ -+ public void setParameters(Object[] params) { -+ mParams = params; -+ } -+ -+ /** - * Returns localized message string. This method should - * only be called if a localized string is necessary. - *

    --- -1.8.3.1 - - -From 6817c67bc93e99f36c79838fffc08145e6599580 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 19 Apr 2017 21:35:09 +0200 -Subject: [PATCH 14/49] Updated default SSL connection timeout. - -The default SSL connection timeout has been changed to 5 minutes -to improve PKI console usability. - -https://pagure.io/dogtagpki/issue/2643 - -Change-Id: I905ca855285ddd655d965488b175c2d11fe407fd ---- - base/server/tomcat7/conf/server.xml | 2 +- - base/server/tomcat8/conf/server.xml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml -index cc3160d..35bd7a4 100644 ---- a/base/server/tomcat7/conf/server.xml -+++ b/base/server/tomcat7/conf/server.xml -@@ -187,7 +187,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - --> - -Date: Thu, 20 Apr 2017 01:06:18 +0200 -Subject: [PATCH 15/49] Fixed SSL connection timeouts. - -The connectionTimeout parameter has been restored to 80 seconds. -The keepAliveTimeout parameter has been set to 5 minutes. - -https://pagure.io/dogtagpki/issue/2643 - -Change-Id: I05bca0284ad946d833ed144e2f93a4ef4b9b6f0f ---- - base/server/tomcat7/conf/server.xml | 3 ++- - base/server/tomcat8/conf/server.xml | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml -index 35bd7a4..2db8bca 100644 ---- a/base/server/tomcat7/conf/server.xml -+++ b/base/server/tomcat7/conf/server.xml -@@ -187,7 +187,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - --> - -Date: Thu, 20 Apr 2017 01:03:29 +0200 -Subject: [PATCH 16/49] Refactored line concatenation. - -The code that concatenates lines has been simplified using -String.replace(). 
- -Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea ---- - .../cms/profile/updater/SubsystemGroupUpdater.java | 11 +++-------- - .../netscape/cms/servlet/csadmin/RegisterUser.java | 14 ++++---------- - .../cms/servlet/processors/CAProcessor.java | 21 ++++----------------- - .../servlet/profile/ProfileSubmitCMCServlet.java | 10 ++-------- - 4 files changed, 13 insertions(+), 43 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -index 7daa8e4..4ecc255 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -@@ -175,14 +175,9 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - byte[] certEncoded = cert.getEncoded(); - b64 = CMS.BtoA(certEncoded).trim(); - -- // extract all line separators -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < b64.length(); i++) { -- if (!Character.isWhitespace(b64.charAt(i))) { -- sb.append(b64.charAt(i)); -- } -- } -- b64 = sb.toString(); -+ // concatenate lines -+ b64 = b64.replace("\r", "").replace("\n", ""); -+ - } catch (Exception ence) { - CMS.debug("SubsystemGroupUpdater update: user cert encoding failed: " + ence); - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -index f02932e..77ef4d8 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -@@ -27,8 +27,6 @@ import javax.servlet.ServletException; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.security.x509.X509CertImpl; -- - import org.w3c.dom.Node; - - import com.netscape.certsrv.apps.CMS; -@@ -49,6 
+47,8 @@ import com.netscape.cms.servlet.common.ICMSTemplateFiller; - import com.netscape.cmsutil.util.Utils; - import com.netscape.cmsutil.xml.XMLObject; - -+import netscape.security.x509.X509CertImpl; -+ - /** - * This servlet creates a TPS user in the CA, - * and it associates TPS's server certificate to -@@ -207,14 +207,8 @@ public class RegisterUser extends CMSServlet { - audit(auditMessage); - } - -- // extract all line separators -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < certsString.length(); i++) { -- if (!Character.isWhitespace(certsString.charAt(i))) { -- sb.append(certsString.charAt(i)); -- } -- } -- certsString = sb.toString(); -+ // concatenate lines -+ certsString = certsString.replace("\r", "").replace("\n", ""); - - auditParams = "Scope;;certs+Operation;;OP_ADD+source;;RegisterUser" + - "+Resource;;" + uid + -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 8c4fef1..4bc738c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -1024,15 +1024,8 @@ public class CAProcessor extends Processor { - - base64Data = Utils.base64encode(rawData).trim(); - -- // extract all line separators from the "base64Data" -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < base64Data.length(); i++) { -- if (!Character.isWhitespace(base64Data.charAt(i))) { -- sb.append(base64Data.charAt(i)); -- -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { -@@ -1180,14 +1173,8 @@ public class CAProcessor extends Processor { - - base64Data = Utils.base64encode(rawData).trim(); - -- // extract all line separators from the "base64Data" -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < base64Data.length(); i++) { -- 
if (!Character.isWhitespace(base64Data.charAt(i))) { -- sb.append(base64Data.charAt(i)); -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index fd155a6..83bab5b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -928,14 +928,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - base64Data = Utils.base64encode(rawData).trim(); - -- // extract all line separators from the "base64Data" -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < base64Data.length(); i++) { -- if (!Character.isWhitespace(base64Data.charAt(i))) { -- sb.append(base64Data.charAt(i)); -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { --- -1.8.3.1 - - -From 6bb1757a035d3439a65aa604a19dcdf48b7b2dbc Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 05:01:57 +0200 -Subject: [PATCH 17/49] Refactored additional line concatenation. - -The code that concatenates lines has been simplified using -String.replace(). 
- -Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74 ---- - .../src/com/netscape/kra/EnrollmentService.java | 12 ++++------ - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 26 ++++----------------- - .../cms/servlet/admin/CMSAdminServlet.java | 11 ++------- - .../netscape/cms/servlet/cert/EnrollServlet.java | 27 ++++++++-------------- - .../cms/servlet/connector/ConnectorServlet.java | 11 ++------- - .../cms/servlet/request/ProcessCertReq.java | 11 ++------- - 6 files changed, 25 insertions(+), 73 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index 381fee8..a200c34 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -24,7 +24,6 @@ import java.security.InvalidKeyException; - import java.security.PublicKey; - import java.security.cert.CertificateException; - import java.util.Arrays; --import java.util.StringTokenizer; - import java.util.Vector; - - import org.mozilla.jss.asn1.ASN1Util; -@@ -917,7 +916,7 @@ public class EnrollmentService implements IService { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - -- StringBuffer key = new StringBuffer(); -+ String key = ""; - - // convert "rawData" into "base64Data" - if (rawData != null) { -@@ -925,13 +924,10 @@ public class EnrollmentService implements IService { - - base64Data = CMS.BtoA(rawData).trim(); - -- // extract all line separators from the "base64Data" -- StringTokenizer st = new StringTokenizer(base64Data, "\r\n"); -- while (st.hasMoreTokens()) { -- key.append(st.nextToken()); -- } -+ // concatenate lines -+ key = base64Data.replace("\r", "").replace("\n", ""); - } -- String checkKey = key.toString().trim(); -+ String checkKey = key.trim(); - if (checkKey.equals("")) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } else { -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java 
b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 1df04db..ec920e6 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -136,7 +136,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - public IRequestListener mReqInQListener = null; - - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -- private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", "; - /** - * Constructs an escrow authority. -@@ -1713,16 +1712,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - // convert "rawData" into "base64Data" - if (rawData != null) { - String base64Data = CMS.BtoA(rawData).trim(); -- StringBuffer key = new StringBuffer(); - -- // extract all line separators from the "base64Data" -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- key.append(base64Data.substring(i, i)); -- } -- } -- -- return key.toString(); -+ // concatenate lines -+ return base64Data.replace("\r", "").replace("\n", ""); - } - - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -@@ -1757,23 +1749,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - } - - String key = null; -- StringBuffer tempBuffer = new StringBuffer(); -+ - // convert "rawData" into "base64Data" - if (rawData != null) { - String base64Data = null; - - base64Data = CMS.BtoA(rawData).trim(); - -- // extract all line separators from the "base64Data" -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- tempBuffer.append(base64Data.substring(i, i)); -- } -- } -- } -- -- if (tempBuffer.length() > 0) { -- key = tempBuffer.toString(); -+ // concatenate lines -+ key = base64Data.replace("\r", "").replace("\n", ""); - } - - if (key != null) { -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index 229c377..e5a1474 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -105,7 +105,6 @@ public final class CMSAdminServlet extends AdminServlet { - private final static String PROP_INTERNAL_DB = "internaldb"; - - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -- private final static byte EOL[] = { Character.LINE_SEPARATOR }; - - // CMS must be instantiated before this admin servlet. - -@@ -3390,7 +3389,6 @@ public final class CMSAdminServlet extends AdminServlet { - rawData = object.getPublic().getEncoded(); - - String key = null; -- StringBuffer sb = new StringBuffer(); - - // convert "rawData" into "base64Data" - if (rawData != null) { -@@ -3398,14 +3396,9 @@ public final class CMSAdminServlet extends AdminServlet { - - base64Data = Utils.base64encode(rawData).trim(); - -- // extract all line separators from the "base64Data" -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- sb.append(base64Data.substring(i, i)); -- } -- } -+ // concatenate lines -+ key = base64Data.replace("\r", "").replace("\n", ""); - } -- key = sb.toString(); - - if (key != null) { - key = key.trim(); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -index 3757967..6f01d2a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -@@ -35,14 +35,6 @@ import javax.servlet.http.HttpServletResponse; - - import org.dogtagpki.legacy.policy.IPolicyProcessor; - --import netscape.security.pkcs.PKCS10; --import netscape.security.x509.AlgorithmId; --import 
netscape.security.x509.CertificateAlgorithmId; --import netscape.security.x509.CertificateX509Key; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; --import netscape.security.x509.X509Key; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.IAuthSubsystem; -@@ -78,6 +70,14 @@ import com.netscape.cms.servlet.processors.PKCS10Processor; - import com.netscape.cms.servlet.processors.PKIProcessor; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.CertificateAlgorithmId; -+import netscape.security.x509.CertificateX509Key; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+import netscape.security.x509.X509Key; -+ - /** - * Submit a Certificate Enrollment request - * -@@ -138,7 +138,6 @@ public class EnrollServlet extends CMSServlet { - "racertbasedenrollment"; - private final static String EE_RA_ENROLLMENT_SERVLET = - "raenrollment"; -- private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { - - /* 0 */"automated non-profile cert request rejection: " -@@ -1732,14 +1731,8 @@ public class EnrollServlet extends CMSServlet { - - base64Data = Utils.base64encode(rawData).trim(); - -- StringBuffer sb = new StringBuffer(); -- // extract all line separators from the "base64Data" -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- sb.append(base64Data.substring(i, i)); -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java 
b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index 13c732b..9c75cc1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -98,7 +98,6 @@ public class ConnectorServlet extends CMSServlet { - - protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl"; -- private final static byte EOL[] = { Character.LINE_SEPARATOR }; - - public ConnectorServlet() { - } -@@ -1101,14 +1100,8 @@ public class ConnectorServlet extends CMSServlet { - - base64Data = Utils.base64encode(rawData).trim(); - -- StringBuffer sb = new StringBuffer(); -- // extract all line separators from the "base64Data" -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- sb.append(base64Data.substring(i, i)); -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -index d15774e..9d0da48 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -@@ -118,7 +118,6 @@ public class ProcessCertReq extends CMSServlet { - private final static String SIGNED_AUDIT_CANCELLATION = "cancel"; - private final static String SIGNED_AUDIT_CLONING = "clone"; - private final static String SIGNED_AUDIT_REJECTION = "reject"; -- private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String[] SIGNED_AUDIT_MANUAL_CANCELLATION_REASON = new String[] { - - /* 0 */"manual non-profile cert request cancellation: " -@@ -1840,14 +1839,8 @@ public class 
ProcessCertReq extends CMSServlet { - - base64Data = Utils.base64encode(rawData).trim(); - -- // extract all line separators from the "base64Data" -- StringBuffer sb = new StringBuffer(); -- for (int i = 0; i < base64Data.length(); i++) { -- if (base64Data.substring(i, i).getBytes() != EOL) { -- sb.append(base64Data.substring(i, i)); -- } -- } -- cert = sb.toString(); -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); - } - - if (cert != null) { --- -1.8.3.1 - - -From 17e71d3ec1f52cc2e13590499dd70c5932885b20 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 09:56:16 +0200 -Subject: [PATCH 18/49] Added AdminServlet.audit(AuditEvent). - -A new audit() methods have been added to log AuditEvents in -AdminServlet. - -Change-Id: I92a259363bdda553621491e46122365c7097946a ---- - .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index 089fcbe..16a2e39 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -1024,6 +1024,16 @@ public class AdminServlet extends HttpServlet { - auditor.log(msg); - } - -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ - /** - * Signed Audit Log Subject ID - * --- -1.8.3.1 - - -From 4a28ac15f5552d6594b6f6bb58af8f076ab5c46f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 03:43:06 +0200 -Subject: [PATCH 19/49] Refactored CAProcessor.auditInfoCertValue(). 
- -The auditInfoCertValue(IRequest) in CAProcessor has been merged -into auditInfoCertValue(X509CertImpl) since they are identical. - -Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca ---- - .../netscape/cms/servlet/cert/CertProcessor.java | 8 +-- - .../cms/servlet/processors/CAProcessor.java | 57 ---------------------- - 2 files changed, 5 insertions(+), 60 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index 156060a..c16d8e0 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.ERejectException; -+import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; - import com.netscape.certsrv.profile.IProfileContext; -@@ -51,6 +52,8 @@ import com.netscape.cms.servlet.processors.CAProcessor; - import com.netscape.cms.tomcat.ExternalPrincipal; - import com.netscape.cmsutil.ldap.LDAPUtil; - -+import netscape.security.x509.X509CertImpl; -+ - public class CertProcessor extends CAProcessor { - - public CertProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException { -@@ -217,7 +220,6 @@ public class CertProcessor extends CAProcessor { - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; -- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - String errorCode = null; - String errorReason = null; - -@@ -244,8 +246,8 @@ public class CertProcessor extends CAProcessor { - profile.submit(authToken, req); - req.setRequestStatus(RequestStatus.COMPLETE); - 
-- // reset the "auditInfoCertValue" -- auditInfoCertValue = auditInfoCertValue(req); -+ X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -+ String auditInfoCertValue = auditInfoCertValue(x509cert); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 4bc738c..a98d555 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -53,7 +53,6 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; --import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -985,62 +984,6 @@ public class CAProcessor extends Processor { - return requesterID; - } - -- /** -- * Signed Audit Log Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param request request containing an X509CertImpl -- * @return cert string containing the certificate -- */ -- protected String auditInfoCertValue(IRequest request) { -- // if no signed audit object exists, bail -- if (signedAuditLogger == null) { -- return null; -- } -- -- X509CertImpl x509cert = request.getExtDataInCert( -- IEnrollProfile.REQUEST_ISSUED_CERT); -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } -- - protected String auditSubjectID() { - // if no signed audit object exists, bail - if (signedAuditLogger == null) { --- -1.8.3.1 - - -From 41fcfc470c6462bc069774c74ecfe2fe09cf6ac3 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 04:24:18 +0200 -Subject: [PATCH 20/49] Refactored ConnectorServlet.auditInfoCertValue(). - -The ConnectorServlet.auditInfoCertValue() has been refactored to -accept X509CertImpl like CAProcessor.auditInfoCertValue(). 
- -Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33 ---- - .../cms/servlet/connector/ConnectorServlet.java | 20 ++++++++------------ - 1 file changed, 8 insertions(+), 12 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index 9c75cc1..6732e92 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -424,9 +424,6 @@ public class ConnectorServlet extends CMSServlet { - String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - String subject = null; - -- // additional parms for LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED -- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- - // "normalize" the "auditSubjectID" - if (auditSubjectID != null) { - auditSubjectID = auditSubjectID.trim(); -@@ -622,8 +619,9 @@ public class ConnectorServlet extends CMSServlet { - queue.processRequest(thisreq); - - if (isProfileRequest(thisreq)) { -- // reset the "auditInfoCertValue" -- auditInfoCertValue = auditInfoCertValue(thisreq); -+ -+ X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -+ String auditInfoCertValue = auditInfoCertValue(x509cert); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( -@@ -643,8 +641,9 @@ public class ConnectorServlet extends CMSServlet { - } - } catch (EBaseException eAudit1) { - if (isProfileRequest(thisreq)) { -- // reset the "auditInfoCertValue" -- auditInfoCertValue = auditInfoCertValue(thisreq); -+ -+ X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -+ String auditInfoCertValue = auditInfoCertValue(x509cert); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( -@@ -1068,18 +1067,15 @@ public class ConnectorServlet extends CMSServlet { - * "X509CertImpl" 
for a signed audit log message. - *

    - * -- * @param request a Request containing an X509CertImpl -+ * @param x509cert an X509CertImpl - * @return cert string containing the certificate - */ -- private String auditInfoCertValue(IRequest request) { -+ private String auditInfoCertValue(X509CertImpl x509cert) { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - -- X509CertImpl x509cert = request.getExtDataInCert( -- IEnrollProfile.REQUEST_ISSUED_CERT); -- - if (x509cert == null) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } --- -1.8.3.1 - - -From e74fca2ced2416d656a09613e6e56657f4f88d20 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 04:29:40 +0200 -Subject: [PATCH 21/49] Refactored - ProfileSubmitCMCServlet.auditInfoCertValue(). - -The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified -to accept X509CertImpl like CAProcessor.auditInfoCertValue(). - -Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b ---- - .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 83bab5b..c3ada9a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -642,7 +642,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; -- String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - - try { - /////////////////////////////////////////////// -@@ -672,8 +671,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - profile.submit(authToken, reqs[k]); - reqs[k].setRequestStatus(RequestStatus.COMPLETE); 
- -- // reset the "auditInfoCertValue" -- auditInfoCertValue = auditInfoCertValue(reqs[k]); -+ X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -+ String auditInfoCertValue = auditInfoCertValue(x509cert); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( -@@ -777,8 +776,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - profile.getRequestQueue().markAsServiced(provedReq); - CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); - -- // reset the "auditInfoCertValue" -- auditInfoCertValue = auditInfoCertValue(reqs[0]); -+ X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -+ String auditInfoCertValue = auditInfoCertValue(x509cert); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( -@@ -896,18 +895,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - * "X509CertImpl" for a signed audit log message. - *

    - * -- * @param request request containing an X509CertImpl -+ * @param x509cert an X509CertImpl - * @return cert string containing the certificate - */ -- private String auditInfoCertValue(IRequest request) { -+ private String auditInfoCertValue(X509CertImpl x509cert) { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - -- X509CertImpl x509cert = request.getExtDataInCert( -- IEnrollProfile.REQUEST_ISSUED_CERT); -- - if (x509cert == null) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } --- -1.8.3.1 - - -From ba32351d7c362e6b0e313cde0929c56f3f55ec5f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 21 Apr 2017 05:04:05 +0200 -Subject: [PATCH 22/49] Fixed missing IAuditor.log(AuditEvent). - -The IAuditor has been modified to define a log() method for -AuditEvent object. - -Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9 ---- - base/common/src/com/netscape/certsrv/logging/IAuditor.java | 2 ++ - base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java | 3 ++- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java -index 216015f..9521228 100644 ---- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java -+++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java -@@ -73,4 +73,6 @@ public interface IAuditor { - * Log audit message. 
- */ - public void log(String message); -+ -+ public void log(AuditEvent event); - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -index 48dfe3a..8962561 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java -@@ -220,7 +220,8 @@ public class Auditor implements IAuditor { - message); - } - -- protected void audit(AuditEvent event) { -+ @Override -+ public void log(AuditEvent event) { - - String template = event.getMessage(); - Object[] params = event.getParameters(); --- -1.8.3.1 - - -From fcbabc0ce929d91f63098bba4867d102ac04ead0 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 19 Apr 2017 08:50:06 +0200 -Subject: [PATCH 23/49] Python 3 support and Travis testing - -Fix Python 3 support for pkispawn: Config values are text values. Therefore -the config file has to be written as text file. - -Test Python 3 support in Travis CI. The little script py3rewrite copies -pki.server Python files and rewrites pkispawn and pkidestroy to use -Python 3. 
- -Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf -Signed-off-by: Christian Heimes ---- - .travis.yml | 7 +++++ - .travis/40-spawn-ca | 2 +- - .travis/50-spawn-kra | 2 +- - .travis/99-destroy | 11 ++++++++ - .travis/py3rewrite | 46 +++++++++++++++++++++++++++++++ - base/server/python/pki/server/__init__.py | 4 +-- - 6 files changed, 68 insertions(+), 4 deletions(-) - create mode 100755 .travis/99-destroy - create mode 100755 .travis/py3rewrite - -diff --git a/.travis.yml b/.travis.yml -index 2714bbc..54ae884 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -44,6 +44,13 @@ install: - script: - - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca - - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy -+ # copy pki.server for Python 3 and rewrite pkispawn/pkidestroy shebang -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/py3rewrite -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra -+ - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy - - after_script: - - docker kill ${CONTAINER} -diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca -index 9986698..d6771db 100755 ---- a/.travis/40-spawn-ca -+++ b/.travis/40-spawn-ca -@@ -1,7 +1,7 @@ - #!/bin/bash - set -e - --pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA -+pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA - - echo "Waiting for port 8080" - for i in {1..20}; do -diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra -index 80cb039..93f2f4c 100755 ---- a/.travis/50-spawn-kra -+++ b/.travis/50-spawn-kra -@@ -1,7 +1,7 @@ - #!/bin/bash - set -e - --pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA -+pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA - - echo "Waiting for port 8080" - for i in {1..20}; do -diff --git a/.travis/99-destroy b/.travis/99-destroy -new file mode 100755 -index 
0000000..d2fb1ad ---- /dev/null -+++ b/.travis/99-destroy -@@ -0,0 +1,11 @@ -+#!/bin/bash -+set -e -+ -+if [ -d /etc/pki/pkitest/kra ]; then -+ pkidestroy -v -i pkitest -s KRA -+fi -+ -+pkidestroy -v -i pkitest -s CA -+ -+remove-ds.pl -f -i slapd-pkitest -+ -diff --git a/.travis/py3rewrite b/.travis/py3rewrite -new file mode 100755 -index 0000000..f8a208d ---- /dev/null -+++ b/.travis/py3rewrite -@@ -0,0 +1,46 @@ -+#!/usr/bin/python3 -+import os -+import shutil -+ -+from distutils.sysconfig import get_python_lib -+ -+ -+BUILDDIR = os.environ['BUILDDIR'] -+PKIBASE = os.path.join(BUILDDIR, 'pki', 'base') -+PKICLIENT = os.path.join(PKIBASE, 'common', 'python', 'pki') -+PKISERVER = os.path.join(PKIBASE, 'server', 'python', 'pki', 'server') -+PKISBIN = os.path.join(PKIBASE, 'server', 'sbin') -+ -+SITEPACKAGES = get_python_lib() -+ -+ -+def copyscript(src, dst): -+ with open(src) as f: -+ lines = f.readlines() -+ lines[0] = '#!/usr/bin/python3\n' -+ with open(dst, 'w') as f: -+ os.fchmod(f.fileno(), 0o755) -+ f.writelines(lines) -+ -+ -+def copyfiles(): -+ shutil.rmtree(os.path.join(SITEPACKAGES, 'pki')) -+ shutil.copytree( -+ PKICLIENT, -+ os.path.join(SITEPACKAGES, 'pki') -+ ) -+ shutil.copytree( -+ PKISERVER, -+ os.path.join(SITEPACKAGES, 'pki', 'server') -+ ) -+ copyscript( -+ os.path.join(PKISBIN, 'pkispawn'), -+ '/usr/sbin/pkispawn' -+ ) -+ copyscript( -+ os.path.join(PKISBIN, 'pkidestroy'), -+ '/usr/sbin/pkidestroy' -+ ) -+ -+if __name__ == '__main__': -+ copyfiles() -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 8898654..46c6711 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -296,9 +296,9 @@ class PKISubsystem(object): - - def save(self): - sorted_config = sorted(self.config.items(), key=operator.itemgetter(0)) -- with io.open(self.cs_conf, 'wb') as f: -+ with io.open(self.cs_conf, 'w') as f: - for (key, value) in sorted_config: -- 
f.write('%s=%s\n' % (key, value)) -+ f.write(u'%s=%s\n' % (key, value)) - - def is_valid(self): - return os.path.exists(self.conf_dir) --- -1.8.3.1 - - -From ce3304834dbb3e4d001ecbbfc1af61044ae7a74c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 09:52:32 +0200 -Subject: [PATCH 24/49] Added AuthSuccessEvent. - -A new AuthSuccessEvent class of has been added to encapsulate the -AUTH_SUCCESS events. - -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3 ---- - .../certsrv/logging/event/AuthSuccessEvent.java | 39 ++++++++++++++++++++++ - .../cms/src/com/netscape/cms/realm/PKIRealm.java | 16 ++++----- - .../netscape/cms/servlet/admin/AdminServlet.java | 21 +++++------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 9 ++--- - .../cms/servlet/processors/CAProcessor.java | 17 +++------- - 5 files changed, 61 insertions(+), 41 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java -new file mode 100644 -index 0000000..5d4f973 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java -@@ -0,0 +1,39 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class AuthSuccessEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public AuthSuccessEvent( -+ String subjectID, -+ String outcome, -+ String authManagerID) { -+ -+ super(AUTH_SUCCESS); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ authManagerID -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -index bcd3ff8..81de9fb 100644 ---- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -60,14 +61,11 @@ public class PKIRealm extends RealmBase { - authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); - auditSubjectID = authToken.getInString(IAuthToken.USER_ID); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ audit(new AuthSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, -- IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); -+ IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID)); - -- 
audit(auditMessage); - return getPrincipal(username, authToken); - - } catch (Throwable e) { -@@ -120,14 +118,12 @@ public class PKIRealm extends RealmBase { - auditSubjectID = authToken.getInString(IAuthToken.USER_ID); - - CMS.debug("PKIRealm: User ID: " + username); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ -+ audit(new AuthSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, -- IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); -+ IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)); - -- audit(auditMessage); - return getPrincipal(username, authToken); - - } catch (Throwable e) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index 16a2e39..d530f6a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -35,8 +35,6 @@ import javax.servlet.http.HttpServlet; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.security.x509.X509CertImpl; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.IAuthCredentials; - import com.netscape.certsrv.authentication.IAuthManager; -@@ -54,12 +52,15 @@ import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IUGSubsystem; - import com.netscape.certsrv.usrgrp.IUser; - import com.netscape.cms.servlet.base.UserInfo; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.x509.X509CertImpl; -+ - /** - * A class represents an administration servlet that - * is responsible to 
serve administrative -@@ -524,23 +525,17 @@ public class AdminServlet extends HttpServlet { - sc.put(SessionContext.LOCALE, locale); - - if (authType.equals("sslclientauth")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ -+ audit(new AuthSuccessEvent( - auditSubjectID(), - ILogger.SUCCESS, -- CERTUSERDB); -+ CERTUSERDB)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ audit(new AuthSuccessEvent( - auditSubjectID(), - ILogger.SUCCESS, -- PASSWDUSERDB); -- -- audit(auditMessage); -+ PASSWDUSERDB)); - } - } catch (IOException eAudit1) { - if (authType.equals("sslclientauth")) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index a007a00..9168870 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -1789,14 +1790,10 @@ public abstract class CMSServlet extends HttpServlet { - // reset the "auditSubjectID" - auditSubjectID = auditSubjectID(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ audit(new AuthSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditAuthMgrID); -- -- audit(auditMessage); -+ auditAuthMgrID)); - - return authToken; - } catch (EBaseException 
eAudit1) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index a98d555..93d6a9a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -520,14 +521,10 @@ public class CAProcessor extends Processor { - - authSubjectID = authSubjectID + " : " + uid_cred; - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ audit(new AuthSuccessEvent( - authSubjectID, - ILogger.SUCCESS, -- authMgrID); -- -- audit(auditMessage); -+ authMgrID)); - } - endTiming("profile_authentication"); - return authToken; -@@ -655,14 +652,10 @@ public class CAProcessor extends Processor { - // reset the "auditSubjectID" - auditSubjectID = auditSubjectID(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_SUCCESS, -+ audit(new AuthSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditAuthMgrID); -- -- audit(auditMessage); -+ auditAuthMgrID)); - - return authToken; - } catch (EBaseException eAudit1) { --- -1.8.3.1 - - -From 0de8be3084c4ccf23c2850331f86fc067e7c8383 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 10:07:44 +0200 -Subject: [PATCH 25/49] Added AuthFailEvent. - -A new AuthFailEvent class of has been added to encapsulate the -AUTH_FAIL events. 
- -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b ---- - .../certsrv/logging/event/AuthFailEvent.java | 41 +++++++++ - .../cms/src/com/netscape/cms/realm/PKIRealm.java | 22 +++-- - .../netscape/cms/servlet/admin/AdminServlet.java | 96 ++++++++-------------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 11 ++- - .../cms/servlet/processors/CAProcessor.java | 27 +++--- - 5 files changed, 102 insertions(+), 95 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java -new file mode 100644 -index 0000000..a2c7d8d ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java -@@ -0,0 +1,41 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class AuthFailEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public AuthFailEvent( -+ String subjectID, -+ String outcome, -+ String authManagerID, -+ String attemptedUID) { -+ -+ super(AUTH_FAIL); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ authManagerID, -+ attemptedUID -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -index 81de9fb..8306193 100644 ---- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java -@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -45,7 +46,7 @@ public class PKIRealm extends RealmBase { - @Override - public Principal authenticate(String username, String password) { - CMS.debug("PKIRealm: Authenticating user " + username + " with password."); -- String auditMessage = null; -+ - String auditSubjectID = ILogger.UNIDENTIFIED; - String attemptedAuditUID = username; - -@@ -69,14 +70,13 @@ public class PKIRealm extends RealmBase { - return getPrincipal(username, authToken); - - } catch (Throwable e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - auditSubjectID, - ILogger.FAILURE, - IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID, -- attemptedAuditUID); -- audit(auditMessage); -+ 
attemptedAuditUID)); -+ - e.printStackTrace(); - } - -@@ -87,7 +87,6 @@ public class PKIRealm extends RealmBase { - public Principal authenticate(final X509Certificate certs[]) { - CMS.debug("PKIRealm: Authenticating certificate chain:"); - -- String auditMessage = null; - // get the cert from the ssl client auth - // in cert based auth, subject id from cert has already passed SSL authentication - // what remains is to see if the user exists in the internal user db -@@ -127,14 +126,13 @@ public class PKIRealm extends RealmBase { - return getPrincipal(username, authToken); - - } catch (Throwable e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - auditSubjectID, - ILogger.FAILURE, - IAuthSubsystem.CERTUSERDB_AUTHMGR_ID, -- attemptedAuditUID); -- audit(auditMessage); -+ attemptedAuditUID)); -+ - e.printStackTrace(); - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index d530f6a..a715c73 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -274,7 +275,6 @@ public class AdminServlet extends HttpServlet { - protected void authenticate(HttpServletRequest req) throws - IOException { - -- String auditMessage = null; - String auditUID = ILogger.UNIDENTIFIED; - String authType = ""; - -@@ -297,15 +297,12 @@ public class 
AdminServlet extends HttpServlet { - (X509Certificate[]) req.getAttribute(CERT_ATTR); - - if (allCerts == null || allCerts.length == 0) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -- -- audit(auditMessage); -+ auditUID)); - - throw new IOException("No certificate"); - } -@@ -389,25 +386,20 @@ public class AdminServlet extends HttpServlet { - */ - - if (authType.equals("sslclientauth")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -+ auditUID)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -- auditUID); -- -- audit(auditMessage); -+ auditUID)); - } - - throw new IOException("authentication failed"); -@@ -423,25 +415,20 @@ public class AdminServlet extends HttpServlet { - tuserid)); - - if (authType.equals("sslclientauth")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -+ auditUID)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -- auditUID); -- -- audit(auditMessage); -+ auditUID)); - } - - throw new IOException("authentication failed"); -@@ -459,25 +446,20 @@ public class AdminServlet extends HttpServlet { - tuserid)); - - if (authType.equals("sslclientauth")) { -- // store a 
message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -+ auditUID)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -- auditUID); -- -- audit(auditMessage); -+ auditUID)); - } - - throw new IOException("authentication failed"); -@@ -495,25 +477,20 @@ public class AdminServlet extends HttpServlet { - CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); - - if (authType.equals("sslclientauth")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -+ auditUID)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -- auditUID); -- -- audit(auditMessage); -+ auditUID)); - } - - throw new IOException("authentication failed"); -@@ -539,25 +516,20 @@ public class AdminServlet extends HttpServlet { - } - } catch (IOException eAudit1) { - if (authType.equals("sslclientauth")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - CERTUSERDB, -- auditUID); -+ auditUID)); - -- audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - ILogger.UNIDENTIFIED, - ILogger.FAILURE, - PASSWDUSERDB, -- auditUID); -- -- audit(auditMessage); -+ 
auditUID)); - } - - // rethrow the specific exception to be handled later -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index 9168870..c23b9d1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; -@@ -1701,7 +1702,7 @@ public abstract class CMSServlet extends HttpServlet { - */ - public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName) - throws EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = ILogger.UNIDENTIFIED; - String auditAuthMgrID = ILogger.UNIDENTIFIED; - String auditUID = ILogger.UNIDENTIFIED; -@@ -1797,14 +1798,12 @@ public abstract class CMSServlet extends HttpServlet { - - return authToken; - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditAuthMgrID, -- auditUID); -- audit(auditMessage); -+ auditUID)); - - // rethrow the specific exception to be handled later - throw eAudit1; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 93d6a9a..a28bee1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ 
b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; -@@ -474,7 +475,7 @@ public class CAProcessor extends Processor { - - String authSubjectID = auditSubjectID(); - String authMgrID = authenticator.getName(); -- String auditMessage = null; -+ - try { - if (isRenewal) { - authToken = authenticate(authenticator, request, origReq, context, credentials); -@@ -486,13 +487,12 @@ public class CAProcessor extends Processor { - CMS.debug("CAProcessor: authentication error: " + e); - - authSubjectID += " : " + uid_cred; -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - authSubjectID, - ILogger.FAILURE, - authMgrID, -- uid_attempted_cred); -- audit(auditMessage); -+ uid_attempted_cred)); - - throw e; - -@@ -500,13 +500,12 @@ public class CAProcessor extends Processor { - CMS.debug(e); - - authSubjectID += " : " + uid_cred; -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - authSubjectID, - ILogger.FAILURE, - authMgrID, -- uid_attempted_cred); -- audit(auditMessage); -+ uid_attempted_cred)); - - throw e; - } -@@ -565,7 +564,7 @@ public class CAProcessor extends Processor { - - public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName) - throws EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = ILogger.UNIDENTIFIED; - String auditAuthMgrID = ILogger.UNIDENTIFIED; - String auditUID = ILogger.UNIDENTIFIED; -@@ -659,14 +658,12 @@ public class CAProcessor extends Processor 
{ - - return authToken; - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTH_FAIL, -+ -+ audit(new AuthFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditAuthMgrID, -- auditUID); -- audit(auditMessage); -+ auditUID)); - - // rethrow the specific exception to be handled later - throw eAudit1; --- -1.8.3.1 - - -From fdcb514b0711f10eab47c81837138192207e44b4 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 16:30:18 +0200 -Subject: [PATCH 26/49] Added AuthzSuccessEvent. - -A new AuthzSuccessEvent class of has been added to encapsulate the -AUTHZ_SUCCESS events. - -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5 ---- - .../certsrv/logging/event/AuthzSuccessEvent.java | 59 ++++++++++++++++++++++ - .../netscape/cms/servlet/admin/AdminServlet.java | 9 ++-- - .../com/netscape/cms/servlet/base/CMSServlet.java | 18 +++---- - .../cms/servlet/processors/CAProcessor.java | 18 +++---- - .../org/dogtagpki/server/rest/ACLInterceptor.java | 27 +++++----- - 5 files changed, 89 insertions(+), 42 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java -new file mode 100644 -index 0000000..05e505c ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java -@@ -0,0 +1,59 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class AuthzSuccessEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public AuthzSuccessEvent( -+ String subjectID, -+ String outcome, -+ String aclResource, -+ String operation) { -+ -+ super(AUTHZ_SUCCESS); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ aclResource, -+ operation -+ }); -+ } -+ -+ public AuthzSuccessEvent( -+ String subjectID, -+ String outcome, -+ String aclResource, -+ String operation, -+ String info) { -+ -+ super(AUTHZ_SUCCESS_INFO); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ aclResource, -+ operation, -+ info -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index a715c73..adf9424 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import 
com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IUGSubsystem; - import com.netscape.certsrv.usrgrp.IUser; -@@ -676,15 +677,11 @@ public class AdminServlet extends HttpServlet { - return null; - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS, -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index c23b9d1..c70f55a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -1822,14 +1823,12 @@ public abstract class CMSServlet extends HttpServlet { - try { - authzToken = mAuthz.authorize(authzMgrName, authToken, exp); - if (authzToken != null) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -1955,15 +1954,12 @@ public abstract class CMSServlet extends HttpServlet { - operation); - - if (authzTok != null) { -- // 
store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index a28bee1..8760caf 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -707,14 +708,12 @@ public class CAProcessor extends Processor { - try { - authzToken = authz.authorize(authzMgrName, authToken, exp); - if (authzToken != null) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -839,15 +838,12 @@ public class CAProcessor extends Processor { - operation); - - if (authzTok != null) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - auditACLResource, -- auditOperation); -- 
-- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -index 331bae1..490eaed 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.cms.realm.PKIPrincipal; - - /** -@@ -189,15 +190,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - // If still not available, it's unprotected, allow request. - if (!authzRequired) { - CMS.debug("ACLInterceptor: No ACL mapping; authz not required."); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS_INFO, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - null, //resource - null, //operation -- LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo); //info -- audit(auditMessage); -+ LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo)); //info -+ - return; - } - -@@ -230,14 +230,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - // If no property defined, allow request. 
- if (value == null) { - CMS.debug("ACLInterceptor: No ACL configuration."); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS_INFO, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - null, //resource - null, //operation -- LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo); -+ LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo)); -+ - return; - } - -@@ -317,15 +317,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - } - - // Allow request. -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_SUCCESS_INFO, -+ -+ audit(new AuthzSuccessEvent( - auditSubjectID, - ILogger.SUCCESS, - values[0], // resource - values[1], // operation -- auditInfo); -- audit(auditMessage); -+ auditInfo)); -+ - return; - } - --- -1.8.3.1 - - -From 30d1575046065dbd79f537e5f819c405e45af0bc Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 16:49:28 +0200 -Subject: [PATCH 27/49] Added AuthzFailEvent. - -A new AuthzFailEvent class of has been added to encapsulate the -AUTHZ_FAIL events. 
- -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c ---- - .../certsrv/logging/event/AuthzFailEvent.java | 59 ++++++++++++++++++++++ - .../netscape/cms/servlet/admin/AdminServlet.java | 26 +++------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 44 ++++++---------- - .../cms/servlet/processors/CAProcessor.java | 35 +++++-------- - .../org/dogtagpki/server/rest/ACLInterceptor.java | 52 ++++++++----------- - 5 files changed, 118 insertions(+), 98 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java -new file mode 100644 -index 0000000..1e44919 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java -@@ -0,0 +1,59 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class AuthzFailEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public AuthzFailEvent( -+ String subjectID, -+ String outcome, -+ String aclResource, -+ String operation) { -+ -+ super(AUTHZ_FAIL); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ aclResource, -+ operation -+ }); -+ } -+ -+ public AuthzFailEvent( -+ String subjectID, -+ String outcome, -+ String aclResource, -+ String operation, -+ String info) { -+ -+ super(AUTHZ_FAIL_INFO); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ aclResource, -+ operation, -+ info -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index adf9424..ecc6a7d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -611,15 +612,11 @@ public class AdminServlet extends HttpServlet { - } catch (EAuthzAccessDenied e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- 
audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -634,15 +631,11 @@ public class AdminServlet extends HttpServlet { - } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -655,15 +648,12 @@ public class AdminServlet extends HttpServlet { - - return null; - } catch (Exception e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index c70f55a..afb109a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; -@@ -1839,14 +1840,12 @@ public abstract class CMSServlet 
extends HttpServlet { - - audit(auditMessage); - } else { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - auditMessage = CMS.getLogMessage( - AuditEvent.ROLE_ASSUME, -@@ -1858,14 +1857,12 @@ public abstract class CMSServlet extends HttpServlet { - } - return authzToken; - } catch (Exception e) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - auditMessage = CMS.getLogMessage( - AuditEvent.ROLE_ASSUME, -@@ -1970,15 +1967,12 @@ public abstract class CMSServlet extends HttpServlet { - - audit(auditMessage); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -1992,15 +1986,12 @@ public abstract class CMSServlet extends HttpServlet { - - return authzTok; - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -2013,15 +2004,12 @@ public abstract class CMSServlet extends HttpServlet { - - return null; - } catch (Exception eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new 
AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 8760caf..1d04f3a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; -+import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; -@@ -724,14 +725,12 @@ public class CAProcessor extends Processor { - - audit(auditMessage); - } else { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - auditMessage = CMS.getLogMessage( - AuditEvent.ROLE_ASSUME, -@@ -743,14 +742,12 @@ public class CAProcessor extends Processor { - } - return authzToken; - } catch (EBaseException e) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - auditMessage = CMS.getLogMessage( - AuditEvent.ROLE_ASSUME, -@@ -854,15 +851,12 @@ public class CAProcessor extends Processor { - - audit(auditMessage); - } else { -- // store a message in the signed audit log file 
-- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -876,15 +870,12 @@ public class CAProcessor extends Processor { - - return authzTok; - } catch (Exception eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - auditACLResource, -- auditOperation); -- -- audit(auditMessage); -+ auditOperation)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -index 490eaed..b4f75f1 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java -@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.ForbiddenException; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; - import com.netscape.cms.realm.PKIPrincipal; - -@@ -108,7 +109,6 @@ public class ACLInterceptor implements ContainerRequestFilter { - String auditInfo = clazz.getSimpleName() + "." 
+ method.getName(); - - CMS.debug("ACLInterceptor: " + auditInfo + "()"); -- String auditMessage = null; - String auditSubjectID = ILogger.UNIDENTIFIED; - - /* -@@ -174,14 +174,13 @@ public class ACLInterceptor implements ContainerRequestFilter { - CMS.debug("ACLInterceptor: No authentication token present."); - // store a message in the signed audit log file - // although if it didn't pass authentication, it should not have gotten here -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - null, // resource - null, // operation -- LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo); -- audit(auditMessage); -+ LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo)); -+ - throw new ForbiddenException("No authorization token present."); - } - if (authToken != null) -@@ -213,16 +212,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - value = properties.getProperty(name); - - } catch (IOException e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - null, //resource - null, //operation -- LOGGING_ACL_PARSING_ERROR + ":" + auditInfo); -+ LOGGING_ACL_PARSING_ERROR + ":" + auditInfo)); - -- audit(auditMessage); - e.printStackTrace(); - throw new Failure(e); - } -@@ -246,16 +243,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - // If invalid mapping, reject request. 
- if (values.length != 2) { - CMS.debug("ACLInterceptor: Invalid ACL mapping."); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - null, //resource - null, //operation -- LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo); -+ LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo)); - -- audit(auditMessage); - throw new ForbiddenException("Invalid ACL mapping."); - } - -@@ -273,15 +268,14 @@ public class ACLInterceptor implements ContainerRequestFilter { - if (authzToken == null) { - String info = "No authorization token present."; - CMS.debug("ACLInterceptor: " + info); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - values[0], // resource - values[1], // operation -- info); -- audit(auditMessage); -+ info)); -+ - throw new ForbiddenException("No authorization token present."); - } - -@@ -290,28 +284,26 @@ public class ACLInterceptor implements ContainerRequestFilter { - } catch (EAuthzAccessDenied e) { - String info = e.getMessage(); - CMS.debug("ACLInterceptor: " + info); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - values[0], // resource - values[1], // operation -- info); -- audit(auditMessage); -+ info)); -+ - throw new ForbiddenException(e.toString()); - - } catch (EBaseException e) { - String info = e.getMessage(); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.AUTHZ_FAIL_INFO, -+ -+ audit(new AuthzFailEvent( - auditSubjectID, - ILogger.FAILURE, - values[0], // resource - values[1], // operation -- info); -- audit(auditMessage); -+ info)); -+ - e.printStackTrace(); - throw new Failure(e); - } --- 
-1.8.3.1 - - -From aad80e8775eac61ed9eac2f3f94d2ec90207e827 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 20 Apr 2017 10:20:06 +0200 -Subject: [PATCH 28/49] Added RoleAssumeEvent. - -A new RoleAssumeEvent class of has been added to encapsulate the -ROLE_ASSUME events. - -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9 ---- - .../certsrv/logging/event/RoleAssumeEvent.java | 39 +++++++++++++++ - .../netscape/cms/servlet/admin/AdminServlet.java | 35 ++++---------- - .../com/netscape/cms/servlet/base/CMSServlet.java | 56 +++++++--------------- - .../servlet/csadmin/SecurityDomainProcessor.java | 15 +++--- - .../cms/servlet/processors/CAProcessor.java | 48 ++++++------------- - 5 files changed, 88 insertions(+), 105 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java -new file mode 100644 -index 0000000..2715893 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java -@@ -0,0 +1,39 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class RoleAssumeEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public RoleAssumeEvent( -+ String subjectID, -+ String outcome, -+ String groups) { -+ -+ super(ROLE_ASSUME); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ groups -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index ecc6a7d..662a3e9 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; -+import com.netscape.certsrv.logging.event.RoleAssumeEvent; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IUGSubsystem; - import com.netscape.certsrv.usrgrp.IUser; -@@ -573,7 +574,7 @@ public class AdminServlet extends HttpServlet { - * @return the authorization token - */ - protected AuthzToken authorize(HttpServletRequest req) { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -@@ -618,14 +619,10 @@ public class AdminServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ 
auditGroups(auditSubjectID))); - - return null; - } catch (EBaseException e) { -@@ -637,14 +634,10 @@ public class AdminServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return null; - } catch (Exception e) { -@@ -655,14 +648,10 @@ public class AdminServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return null; - } -@@ -673,14 +662,10 @@ public class AdminServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return authzTok; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index afb109a..9dc7470 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -70,6 +70,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; -+import com.netscape.certsrv.logging.event.RoleAssumeEvent; - import 
com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -1815,7 +1816,7 @@ public abstract class CMSServlet extends HttpServlet { - public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken, - String exp) throws EBaseException { - AuthzToken authzToken = null; -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String auditGroupID = auditGroupID(); - String auditACLResource = resource; -@@ -1831,14 +1832,11 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditGroupID); -+ auditGroupID)); - -- audit(auditMessage); - } else { - - audit(new AuthzFailEvent( -@@ -1847,13 +1845,10 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroupID); -- -- audit(auditMessage); -+ auditGroupID)); - } - return authzToken; - } catch (Exception e) { -@@ -1864,13 +1859,11 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroupID); -+ auditGroupID)); - -- audit(auditMessage); - throw new EBaseException(e.toString()); - } - } -@@ -1900,7 +1893,7 @@ public abstract class CMSServlet extends HttpServlet { - public AuthzToken authorize(String authzMgrName, IAuthToken authToken, - String resource, String operation) - throws EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String auditGroupID 
= auditGroupID(); - String auditID = auditSubjectID; -@@ -1958,14 +1951,11 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.SUCCESS, -- auditGroups(auditSubjectID)); -+ auditGroups(auditSubjectID))); - -- audit(auditMessage); - } else { - - audit(new AuthzFailEvent( -@@ -1974,14 +1964,10 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - } - - return authzTok; -@@ -1993,14 +1979,10 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return null; - } catch (Exception eAudit1) { -@@ -2011,14 +1993,10 @@ public abstract class CMSServlet extends HttpServlet { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return null; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -index cd769db..dc28a7c 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.UnauthorizedException; - import com.netscape.certsrv.ldap.ILdapConnFactory; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.RoleAssumeEvent; - import com.netscape.certsrv.system.DomainInfo; - import com.netscape.certsrv.system.InstallToken; - import com.netscape.certsrv.system.SecurityDomainHost; -@@ -89,22 +90,19 @@ public class SecurityDomainProcessor extends CAProcessor { - CMS.debug("SecurityDomainProcessor: group: " + group); - - if (!ugSubsystem.isMemberOf(user, group)) { -- String message = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ -+ audit(new RoleAssumeEvent( - user, - ILogger.FAILURE, -- group); -- audit(message); -+ group)); - - throw new UnauthorizedException("User " + user + " is not a member of " + group + " group."); - } - -- String message = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - user, - ILogger.SUCCESS, -- group); -- audit(message); -+ group)); - - String ip = ""; - try { -@@ -123,6 +121,7 @@ public class SecurityDomainProcessor extends CAProcessor { - - ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable(); - int status = ctable.addEntry(sessionID, ip, user, group); -+ String message; - - if (status == ISecurityDomainSessionTable.SUCCESS) { - message = CMS.getLogMessage( -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 1d04f3a..74f501f 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -57,6 +57,7 @@ import 
com.netscape.certsrv.logging.event.AuthFailEvent; - import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.logging.event.AuthzFailEvent; - import com.netscape.certsrv.logging.event.AuthzSuccessEvent; -+import com.netscape.certsrv.logging.event.RoleAssumeEvent; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -700,7 +701,7 @@ public class CAProcessor extends Processor { - public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken, - String exp) throws EBaseException { - AuthzToken authzToken = null; -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String auditGroupID = auditGroupID(); - String auditACLResource = resource; -@@ -716,14 +717,11 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditGroupID); -+ auditGroupID)); - -- audit(auditMessage); - } else { - - audit(new AuthzFailEvent( -@@ -732,13 +730,10 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroupID); -- -- audit(auditMessage); -+ auditGroupID)); - } - return authzToken; - } catch (EBaseException e) { -@@ -749,13 +744,11 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditSubjectID, - ILogger.FAILURE, -- auditGroupID); -+ auditGroupID)); - -- audit(auditMessage); - throw e; - } - } -@@ -784,7 +777,7 @@ public class CAProcessor extends Processor { - */ - 
public AuthzToken authorize(String authzMgrName, IAuthToken authToken, - String resource, String operation) { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String auditGroupID = auditGroupID(); - String auditID = auditSubjectID; -@@ -842,14 +835,11 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.SUCCESS, -- auditGroups(auditSubjectID)); -+ auditGroups(auditSubjectID))); - -- audit(auditMessage); - } else { - - audit(new AuthzFailEvent( -@@ -858,14 +848,10 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - } - - return authzTok; -@@ -877,14 +863,10 @@ public class CAProcessor extends Processor { - auditACLResource, - auditOperation)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.ROLE_ASSUME, -+ audit(new RoleAssumeEvent( - auditID, - ILogger.FAILURE, -- auditGroups(auditSubjectID)); -- -- audit(auditMessage); -+ auditGroups(auditSubjectID))); - - return null; - } --- -1.8.3.1 - - -From 3d9ef95a913af023958b79ef383853cf958757e0 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 21 Apr 2017 04:55:00 +0200 -Subject: [PATCH 29/49] Added ConfigRoleEvent. - -A new ConfigRoleEvent class of has been added to encapsulate the -CONFIG_ROLE events. 
- -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738 ---- - .../certsrv/logging/event/ConfigRoleEvent.java | 39 ++ - .../cms/profile/updater/SubsystemGroupUpdater.java | 37 +- - .../cms/servlet/admin/GroupMemberProcessor.java | 10 +- - .../cms/servlet/admin/UsrGrpAdminServlet.java | 500 ++++++--------------- - .../netscape/cms/servlet/csadmin/RegisterUser.java | 40 +- - .../cms/servlet/csadmin/UpdateDomainXML.java | 44 +- - .../netscape/cms/servlet/processors/Processor.java | 13 - - .../org/dogtagpki/server/rest/GroupService.java | 10 +- - .../src/org/dogtagpki/server/rest/UserService.java | 18 +- - 9 files changed, 264 insertions(+), 447 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -new file mode 100644 -index 0000000..695712b ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -@@ -0,0 +1,39 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class ConfigRoleEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public ConfigRoleEvent( -+ String subjectID, -+ String outcome, -+ String params) { -+ -+ super(CONFIG_ROLE); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ params -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -index 4ecc255..276c5b5 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java -@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.profile.IProfile; -@@ -102,7 +103,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - public void update(IRequest req, RequestStatus status) - throws EProfileException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - CMS.debug("SubsystemGroupUpdater update starts"); -@@ -163,12 +163,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - - system.addUser(user); - CMS.debug("SubsystemGroupUpdater update: successfully add the user"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- audit(auditMessage); -+ auditParams)); - - String b64 = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - try { 
-@@ -188,12 +187,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - - system.addUserCert(user); - CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- audit(auditMessage); -+ auditParams)); - - } catch (ConflictingOperationException e) { - CMS.debug("UpdateSubsystemGroup: update " + e.toString()); -@@ -201,12 +199,12 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - - } catch (Exception e) { - CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString()); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams); -- audit(auditMessage); -+ auditParams)); -+ - throw new EProfileException(e.toString()); - } - -@@ -232,12 +230,10 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - group.addMemberName(id); - system.modifyGroup(group); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- audit(auditMessage); -+ auditParams)); - - CMS.debug("UpdateSubsystemGroup: update: successfully added the user to the group."); - } else { -@@ -245,12 +241,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater { - } - } catch (Exception e) { - CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString()); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams); -- audit(auditMessage); -+ auditParams)); - } - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -index 00f960e..c6ae5b1 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java -@@ -43,9 +43,9 @@ import com.netscape.certsrv.group.GroupMemberCollection; - import com.netscape.certsrv.group.GroupMemberData; - import com.netscape.certsrv.group.GroupNotFoundException; - import com.netscape.certsrv.group.GroupResource; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IUGSubsystem; - import com.netscape.cms.servlet.processors.Processor; -@@ -388,6 +388,12 @@ public class GroupMemberProcessor extends Processor { - } - - public void audit(String type, String id, Map params, String status) { -- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); -+ -+ if (auditor == null) return; -+ -+ auditor.log(new ConfigRoleEvent( -+ auditor.getSubjectID(), -+ status, -+ auditor.getParamString(ScopeDef.SC_GROUP_MEMBERS, type, id, params))); - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -index 1c38b88..183fbea 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java -@@ -31,9 +31,6 @@ import javax.servlet.ServletException; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.security.pkcs.PKCS7; --import netscape.security.x509.X509CertImpl; -- - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.InternalCertificate; - -@@ -48,9 +45,9 @@ import com.netscape.certsrv.common.Constants; - import 
com.netscape.certsrv.common.NameValuePairs; - import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.password.IPasswordCheck; - import com.netscape.certsrv.usrgrp.EUsrGrpException; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -60,6 +57,9 @@ import com.netscape.certsrv.usrgrp.IUser; - import com.netscape.cmsutil.util.Cert; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.pkcs.PKCS7; -+import netscape.security.x509.X509CertImpl; -+ - /** - * A class representing an administration servlet for - * User/Group Manager. It communicates with client -@@ -667,7 +667,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -678,14 +677,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -697,14 +692,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - // backslashes (BS) are not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - 
auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_RS_ID_BS"), -@@ -716,14 +707,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - // backslashes (BS) are not allowed - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", id)); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_SPECIAL_ID", id), -@@ -739,14 +726,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - - log(ILogger.LL_FAILURE, msg); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, msg, null, resp); - return; -@@ -766,14 +749,11 @@ public class UsrGrpAdminServlet extends AdminServlet { - IPasswordCheck passwdCheck = CMS.getPasswordChecker(); - - if (!passwdCheck.isGoodPassword(pword)) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EUsrGrpException(passwdCheck.getReason(pword)); - -@@ -819,14 +799,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception ex) { - ex.printStackTrace(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); 
-- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); -@@ -842,14 +818,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception ex) { - log(ILogger.LL_FAILURE, ex.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); -@@ -868,28 +840,20 @@ public class UsrGrpAdminServlet extends AdminServlet { - - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; - } catch (EUsrGrpException e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - if (user.getUserID() == null) { - sendResponse(ERROR, -@@ -903,40 +867,30 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp); - 
return; - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -978,7 +932,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -989,14 +942,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1012,14 +961,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (certsString == null) { - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, 
null, params, resp); - return; -@@ -1052,14 +997,11 @@ public class UsrGrpAdminServlet extends AdminServlet { - X509Certificate p7certs[] = pkcs7.getCertificates(); - - if (p7certs.length == 0) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); -@@ -1087,14 +1029,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - // not a chain, or in random order - CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); -@@ -1153,14 +1091,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - //----- - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", ex.toString())); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp); -@@ -1169,14 +1103,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_O_ERROR", e.toString())); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new 
ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_O_ERROR"), null, resp); -@@ -1191,14 +1121,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.addUserCert(user); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; -@@ -1207,14 +1133,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED", - String.valueOf(certs[0].getSubjectDN()))); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_EXPIRED"), null, resp); -@@ -1223,28 +1145,21 @@ public class UsrGrpAdminServlet extends AdminServlet { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID", - String.valueOf(certs[0].getSubjectDN()))); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp); - return; - - } catch (ConflictingOperationException e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- 
AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp); -@@ -1253,14 +1168,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); -@@ -1279,14 +1190,11 @@ public class UsrGrpAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1331,7 +1239,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1342,14 +1249,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- 
audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1364,14 +1267,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (certDN == null) { - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; -@@ -1382,28 +1281,20 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.removeUserCert(user); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; - } catch (Exception e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); -@@ -1422,14 +1313,11 @@ public class UsrGrpAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be 
handled later - throw eAudit2; -@@ -1474,7 +1362,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1493,14 +1380,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1515,14 +1398,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - } catch (Exception ex) { - ex.printStackTrace(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); - return; -@@ -1535,14 +1414,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (mustDelete) { - mMgr.removeUserFromGroup(group, id); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV_G"), -@@ -1557,52 +1432,39 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.removeUser(id); - NameValuePairs params = new NameValuePairs(); - -- 
// store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; - } catch (Exception ex) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV"), null, resp); - return; - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1644,7 +1506,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1656,14 +1517,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = 
CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1694,26 +1551,19 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.addGroup(group); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; - } catch (Exception e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_ADD_FAILED"), -@@ -1721,26 +1571,20 @@ public class UsrGrpAdminServlet extends AdminServlet { - return; - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1782,7 +1626,6 @@ public class 
UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1794,14 +1637,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1813,37 +1652,27 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.removeGroup(id); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1887,7 +1716,6 @@ 
public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1899,14 +1727,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -1952,14 +1776,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (!isDuplicate(groupName, memberName)) { - group.addMemberName(memberName); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberName)); - } -@@ -1976,27 +1796,19 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.modifyGroup(group); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - } catch (Exception e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - 
auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_MODIFY_FAILED"), -@@ -2004,26 +1816,20 @@ public class UsrGrpAdminServlet extends AdminServlet { - return; - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -2136,7 +1942,6 @@ public class UsrGrpAdminServlet extends AdminServlet { - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -2148,14 +1953,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - if (id == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), -@@ -2172,14 +1973,10 @@ public class UsrGrpAdminServlet extends AdminServlet { - - log(ILogger.LL_FAILURE, msg); - -- // store a message in the 
signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, msg, null, resp); - return; -@@ -2197,14 +1994,11 @@ public class UsrGrpAdminServlet extends AdminServlet { - IPasswordCheck passwdCheck = CMS.getPasswordChecker(); - - if (!passwdCheck.isGoodPassword(pword)) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EUsrGrpException(passwdCheck.getReason(pword)); - -@@ -2228,54 +2022,40 @@ public class UsrGrpAdminServlet extends AdminServlet { - mMgr.modifyUser(user); - NameValuePairs params = new NameValuePairs(); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, params, resp); - return; - } catch (Exception e) { - log(ILogger.LL_FAILURE, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(ERROR, - CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp); - return; - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow 
the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -index 77ef4d8..f3a0164 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java -@@ -34,8 +34,8 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.authorization.EAuthzAccessDenied; - import com.netscape.certsrv.base.EBaseException; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.usrgrp.ICertUserLocator; - import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -144,7 +144,6 @@ public class RegisterUser extends CMSServlet { - CMS.debug("RegisterUser got name=" + name); - CMS.debug("RegisterUser got certsString=" + certsString); - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditParams = "Scope;;users+Operation;;OP_ADD+source;;RegisterUser" + - "+Resource;;" + uid + -@@ -199,12 +198,11 @@ public class RegisterUser extends CMSServlet { - - ugsys.addUser(user); - CMS.debug("RegisterUser created user " + uid); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- audit(auditMessage); 
-+ auditParams)); - } - - // concatenate lines -@@ -218,23 +216,22 @@ public class RegisterUser extends CMSServlet { - if (!foundByCert) { - ugsys.addUserCert(user); - CMS.debug("RegisterUser added user certificate"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- audit(auditMessage); -+ auditParams)); -+ - } else - CMS.debug("RegisterUser no need to add user certificate"); - } catch (Exception eee) { - CMS.debug("RegisterUser error " + eee.toString()); -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams); -+ auditParams)); - -- audit(auditMessage); - outputError(httpResp, "Error: Certificate malformed"); - return; - } -@@ -261,22 +258,17 @@ public class RegisterUser extends CMSServlet { - ugsys.modifyGroup(group); - CMS.debug("RegisterUser modified group"); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams); -- -- audit(auditMessage); -+ auditParams)); - } - } catch (Exception e) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams); -- -- audit(auditMessage); -+ auditParams)); - } - - // send success status back to the requestor -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -index 5872ab0..91d8983 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java -@@ -28,13 +28,6 @@ import javax.servlet.ServletException; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.ldap.LDAPAttribute; 
--import netscape.ldap.LDAPAttributeSet; --import netscape.ldap.LDAPConnection; --import netscape.ldap.LDAPEntry; --import netscape.ldap.LDAPException; --import netscape.ldap.LDAPModification; -- - import org.w3c.dom.Document; - import org.w3c.dom.Element; - import org.w3c.dom.Node; -@@ -49,12 +42,20 @@ import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.ldap.ILdapConnFactory; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.base.UserInfo; - import com.netscape.cms.servlet.common.CMSRequest; - import com.netscape.cms.servlet.common.ICMSTemplateFiller; - import com.netscape.cmsutil.xml.XMLObject; - -+import netscape.ldap.LDAPAttribute; -+import netscape.ldap.LDAPAttributeSet; -+import netscape.ldap.LDAPConnection; -+import netscape.ldap.LDAPEntry; -+import netscape.ldap.LDAPException; -+import netscape.ldap.LDAPModification; -+ - public class UpdateDomainXML extends CMSServlet { - - /** -@@ -368,12 +369,11 @@ public class UpdateDomainXML extends CMSServlet { - // remove the user for this subsystem's admin - status2 = remove_from_ldap(adminUserDN); - if (status2.equals(SUCCESS)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- userAuditParams); -- audit(auditMessage); -+ userAuditParams)); - - // remove this user from the subsystem group - userAuditParams = "Scope;;groups+Operation;;OP_DELETE_USER" + -@@ -384,26 +384,26 @@ public class UpdateDomainXML extends CMSServlet { - new LDAPAttribute("uniqueMember", adminUserDN)); - status2 = modify_ldap(dn, mod); - if (status2.equals(SUCCESS)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.SUCCESS, -- userAuditParams); -+ userAuditParams)); -+ 
- } else { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- userAuditParams); -+ userAuditParams)); - } -- audit(auditMessage); -+ - } else { // error deleting user -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_ROLE, -+ -+ audit(new ConfigRoleEvent( - auditSubjectID, - ILogger.FAILURE, -- userAuditParams); -- audit(auditMessage); -+ userAuditParams)); - } - } - } else { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java -index 64344d2..ffe707c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java -@@ -60,19 +60,6 @@ public class Processor { - return map; - } - -- public void audit(String message, String scope, String type, String id, Map params, String status) { -- -- if (auditor == null) return; -- -- String auditMessage = CMS.getLogMessage( -- message, -- auditor.getSubjectID(), -- status, -- auditor.getParamString(scope, type, id, params)); -- -- auditor.log(auditMessage); -- } -- - public void log(int source, int level, String message) { - - if (logger == null) return; -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -index 4aa0209..6292cf8 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java -@@ -40,8 +40,8 @@ import com.netscape.certsrv.group.GroupData; - import com.netscape.certsrv.group.GroupMemberData; - import com.netscape.certsrv.group.GroupNotFoundException; - import com.netscape.certsrv.group.GroupResource; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import 
com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.usrgrp.IGroup; - import com.netscape.certsrv.usrgrp.IGroupConstants; - import com.netscape.certsrv.usrgrp.IUGSubsystem; -@@ -432,6 +432,12 @@ public class GroupService extends SubsystemService implements GroupResource { - } - - public void audit(String type, String id, Map params, String status) { -- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status); -+ -+ if (auditor == null) return; -+ -+ auditor.log(new ConfigRoleEvent( -+ auditor.getSubjectID(), -+ status, -+ auditor.getParamString(ScopeDef.SC_GROUPS, type, id, params))); - } - } -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -index e10c4f5..ec690d6 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java -@@ -52,8 +52,8 @@ import com.netscape.certsrv.common.OpDef; - import com.netscape.certsrv.common.ScopeDef; - import com.netscape.certsrv.dbs.certdb.CertId; - import com.netscape.certsrv.group.GroupMemberData; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigRoleEvent; - import com.netscape.certsrv.password.IPasswordCheck; - import com.netscape.certsrv.user.UserCertCollection; - import com.netscape.certsrv.user.UserCertData; -@@ -1227,10 +1227,22 @@ public class UserService extends SubsystemService implements UserResource { - } - - public void auditUser(String type, String id, Map params, String status) { -- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status); -+ -+ if (auditor == null) return; -+ -+ auditor.log(new ConfigRoleEvent( -+ auditor.getSubjectID(), -+ status, -+ auditor.getParamString(ScopeDef.SC_USERS, type, id, params))); - } - - public void auditUserCert(String type, String id, Map params, 
String status) { -- audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status); -+ -+ if (auditor == null) return; -+ -+ auditor.log(new ConfigRoleEvent( -+ auditor.getSubjectID(), -+ status, -+ auditor.getParamString(ScopeDef.SC_USER_CERTS, type, id, params))); - } - } --- -1.8.3.1 - - -From 692b2d776397b8fd2e4dfbab3a5d2ac407c440de Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 12 Apr 2017 21:45:12 +0200 -Subject: [PATCH 30/49] Added CertRequestProcessedEvent. - -A new CertRequestProcessedEvent class of has been added to -encapsulate the CERT_REQUEST_PROCESSED events. - -https://pagure.io/dogtagpki/issue/2636 - -Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f ---- - .../logging/event/CertRequestProcessedEvent.java | 43 +++++++ - .../netscape/cms/servlet/cert/CertProcessor.java | 26 ++--- - .../netscape/cms/servlet/cert/EnrollServlet.java | 50 +++------ - .../cms/servlet/cert/RequestProcessor.java | 42 ++----- - .../cms/servlet/connector/ConnectorServlet.java | 19 ++-- - .../servlet/profile/ProfileSubmitCMCServlet.java | 38 +++---- - .../cms/servlet/request/ProcessCertReq.java | 125 +++++++-------------- - 7 files changed, 138 insertions(+), 205 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -new file mode 100644 -index 0000000..1703f65 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -0,0 +1,43 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class CertRequestProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public CertRequestProcessedEvent( -+ String subjectID, -+ String outcome, -+ String requesterID, -+ String infoName, -+ String infoValue) { -+ -+ super(CERT_REQUEST_PROCESSED); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requesterID, -+ infoName, -+ infoValue -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index c16d8e0..2a60cb0 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -32,8 +32,8 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.EPropertyNotFound; - import com.netscape.certsrv.cert.CertEnrollmentRequest; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.ERejectException; - import 
com.netscape.certsrv.profile.IEnrollProfile; -@@ -217,7 +217,6 @@ public class CertProcessor extends CAProcessor { - } - - protected String submitRequests(Locale locale, IProfile profile, IAuthToken authToken, IRequest[] reqs) { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; - String errorCode = null; -@@ -252,16 +251,13 @@ public class CertProcessor extends CAProcessor { - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue); -- -- audit(auditMessage); -+ auditInfoCertValue)); - } - } - } catch (EDeferException e) { -@@ -288,16 +284,13 @@ public class CertProcessor extends CAProcessor { - req.setExtData(IRequest.ERROR, e.toString()); - req.setExtData(IRequest.ERROR_CODE, errorCode); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- codeToReason(locale, errorCode, e.toString(), req.getRequestId())); -+ codeToReason(locale, errorCode, e.toString(), req.getRequestId()))); - -- audit(auditMessage); - } catch (Throwable e) { - // return error to the user - CMS.debug(e); -@@ -307,15 +300,12 @@ public class CertProcessor extends CAProcessor { - req.setExtData(IRequest.ERROR, errorReason); - req.setExtData(IRequest.ERROR_CODE, errorCode); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- 
errorReason); -- -- audit(auditMessage); -+ errorReason)); - } - - try { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -index 6f01d2a..cb2b76f 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.RequestStatus; - import com.netscape.certsrv.usrgrp.IGroup; -@@ -1368,29 +1369,23 @@ public class EnrollServlet extends CMSServlet { - for (int i = 0; i < issuedCerts.length; i++) { - // (automated "agent" cert request processed - // - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i])); -- -- audit(auditMessage); -+ auditInfoCertValue(issuedCerts[i]))); - } - } catch (IOException ex) { - cmsReq.setStatus(ICMSRequest.ERROR); - - // (automated "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0])); - } - - return; -@@ -1402,15 +1397,12 @@ public class EnrollServlet extends CMSServlet { - - if (completed == false) { - // (automated "agent" cert request processed - 
"rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1])); - - return; - } -@@ -1458,15 +1450,12 @@ public class EnrollServlet extends CMSServlet { - - for (int i = 0; i < issuedCerts.length; i++) { - // (automated "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i])); -- -- audit(auditMessage); -+ auditInfoCertValue(issuedCerts[i]))); - } - - return; -@@ -1481,15 +1470,12 @@ public class EnrollServlet extends CMSServlet { - - for (int i = 0; i < issuedCerts.length; i++) { - // (automated "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i])); -- -- audit(auditMessage); -+ auditInfoCertValue(issuedCerts[i]))); - } - } catch (IOException e) { - log(ILogger.LL_FAILURE, -@@ -1498,15 +1484,12 @@ public class EnrollServlet extends CMSServlet { - e.toString())); - - // (automated "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2])); - - throw new ECMSGWException( - 
CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR")); -@@ -1514,15 +1497,12 @@ public class EnrollServlet extends CMSServlet { - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - // (automated "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3])); - - throw eAudit1; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index 474a2e5..66fe58c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -25,8 +25,6 @@ import java.util.Locale; - - import javax.servlet.http.HttpServletRequest; - --import netscape.security.x509.X509CertImpl; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; -@@ -40,8 +38,8 @@ import com.netscape.certsrv.ca.AuthorityID; - import com.netscape.certsrv.ca.CANotFoundException; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.cert.CertReviewResponse; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; -@@ -62,6 +60,8 @@ import com.netscape.certsrv.request.RequestStatus; - import com.netscape.cms.servlet.common.CMSRequest; - import 
com.netscape.cms.servlet.profile.ProfileOutputFactory; - -+import netscape.security.x509.X509CertImpl; -+ - public class RequestProcessor extends CertProcessor { - - public RequestProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException { -@@ -275,23 +275,18 @@ public class RequestProcessor extends CertProcessor { - * occurred - */ - private void cancelRequest(IRequest req) throws EProfileException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(req); - String auditInfoValue = auditInfoValue(req); - - req.setRequestStatus(RequestStatus.CANCELED); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_CANCELLATION, -- auditInfoValue); -- -- audit(auditMessage); -+ auditInfoValue)); - } - - /** -@@ -311,23 +306,18 @@ public class RequestProcessor extends CertProcessor { - * occurred - */ - private void rejectRequest(IRequest req) throws EProfileException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(req); - String auditInfoValue = auditInfoValue(req); - - req.setRequestStatus(RequestStatus.REJECTED); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- auditInfoValue); -- -- audit(auditMessage); -+ auditInfoValue)); - } - - /** -@@ -374,7 +364,6 @@ public class RequestProcessor extends CertProcessor { - */ - private void approveRequest(IRequest req, CertReviewResponse data, IProfile profile, Locale locale) - throws EBaseException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); 
- String auditRequesterID = auditRequesterID(req); - -@@ -398,28 +387,21 @@ public class RequestProcessor extends CertProcessor { - X509CertImpl theCert = req.getExtDataInCert( - IEnrollProfile.REQUEST_ISSUED_CERT); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(theCert)); -- -- audit(auditMessage); -+ auditInfoCertValue(theCert))); - - } catch (EProfileException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -- -- audit(auditMessage); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - - CMS.debug("CertRequestExecutor: about to throw EProfileException because of bad profile execute."); - throw eAudit1; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index 6732e92..ee60187 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.connector.IRequestEncoder; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -626,16 +627,13 @@ public class ConnectorServlet extends CMSServlet 
{ - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue); -- -- audit(auditMessage); -+ auditInfoCertValue)); - } - } - } -@@ -648,16 +646,13 @@ public class ConnectorServlet extends CMSServlet { - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue); -- -- audit(auditMessage); -+ auditInfoCertValue)); - } - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index c3ada9a..28f777b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -44,8 +44,8 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.SessionContext; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; -@@ -639,7 +639,6 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { - } - } //for - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; - -@@ -677,16 +676,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue); -- -- audit(auditMessage); -+ auditInfoCertValue)); - } - } - } catch (EDeferException e) { -@@ -733,31 +729,26 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - if (errorCode != null) { - if (errorCode.equals("1")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- errorReason); -+ errorReason)); - -- audit(auditMessage); - } else if (errorCode.equals("2")) { - // do NOT store a message in the signed audit log file - // as this errorCode indicates that a process has been - // deferred for manual acceptance/cancellation/rejection - } else if (errorCode.equals("3")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- errorReason); -- -- audit(auditMessage); -+ errorReason)); - } - error_codes[k] = Integer.parseInt(errorCode); - } else -@@ -782,16 +773,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - if (auditInfoCertValue != null) { - if 
(!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue); -- -- audit(auditMessage); -+ auditInfoCertValue)); - } - } - } catch (ERejectException e) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -index 9d0da48..2bcc8ad 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -463,37 +464,31 @@ public class ProcessCertReq extends CMSServlet { - audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - 
ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0]); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0])); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[0]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[0])); - } - - return; -@@ -935,15 +930,12 @@ public class ProcessCertReq extends CMSServlet { - // store a message in the signed audit log file - // (one for each manual "agent" - // cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditInfoName, -- auditInfoCertValue(issuedCerts[i])); -- -- audit(auditMessage); -+ auditInfoCertValue(issuedCerts[i]))); - } - header.addStringValue( - "serialNumber", sbuf.toString()); -@@ -979,15 +971,12 @@ public class ProcessCertReq extends CMSServlet { - // store a message in the signed audit log file - // (manual "agent" cert request processed - // - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditInfoName, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -- -- audit(auditMessage); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - } - - // grant trusted manager or agent privileges -@@ -1104,15 +1093,12 @@ public class ProcessCertReq extends CMSServlet { - - // store a message in the signed audit log file - // (manual "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( 
- auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[1]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[1])); - - } else if (toDo.equals("cancel")) { - mQueue.cancelRequest(r); -@@ -1166,15 +1152,12 @@ public class ProcessCertReq extends CMSServlet { - - // store a message in the signed audit log file - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1])); - - } else if (toDo.equals("clone")) { - IRequest clonedRequest = mQueue.cloneAndMarkPending(r); -@@ -1277,37 +1260,30 @@ public class ProcessCertReq extends CMSServlet { - audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2]); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2])); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new 
CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[2]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[2])); - } - } - -@@ -1330,37 +1306,30 @@ public class ProcessCertReq extends CMSServlet { - audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3]); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3])); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[3]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[3])); - } - } - -@@ -1384,37 +1353,30 @@ public class ProcessCertReq extends CMSServlet { - audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- 
ILogger.SIGNED_AUDIT_EMPTY_VALUE); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4]); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4])); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[4]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[4])); - } - } - -@@ -1438,37 +1400,30 @@ public class ProcessCertReq extends CMSServlet { - audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) { - // (manual "agent" cert request processed - "accepted") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- ILogger.SIGNED_AUDIT_EMPTY_VALUE); -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) { - // (manual "agent" cert request processed - "cancelled") -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5]); -+ SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5])); - -- audit(auditMessage); - } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) { - // (manual "agent" cert request processed - "rejected") -- 
auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_REQUEST_PROCESSED, -+ audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditInfoName, -- SIGNED_AUDIT_MANUAL_REJECTION_REASON[5]); -- -- audit(auditMessage); -+ SIGNED_AUDIT_MANUAL_REJECTION_REASON[5])); - } - } - --- -1.8.3.1 - - -From f902b0365f2cf92f14f0a814394cd025669b3ea8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 24 Apr 2017 20:35:50 +0200 -Subject: [PATCH 31/49] Updated debug logs in SystemConfigService. - -Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177 ---- - .../src/org/dogtagpki/server/rest/SystemConfigService.java | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -index 27a6817..afbb24a 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -@@ -1008,18 +1008,25 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - - if (!CryptoUtil.isInternalToken(token)) { - try { -+ CMS.debug("Logging into token " + token); - CryptoToken ctoken = CryptoUtil.getKeyStorageToken(token); - String tokenpwd = data.getTokenPassword(); - ConfigurationUtils.loginToken(ctoken, tokenpwd); -+ - } catch (NotInitializedException e) { -+ CMS.debug(e); - throw new PKIException("Token is not initialized", e); -+ - } catch (NoSuchTokenException e) { -- throw new BadRequestException("Invalid Token provided. 
No such token.", e); -+ CMS.debug(e); -+ throw new BadRequestException("No such key storage token: " + token, e); -+ - } catch (TokenException e) { - CMS.debug(e); - throw new PKIException("Token Exception: " + e, e); -+ - } catch (IncorrectPasswordException e) { -- throw new BadRequestException("Incorrect Password provided for token.", e); -+ throw new BadRequestException("Incorrect password for token " + token, e); - } - } - } --- -1.8.3.1 - - -From 993a55fb4c883b3ca7ea0e64e24f4501909a571c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 21 Apr 2017 05:37:05 +0200 -Subject: [PATCH 32/49] Added ConfigSignedAuditEvent. - -A new SignedAuditConfigRoleEvent class of has been added to -encapsulate the CONFIG_SIGNED_AUDIT events. - -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd ---- - .../logging/event/ConfigSignedAuditEvent.java | 39 +++ - .../cms/servlet/admin/LogAdminServlet.java | 381 ++++++++------------- - .../org/dogtagpki/server/rest/AuditService.java | 9 +- - 3 files changed, 185 insertions(+), 244 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java -new file mode 100644 -index 0000000..32de443 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java -@@ -0,0 +1,39 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class ConfigSignedAuditEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public ConfigSignedAuditEvent( -+ String subjectID, -+ String outcome, -+ String params) { -+ -+ super(CONFIG_SIGNED_AUDIT); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ params -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -index c424520..1641f27 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java -@@ -44,6 +44,7 @@ import com.netscape.certsrv.logging.ILogEventListener; - import com.netscape.certsrv.logging.ILogSubsystem; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogPlugin; -+import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent; - - /** - * A class representings an administration servlet for logging -@@ -414,7 +415,7 @@ public class LogAdminServlet extends AdminServlet { - private synchronized void addLogPlugin(HttpServletRequest req, - HttpServletResponse resp, String scope) - throws ServletException, IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -435,13 +436,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the 
signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -454,13 +453,11 @@ public class LogAdminServlet extends AdminServlet { - if (mSys.getLogPlugins().containsKey(id)) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -475,13 +472,11 @@ public class LogAdminServlet extends AdminServlet { - if (classPath == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -504,13 +499,11 @@ public class LogAdminServlet extends AdminServlet { - } catch (ClassNotFoundException e) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -520,13 +513,11 @@ public class LogAdminServlet extends AdminServlet { - } catch (IllegalArgumentException e) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new 
ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -540,13 +531,11 @@ public class LogAdminServlet extends AdminServlet { - if (ILogEventListener.class.isAssignableFrom(newImpl) == false) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -557,13 +546,11 @@ public class LogAdminServlet extends AdminServlet { - } catch (NullPointerException e) { // unlikely, only if newImpl null. - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -584,13 +571,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -608,13 +593,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(SUCCESS, null, 
params, resp); -@@ -632,14 +615,11 @@ public class LogAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -686,7 +666,7 @@ public class LogAdminServlet extends AdminServlet { - private synchronized void addLogInst(HttpServletRequest req, - HttpServletResponse resp, String scope) - throws ServletException, IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -705,13 +685,11 @@ public class LogAdminServlet extends AdminServlet { - if (id == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -723,13 +701,11 @@ public class LogAdminServlet extends AdminServlet { - if (!isValidID(id)) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, "Invalid ID '" + id + "'", -@@ -740,13 +716,11 @@ public class LogAdminServlet extends AdminServlet { - if (mSys.getLogInsts().containsKey(id)) { - // store a message in the signed audit log 
file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -762,13 +736,11 @@ public class LogAdminServlet extends AdminServlet { - if (implname == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -785,13 +757,11 @@ public class LogAdminServlet extends AdminServlet { - if (plugin == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse( -@@ -845,13 +815,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -864,13 +832,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ 
auditParams(req))); - } - - sendResponse(ERROR, -@@ -883,13 +849,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -908,13 +872,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, e.toString(getLocale(req)), null, resp); -@@ -924,13 +886,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, e.toString(), null, resp); -@@ -946,13 +906,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -970,13 +928,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = 
CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(SUCCESS, null, params, resp); -@@ -994,14 +950,11 @@ public class LogAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1077,7 +1030,7 @@ public class LogAdminServlet extends AdminServlet { - private synchronized void delLogInst(HttpServletRequest req, - HttpServletResponse resp, String scope) - throws ServletException, IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1099,13 +1052,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1118,13 +1069,11 @@ public class LogAdminServlet extends AdminServlet { - if (mSys.getLogInsts().containsKey(id) == false) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- 
audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1154,13 +1103,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1171,13 +1118,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(SUCCESS, null, params, resp); -@@ -1195,14 +1140,11 @@ public class LogAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1239,7 +1181,7 @@ public class LogAdminServlet extends AdminServlet { - private synchronized void delLogPlugin(HttpServletRequest req, - HttpServletResponse resp, String scope) - throws ServletException, IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1261,13 +1203,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if 
(logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1279,13 +1219,11 @@ public class LogAdminServlet extends AdminServlet { - if (mSys.getLogPlugins().containsKey(id) == false) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1304,13 +1242,11 @@ public class LogAdminServlet extends AdminServlet { - if (getLogPluginName(log) == id) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1335,13 +1271,11 @@ public class LogAdminServlet extends AdminServlet { - } catch (EBaseException e) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1352,13 +1286,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - 
ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(SUCCESS, null, params, resp); -@@ -1376,14 +1308,11 @@ public class LogAdminServlet extends AdminServlet { - // // rethrow the specific exception to be handled later - // throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1468,13 +1397,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1487,13 +1414,11 @@ public class LogAdminServlet extends AdminServlet { - if (!mSys.getLogInsts().containsKey(id)) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1508,13 +1433,11 @@ public class LogAdminServlet extends AdminServlet { - if (implname == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - 
sendResponse(ERROR, -@@ -1530,13 +1453,11 @@ public class LogAdminServlet extends AdminServlet { - if (plugin == null) { - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse( -@@ -1682,13 +1603,11 @@ public class LogAdminServlet extends AdminServlet { - // store a message in the signed audit log - // file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1797,13 +1716,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1848,13 +1765,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1899,13 +1814,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ 
audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -1958,13 +1871,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(ERROR, -@@ -2017,13 +1928,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - sendResponse(RESTART, null, params, resp); -@@ -2063,13 +1972,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - // rethrow the specific exception to be handled later -@@ -2109,13 +2016,11 @@ public class LogAdminServlet extends AdminServlet { - - // store a message in the signed audit log file - if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ -+ audit(new ConfigSignedAuditEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - } - - // rethrow the specific exception to be handled later -diff --git 
a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -index 2d5b371..7c29651 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java -@@ -49,11 +49,11 @@ import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.base.ResourceNotFoundException; - import com.netscape.certsrv.logging.AuditConfig; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFile; - import com.netscape.certsrv.logging.AuditFileCollection; - import com.netscape.certsrv.logging.AuditResource; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent; - import com.netscape.cms.servlet.base.SubsystemService; - - /** -@@ -412,12 +412,9 @@ public class AuditService extends SubsystemService implements AuditResource { - */ - public void auditTPSConfigSignedAudit(String status, Map params) { - -- String msg = CMS.getLogMessage( -- AuditEvent.CONFIG_SIGNED_AUDIT, -+ auditor.log(new ConfigSignedAuditEvent( - servletRequest.getUserPrincipal().getName(), - status, -- auditor.getParamString(null, params)); -- auditor.log(msg); -- -+ auditor.getParamString(null, params))); - } - } --- -1.8.3.1 - - -From 36a606e4b51de17c56da0f9ee4daab062ec4acf3 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 19 Apr 2017 23:23:39 +0200 -Subject: [PATCH 33/49] Added CertRequestProcessedEvent constructor for - X509CertImpl. - -A new CertRequestProcessedEvent constructor has been added to -encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl -object. - -Copies of auditInfoCertValue() method in various classes have been -combined and moved into CertRequestProcessedEvent. 
- -https://pagure.io/dogtagpki/issue/2636 - -Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091 ---- - .../logging/event/CertRequestProcessedEvent.java | 71 ++++++++++++++++++++++ - .../netscape/cms/servlet/cert/CertProcessor.java | 5 +- - .../netscape/cms/servlet/cert/EnrollServlet.java | 61 +------------------ - .../cms/servlet/cert/RequestProcessor.java | 2 +- - .../cms/servlet/connector/ConnectorServlet.java | 65 ++------------------ - .../cms/servlet/processors/CAProcessor.java | 54 ---------------- - .../servlet/profile/ProfileSubmitCMCServlet.java | 64 ++----------------- - .../cms/servlet/request/ProcessCertReq.java | 56 +---------------- - 8 files changed, 91 insertions(+), 287 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -index 1703f65..3e5041d 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -17,7 +17,13 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.certsrv.logging.event; - -+import java.security.cert.CertificateEncodingException; -+ - import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.cmsutil.util.Utils; -+ -+import netscape.security.x509.X509CertImpl; - - public class CertRequestProcessedEvent extends AuditEvent { - -@@ -40,4 +46,69 @@ public class CertRequestProcessedEvent extends AuditEvent { - infoValue - }); - } -+ -+ public CertRequestProcessedEvent( -+ String subjectID, -+ String outcome, -+ String requesterID, -+ String infoName, -+ X509CertImpl x509cert) { -+ -+ super(CERT_REQUEST_PROCESSED); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requesterID, -+ infoName, -+ auditInfoCertValue(x509cert) -+ }); -+ } -+ -+ /** -+ * Signed Audit Log Info Certificate Value -+ 
* -+ * This method is called to obtain the certificate from the passed in -+ * "X509CertImpl" for a signed audit log message. -+ *

    -+ * -+ * @param x509cert an X509CertImpl -+ * @return cert string containing the certificate -+ */ -+ public static String auditInfoCertValue(X509CertImpl x509cert) { -+ -+ if (x509cert == null) { -+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ -+ byte rawData[] = null; -+ -+ try { -+ rawData = x509cert.getEncoded(); -+ } catch (CertificateEncodingException e) { -+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ -+ String cert = null; -+ -+ // convert "rawData" into "base64Data" -+ if (rawData != null) { -+ String base64Data = Utils.base64encode(rawData).trim(); -+ -+ // concatenate lines -+ cert = base64Data.replace("\r", "").replace("\n", ""); -+ } -+ -+ if (cert != null) { -+ cert = cert.trim(); -+ -+ if (cert.equals("")) { -+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } else { -+ return cert; -+ } -+ } else { -+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index 2a60cb0..d25d817 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -246,8 +246,9 @@ public class CertProcessor extends CAProcessor { - req.setRequestStatus(RequestStatus.COMPLETE); - - X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = auditInfoCertValue(x509cert); -+ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -+ // TODO: simplify this condition - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -@@ -257,7 +258,7 @@ public class CertProcessor extends CAProcessor { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue)); -+ x509cert)); - } - } - } catch (EDeferException e) { -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -index cb2b76f..43df5b6 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java -@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.cert; - - import java.io.IOException; - import java.math.BigInteger; --import java.security.cert.CertificateEncodingException; - import java.security.cert.CertificateException; - import java.security.cert.CertificateParsingException; - import java.security.cert.X509Certificate; -@@ -69,7 +68,6 @@ import com.netscape.cms.servlet.processors.CRMFProcessor; - import com.netscape.cms.servlet.processors.KeyGenProcessor; - import com.netscape.cms.servlet.processors.PKCS10Processor; - import com.netscape.cms.servlet.processors.PKIProcessor; --import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS10; - import netscape.security.x509.AlgorithmId; -@@ -1374,7 +1372,7 @@ public class EnrollServlet extends CMSServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i]))); -+ issuedCerts[i])); - } - } catch (IOException ex) { - cmsReq.setStatus(ICMSRequest.ERROR); -@@ -1455,7 +1453,7 @@ public class EnrollServlet extends CMSServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i]))); -+ issuedCerts[i])); - } - - return; -@@ -1475,7 +1473,7 @@ public class EnrollServlet extends CMSServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(issuedCerts[i]))); -+ issuedCerts[i])); - } - } catch (IOException e) { - log(ILogger.LL_FAILURE, -@@ -1674,57 +1672,4 @@ public class EnrollServlet extends CMSServlet { - throws EBaseException { - mIsTestBed = config.getBoolean("isTestBed", true); - } -- -- /** -- * Signed Audit Log 
Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param x509cert an X509CertImpl -- * @return cert string containing the certificate -- */ -- private String auditInfoCertValue(X509CertImpl x509cert) { -- // if no signed audit object exists, bail -- if (mSignedAuditLogger == null) { -- return null; -- } -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index 66fe58c..b66aec2 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -392,7 +392,7 @@ public class RequestProcessor extends CertProcessor { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue(theCert))); -+ theCert)); - - } catch (EProfileException eAudit1) { - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index ee60187..b5ccdd2 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -25,7 +25,6 @@ 
import java.io.InputStreamReader; - import java.io.OutputStream; - import java.io.OutputStreamWriter; - import java.security.cert.Certificate; --import java.security.cert.CertificateEncodingException; - import java.security.cert.CertificateException; - import java.security.cert.X509Certificate; - import java.util.Enumeration; -@@ -62,7 +61,6 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestStatus; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; --import com.netscape.cmsutil.util.Utils; - - import netscape.security.x509.CRLExtensions; - import netscape.security.x509.CRLReasonExtension; -@@ -622,8 +620,9 @@ public class ConnectorServlet extends CMSServlet { - if (isProfileRequest(thisreq)) { - - X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = auditInfoCertValue(x509cert); -+ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -+ // TODO: simplify this condition - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -@@ -633,7 +632,7 @@ public class ConnectorServlet extends CMSServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue)); -+ x509cert)); - } - } - } -@@ -641,8 +640,9 @@ public class ConnectorServlet extends CMSServlet { - if (isProfileRequest(thisreq)) { - - X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = auditInfoCertValue(x509cert); -+ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -+ // TODO: simplify this condition - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -@@ -652,7 +652,7 @@ public class ConnectorServlet extends CMSServlet { - ILogger.FAILURE, - auditRequesterID, - 
ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue)); -+ x509cert)); - } - } - } -@@ -1054,57 +1054,4 @@ public class ConnectorServlet extends CMSServlet { - - return profileID; - } -- -- /** -- * Signed Audit Log Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param x509cert an X509CertImpl -- * @return cert string containing the certificate -- */ -- private String auditInfoCertValue(X509CertImpl x509cert) { -- // if no signed audit object exists, bail -- if (mSignedAuditLogger == null) { -- return null; -- } -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 74f501f..25f7bb3 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -71,7 +71,6 @@ import com.netscape.certsrv.util.IStatsSubsystem; - import com.netscape.cms.servlet.common.AuthCredentials; - import com.netscape.cms.servlet.common.CMSGateway; - import com.netscape.cms.servlet.common.ServletUtils; --import com.netscape.cmsutil.util.Utils; - - import netscape.security.x509.X509CertImpl; - -@@ -1040,59 +1039,6 @@ public class CAProcessor extends Processor { - } - - /** -- * Signed Audit Log Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param x509cert an X509CertImpl -- * @return cert string containing the certificate -- */ -- protected String auditInfoCertValue(X509CertImpl x509cert) { -- // if no signed audit object exists, bail -- if (signedAuditLogger == null) { -- return null; -- } -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } -- -- /** - * Signed Audit Groups - * - * This method is called to extract all "groups" associated -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 28f777b..26ca2a4 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.profile; - - import java.io.InputStream; - import java.io.OutputStream; --import java.security.cert.CertificateEncodingException; - import java.util.Enumeration; - import java.util.Locale; - -@@ -671,8 +670,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - reqs[k].setRequestStatus(RequestStatus.COMPLETE); - - X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = 
auditInfoCertValue(x509cert); -+ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -+ // TODO: simplify this condition - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -@@ -682,7 +682,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue)); -+ x509cert)); - } - } - } catch (EDeferException e) { -@@ -768,8 +768,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); - - X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = auditInfoCertValue(x509cert); -+ String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -+ // TODO: simplify this condition - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -@@ -779,7 +780,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, -- auditInfoCertValue)); -+ x509cert)); - } - } - } catch (ERejectException e) { -@@ -875,57 +876,4 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - return requesterID; - } -- -- /** -- * Signed Audit Log Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param x509cert an X509CertImpl -- * @return cert string containing the certificate -- */ -- private String auditInfoCertValue(X509CertImpl x509cert) { -- // if no signed audit object exists, bail -- if (mSignedAuditLogger == null) { -- return null; -- } -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -index 2bcc8ad..c229263 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java -@@ -21,7 +21,6 @@ import java.io.IOException; - import java.math.BigInteger; - import java.security.NoSuchAlgorithmException; - import java.security.cert.Certificate; --import java.security.cert.CertificateEncodingException; - import java.security.cert.CertificateException; - import java.util.Date; - import java.util.Enumeration; -@@ -935,7 +934,7 @@ public class ProcessCertReq extends CMSServlet { - ILogger.SUCCESS, - auditRequesterID, - auditInfoName, -- auditInfoCertValue(issuedCerts[i]))); -+ issuedCerts[i])); - } - header.addStringValue( - "serialNumber", sbuf.toString()); -@@ -1757,59 +1756,6 @@ public class 
ProcessCertReq extends CMSServlet { - - return infoName; - } -- -- /** -- * Signed Audit Log Info Certificate Value -- * -- * This method is called to obtain the certificate from the passed in -- * "X509CertImpl" for a signed audit log message. -- *

    -- * -- * @param x509cert an X509CertImpl -- * @return cert string containing the certificate -- */ -- private String auditInfoCertValue(X509CertImpl x509cert) { -- // if no signed audit object exists, bail -- if (mSignedAuditLogger == null) { -- return null; -- } -- -- if (x509cert == null) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- byte rawData[] = null; -- -- try { -- rawData = x509cert.getEncoded(); -- } catch (CertificateEncodingException e) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- -- String cert = null; -- -- // convert "rawData" into "base64Data" -- if (rawData != null) { -- String base64Data = null; -- -- base64Data = Utils.base64encode(rawData).trim(); -- -- // concatenate lines -- cert = base64Data.replace("\r", "").replace("\n", ""); -- } -- -- if (cert != null) { -- cert = cert.trim(); -- -- if (cert.equals("")) { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } else { -- return cert; -- } -- } else { -- return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } - } - - class RAReqCompletedFiller extends ImportCertsTemplateFiller { --- -1.8.3.1 - - -From 6f457f2c5e0df576f067b46a78b481eb5dc197e8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 14 Apr 2017 01:46:36 +0200 -Subject: [PATCH 34/49] Added CertRequestProcessedEvent constructor for - IRequest. - -A new CertRequestProcessedEvent constructor has been added to -encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest -object. - -The auditInfoValue() method in CAProcessor has been moved into -CertRequestProcessedEvent. 
- -https://pagure.io/dogtagpki/issue/2636 - -Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb ---- - .../logging/event/CertRequestProcessedEvent.java | 53 ++++++++++++++++++++++ - .../cms/servlet/cert/RequestProcessor.java | 7 +-- - .../cms/servlet/processors/CAProcessor.java | 39 ---------------- - 3 files changed, 55 insertions(+), 44 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -index 3e5041d..777434b 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -21,6 +21,7 @@ import java.security.cert.CertificateEncodingException; - - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.request.IRequest; - import com.netscape.cmsutil.util.Utils; - - import netscape.security.x509.X509CertImpl; -@@ -29,6 +30,8 @@ public class CertRequestProcessedEvent extends AuditEvent { - - private static final long serialVersionUID = 1L; - -+ public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes"; -+ - public CertRequestProcessedEvent( - String subjectID, - String outcome, -@@ -65,6 +68,24 @@ public class CertRequestProcessedEvent extends AuditEvent { - }); - } - -+ public CertRequestProcessedEvent( -+ String subjectID, -+ String outcome, -+ String requesterID, -+ String infoName, -+ IRequest request) { -+ -+ super(CERT_REQUEST_PROCESSED); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requesterID, -+ infoName, -+ auditInfoValue(request) -+ }); -+ } -+ - /** - * Signed Audit Log Info Certificate Value - * -@@ -111,4 +132,36 @@ public class CertRequestProcessedEvent extends AuditEvent { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - } -+ -+ /** -+ * Signed Audit Log Info Value -+ * -+ * This 
method is called to obtain the "reason" for -+ * a signed audit log message. -+ *

    -+ * -+ * @param request the actual request -+ * @return reason string containing the signed audit log message reason -+ */ -+ String auditInfoValue(IRequest request) { -+ -+ String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ -+ if (request != null) { -+ // overwrite "reason" if and only if "info" != null -+ String info = -+ request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON); -+ -+ if (info != null) { -+ reason = info.trim(); -+ -+ // overwrite "reason" if and only if "reason" is empty -+ if (reason.equals("")) { -+ reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ } -+ } -+ -+ return reason; -+ } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index b66aec2..4494d2c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -277,8 +277,6 @@ public class RequestProcessor extends CertProcessor { - private void cancelRequest(IRequest req) throws EProfileException { - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(req); -- String auditInfoValue = auditInfoValue(req); -- - req.setRequestStatus(RequestStatus.CANCELED); - - audit(new CertRequestProcessedEvent( -@@ -286,7 +284,7 @@ public class RequestProcessor extends CertProcessor { - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_CANCELLATION, -- auditInfoValue)); -+ req)); - } - - /** -@@ -308,7 +306,6 @@ public class RequestProcessor extends CertProcessor { - private void rejectRequest(IRequest req) throws EProfileException { - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(req); -- String auditInfoValue = auditInfoValue(req); - - req.setRequestStatus(RequestStatus.REJECTED); - -@@ -317,7 +314,7 @@ public class RequestProcessor extends CertProcessor { - ILogger.SUCCESS, - 
auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, -- auditInfoValue)); -+ req)); - } - - /** -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -index 25f7bb3..bc5b9b5 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java -@@ -120,9 +120,6 @@ public class CAProcessor extends Processor { - public static final String ACL_INFO = "ACLinfo"; - public static final String PROFILE_SUB_ID = "profileSubId"; - -- public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = -- "requestNotes"; -- - protected String profileID; - protected String profileSubId; - protected String aclMethod; -@@ -1003,42 +1000,6 @@ public class CAProcessor extends Processor { - } - - /** -- * Signed Audit Log Info Value -- * -- * This method is called to obtain the "reason" for -- * a signed audit log message. -- *

    -- * -- * @param request the actual request -- * @return reason string containing the signed audit log message reason -- */ -- protected String auditInfoValue(IRequest request) { -- // if no signed audit object exists, bail -- if (signedAuditLogger == null) { -- return null; -- } -- -- String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- -- if (request != null) { -- // overwrite "reason" if and only if "info" != null -- String info = -- request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON); -- -- if (info != null) { -- reason = info.trim(); -- -- // overwrite "reason" if and only if "reason" is empty -- if (reason.equals("")) { -- reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- } -- } -- -- return reason; -- } -- -- /** - * Signed Audit Groups - * - * This method is called to extract all "groups" associated --- -1.8.3.1 - - -From 8caedd6723f4885d4aff2348aa3d9fc850627aa1 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 7 Feb 2017 17:27:06 +1000 -Subject: [PATCH 35/49] LDAPProfileSubsystem: avoid duplicating logic in - superclass - -Part of: https://fedorahosted.org/pki/ticket/2588 - -Change-Id: I1ac9a3d89c93832ef6b6b48b89138495ef4892fb ---- - .../cmscore/profile/AbstractProfileSubsystem.java | 7 +++- - .../cmscore/profile/LDAPProfileSubsystem.java | 43 ++++------------------ - 2 files changed, 13 insertions(+), 37 deletions(-) - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java -index 116b8e2..2a209ad 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java -@@ -121,7 +121,7 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem { - /** - * Commits a profile. 
- */ -- public void commitProfile(String id) -+ public synchronized void commitProfile(String id) - throws EProfileException { - IConfigStore cs = mProfiles.get(id).getConfigStore(); - -@@ -157,6 +157,11 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem { - - // finally commit the configStore - // -+ commitConfigStore(id, cs); -+ } -+ -+ protected void commitConfigStore(String id, IConfigStore cs) -+ throws EProfileException { - try { - cs.commit(false); - } catch (EBaseException e) { -diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java -index fff8ead..bce675e 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java -@@ -303,43 +303,14 @@ public class LDAPProfileSubsystem - readProfile(entry); - } - -+ /** -+ * Commit the configStore and track the resulting -+ * entryUSN and (in case of add) the nsUniqueId -+ */ - @Override -- public synchronized void commitProfile(String id) throws EProfileException { -- LDAPConfigStore cs = (LDAPConfigStore) mProfiles.get(id).getConfigStore(); -- -- // first create a *new* profile object from the configStore -- // and initialise it with the updated configStore -- // -- IPluginRegistry registry = (IPluginRegistry) -- CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); -- String classId = mProfileClassIds.get(id); -- IPluginInfo info = registry.getPluginInfo("profile", classId); -- String className = info.getClassName(); -- IProfile newProfile = null; -- try { -- newProfile = (IProfile) Class.forName(className).newInstance(); -- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) { -- throw new EProfileException("Could not instantiate class '" -- + classId + "' for profile '" + id + "': " + e); -- } -- newProfile.setId(id); -- try { -- 
newProfile.init(this, cs); -- } catch (EBaseException e) { -- throw new EProfileException( -- "Failed to initialise profile '" + id + "': " + e); -- } -- -- // next replace the existing profile with the new profile; -- // this is to avoid any intermediate state where the profile -- // is not fully initialised with its inputs, outputs and -- // policy objects. -- // -- mProfiles.put(id, newProfile); -- -- // finally commit the configStore and track the resulting -- // entryUSN and (in case of add) the nsUniqueId -- // -+ protected void commitConfigStore(String id, IConfigStore configStore) -+ throws EProfileException { -+ LDAPConfigStore cs = (LDAPConfigStore) configStore; - try { - String[] attrs = {"entryUSN", "nsUniqueId"}; - LDAPEntry entry = cs.commitReturn(false, attrs); --- -1.8.3.1 - - -From 6562b05a73090c0f7882a9684a8ceac2666e4401 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 7 Feb 2017 17:39:33 +1000 -Subject: [PATCH 36/49] ISourceConfigStore: add clear() method to interface - -The SourceConfigStore load() method does not clear the config store, -but this might be necessary to avoid stale data if wanting to -perform a complete replacement of the data (e.g. reload from file). - -We should not change the behaviour of load() in case some code is -relying on the current behaviour, so add the clear() method to the -interface. 
- -Part of: https://fedorahosted.org/pki/ticket/2588 - -Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93 ---- - base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java | 5 +++++ - .../cmscore/src/com/netscape/cmscore/base/PropConfigStore.java | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java -index 42637c2..8eb86c2 100644 ---- a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java -+++ b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java -@@ -63,6 +63,11 @@ public interface ISourceConfigStore extends Serializable { - public Enumeration keys(); - - /** -+ * Clear the config store. -+ */ -+ public void clear(); -+ -+ /** - * Reads a config store from an input stream. - * - * @param in input stream where the properties are located -diff --git a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java -index cc16e24..acf2844 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java -@@ -223,6 +223,10 @@ public class PropConfigStore implements IConfigStore, Cloneable { - } - } - -+ public synchronized void clear() { -+ mSource.clear(); -+ } -+ - /** - * Reads a config store from an input stream. - * --- -1.8.3.1 - - -From 62419afd831039e7487ba184c6bf8f876f4d21da Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 7 Feb 2017 21:12:08 +1000 -Subject: [PATCH 37/49] ProfileService: clear profile attributes when modifying - -When modifying a profile, attributes are not cleared. Attributes -that were removed in the updated profile configuration are not -actually removed. - -When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear -the config store before loading the new configuration. 
- -Fixes: https://fedorahosted.org/pki/ticket/2588 -Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19 ---- - base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -index be61892..8666b9c 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -@@ -718,6 +718,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - } - - // no error thrown, so commit updated profile config -+ profile.getConfigStore().clear(); - profile.getConfigStore().load(new ByteArrayInputStream(data)); - ps.disableProfile(profileId); - ps.commitProfile(profileId); --- -1.8.3.1 - - -From da624993c302a81a11f37f984d75c37a467dc5e5 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 6 Apr 2017 16:07:07 +1000 -Subject: [PATCH 38/49] KRA: do not accumulate recovered keys in token - -When using token-based unwrapping of archived keys, the key is being -stored in the token. We do not want to accumulate the keys here; -make them temporary. 
- -Part of: https://pagure.io/dogtagpki/issue/2610 - -Change-Id: Ic12a4db7238512b4fec5d6fdb023b20195c2d438 ---- - base/kra/src/com/netscape/kra/RecoveryService.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index fda5b80..5609b19 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -416,7 +416,7 @@ public class RecoveryService implements IService { - privKey = mStorageUnit.unwrap( - keyRecord.getPrivateKeyData(), - pubkey, -- false, -+ true /* temporary */, - keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); --- -1.8.3.1 - - -From 3cc50b49e2a18344937702bd1b170b9faf738845 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 27 Apr 2017 11:10:36 -0400 -Subject: [PATCH 39/49] Modify the key client to default to 3DES - -When no algorithm OID is provided, we used to default to 3DES. -We need to continue to do this to not break IPA. 
- -Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d ---- - base/common/python/pki/key.py | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py -index e782d54..9313b0e 100644 ---- a/base/common/python/pki/key.py -+++ b/base/common/python/pki/key.py -@@ -514,7 +514,7 @@ class KeyClient(object): - pki.util.read_environment_files() - client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET') - if client_keyset is not None: -- return client_keyset -+ return int(client_keyset) - return 0 - - def get_server_keyset(self): -@@ -795,7 +795,7 @@ class KeyClient(object): - data_type, - encrypted_data, - wrapped_session_key, -- algorithm_oid=None, -+ algorithm_oid=self.encrypt_alg_oid, - nonce_iv=nonce_iv, - key_algorithm=key_algorithm, - key_size=key_size, -@@ -850,8 +850,10 @@ class KeyClient(object): - raise TypeError('Missing wrapped session key') - - if not algorithm_oid: -- algorithm_oid = pki.crypto.AES_128_CBC_OID -- # algorithm_oid = KeyClient.DES_EDE3_CBC_OID -+ # legacy apps like IPA call this directly without -+ # setting the algorithm_oid. 
We need to keep DES -+ # for backward compatibility -+ algorithm_oid = pki.crypto.DES_EDE3_CBC_OID - - if not nonce_iv: - raise TypeError('Missing nonce IV') --- -1.8.3.1 - - -From b93cec621203c6fb970b57ef042636ba2f9efa3d Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 27 Apr 2017 16:01:39 +1000 -Subject: [PATCH 41/49] Add upgrade script that adds KRA wrapping params - -Part of: https://pagure.io/dogtagpki/issue/1408 - -Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1 ---- - base/server/upgrade/10.4.2/02-AddKRAWrappingParams | 78 ++++++++++++++++++++++ - 1 file changed, 78 insertions(+) - create mode 100755 base/server/upgrade/10.4.2/02-AddKRAWrappingParams - -diff --git a/base/server/upgrade/10.4.2/02-AddKRAWrappingParams b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams -new file mode 100755 -index 0000000..c95b844 ---- /dev/null -+++ b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams -@@ -0,0 +1,78 @@ -+#!/usr/bin/python -+# Authors: -+# Fraser Tweedale -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. 
-+ -+from __future__ import absolute_import -+import os.path -+ -+import pki -+from pki.server.upgrade import PKIServerUpgradeScriptlet -+ -+proplist = [ -+ ('kra.storageUnit.wrapping.0.sessionKeyLength', '168'), -+ ('kra.storageUnit.wrapping.0.sessionKeyWrapAlgorithm', 'RSA'), -+ ('kra.storageUnit.wrapping.0.payloadEncryptionPadding', 'PKCS5Padding'), -+ ('kra.storageUnit.wrapping.0.sessionKeyKeyGenAlgorithm', 'DESede'), -+ ('kra.storageUnit.wrapping.0.payloadEncryptionAlgorithm', 'DESede'), -+ ('kra.storageUnit.wrapping.0.payloadEncryptionMode', 'CBC'), -+ ('kra.storageUnit.wrapping.0.payloadEncryptionIV', 'AQEBAQEBAQE='), -+ ('kra.storageUnit.wrapping.0.payloadWrapAlgorithm', 'DES3/CBC/Pad'), -+ ('kra.storageUnit.wrapping.0.payloadWrapIV', 'AQEBAQEBAQE='), -+ ('kra.storageUnit.wrapping.0.sessionKeyType', 'DESede'), -+ ('kra.storageUnit.wrapping.1.sessionKeyLength', '128'), -+ ('kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm', 'RSA'), -+ ('kra.storageUnit.wrapping.1.payloadEncryptionPadding', 'PKCS5Padding'), -+ ('kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm', 'AES'), -+ ('kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm', 'AES'), -+ ('kra.storageUnit.wrapping.1.payloadEncryptionMode', 'CBC'), -+ ('kra.storageUnit.wrapping.1.payloadEncryptionIVLen', '16'), -+ ('kra.storageUnit.wrapping.1.payloadWrapAlgorithm', 'AES KeyWrap/Padding'), -+ ('kra.storageUnit.wrapping.1.sessionKeyType', 'AES'), -+ -+ # this upgrade script adds the config, but uses the legacy -+ # configuration so that behaviour of deployed instance does -+ # not change -+ ('kra.storageUnit.wrapping.choice', '0'), -+] -+ -+ -+class AddKRAWrappingParams(PKIServerUpgradeScriptlet): -+ def __init__(self): -+ super(AddKRAWrappingParams, self).__init__() -+ self.message = 'Add wrapping params to KRA CS.cfg' -+ -+ def upgrade_subsystem(self, instance, subsystem): -+ if subsystem.name == 'kra': -+ self.upgrade_config(instance, subsystem) -+ -+ def upgrade_config(self, instance, subsystem): # 
pylint: disable=W0613 -+ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') -+ self.backup(filename) -+ -+ properties = pki.PropertyFile(filename) -+ properties.read() -+ -+ # if the property exists, leave it alone, otherwise set -+ # it to the value defined above -+ for k, v in proplist: -+ cur = properties.get(k) -+ if cur is None: -+ properties.set(k, v) -+ -+ properties.write() --- -1.8.3.1 - - -From 853220445eb0ce54b6ce241547891605329b7e3e Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 28 Apr 2017 00:29:45 -0400 -Subject: [PATCH 42/49] Fix DES3 using python-cryptography provider - -Incorrect key size lead to errors when the client side -was set to use 3DES. Also deprecate not providing an -encryption algorithm OID explcitly in -archive_encrypted_data() - -Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9 ---- - base/common/python/pki/crypto.py | 7 ++++++- - base/common/python/pki/key.py | 3 +++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py -index 0891acd..7f03846 100644 ---- a/base/common/python/pki/crypto.py -+++ b/base/common/python/pki/crypto.py -@@ -389,9 +389,14 @@ class CryptographyCryptoProvider(CryptoProvider): - self.encrypt_mode = modes.CBC - self.encrypt_size = 128 - elif level == 0: -+ # note that 3DES keys are actually 192 bits long, even -+ # though only 168 bits are used internally. See -+ # https://tools.ietf.org/html/rfc4949 -+ # Using 168 here will cause python-cryptography key verification -+ # checks to fail. 
- self.encrypt_alg = algorithms.TripleDES - self.encrypt_mode = modes.CBC -- self.encrypt_size = 168 -+ self.encrypt_size = 192 - - def generate_nonce_iv(self, mechanism='AES'): - """ Create a random initialization vector """ -diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py -index 9313b0e..d2b8297 100644 ---- a/base/common/python/pki/key.py -+++ b/base/common/python/pki/key.py -@@ -28,6 +28,7 @@ from __future__ import print_function - import base64 - import json - import os -+import warnings - - from six import iteritems - from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 -@@ -853,6 +854,8 @@ class KeyClient(object): - # legacy apps like IPA call this directly without - # setting the algorithm_oid. We need to keep DES - # for backward compatibility -+ warnings.warn("algorithm_oid=None is deprecated", -+ DeprecationWarning) - algorithm_oid = pki.crypto.DES_EDE3_CBC_OID - - if not nonce_iv: --- -1.8.3.1 - - -From d98f20d33378a37898d4d6ffec80b09261504823 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Wed, 26 Apr 2017 15:21:39 -0700 -Subject: [PATCH 43/49] CA in the certificate profiles the startTime parameter - is not working as expected. - -This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects. 
---- - .../src/com/netscape/cms/profile/def/CAValidityDefault.java | 12 ++++++------ - .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java | 4 ++-- - .../netscape/cms/profile/def/RandomizedValidityDefault.java | 2 +- - .../src/com/netscape/cms/profile/def/ValidityDefault.java | 10 +++++----- - 4 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java -index 2df256e..2ecd484 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java -@@ -24,6 +24,11 @@ import java.util.Calendar; - import java.util.Date; - import java.util.Locale; - -+import netscape.security.x509.BasicConstraintsExtension; -+import netscape.security.x509.CertificateValidity; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.X509CertInfo; -+ - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.ca.ICertificateAuthority; -@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException; - import com.netscape.certsrv.property.IDescriptor; - import com.netscape.certsrv.request.IRequest; - --import netscape.security.x509.BasicConstraintsExtension; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.PKIXExtensions; --import netscape.security.x509.X509CertInfo; -- - /** - * This class implements a CA signing cert enrollment default policy - * that populates a server-side configurable validity -@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault { - if (startTimeStr == null || startTimeStr.equals("")) { - startTimeStr = "60"; - } -- int startTime = Integer.parseInt(startTimeStr); -+ long startTime = Long.parseLong(startTimeStr); - - Date notBefore = new Date(CMS.getCurrentDate().getTime() + 
(1000 * startTime)); - CMS.debug("CAValidityDefault: not before: " + notBefore); -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java -index 6532a13..2f05f32 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java -@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault { - if (startTimeStr == null || startTimeStr.equals("")) { - startTimeStr = "60"; - } -- int startTime = Integer.parseInt(startTimeStr); -+ long startTime = Long.parseLong(startTimeStr); - Date notBefore = new Date(CMS.getCurrentDate().getTime() + - (1000 * startTime)); - long notAfterVal = 0; - - notAfterVal = notBefore.getTime() + -- (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION))); -+ (mDefault * Long.parseLong(getConfig(CONFIG_DURATION))); - Date notAfter = new Date(notAfterVal); - - ext = new PrivateKeyUsageExtension(notBefore, notAfter); -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java -index 6308715..ce69c15 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java -@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault { - if (startTimeStr == null || startTimeStr.equals("")) { - startTimeStr = "60"; - } -- int startTime = Integer.parseInt(startTimeStr); -+ long startTime = Long.parseLong(startTimeStr); - - String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS); - if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) { -diff --git 
a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java -index 21ec8ea..a74ccdf 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java -@@ -24,6 +24,10 @@ import java.util.Calendar; - import java.util.Date; - import java.util.Locale; - -+import netscape.security.x509.CertificateValidity; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+ - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.ca.ICertificateAuthority; -@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException; - import com.netscape.certsrv.property.IDescriptor; - import com.netscape.certsrv.request.IRequest; - --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; -- - /** - * This class implements an enrollment default policy - * that populates a server-side configurable validity -@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault { - if (startTimeStr == null || startTimeStr.equals("")) { - startTimeStr = "60"; - } -- int startTime = Integer.parseInt(startTimeStr); -+ long startTime = Long.parseLong(startTimeStr); - - Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); - CMS.debug("ValidityDefault: not before: " + notBefore); --- -1.8.3.1 - - -From 9590944d5726ff32d94c6a2b2909175eae946466 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 28 Apr 2017 17:44:19 -0400 -Subject: [PATCH 44/49] Fix symkey retrieval using NSS python client - -This is tested using Barbican as a client. We are simply -reverting to the same behavior we had before for the -NSS Crypto provider case. 
- -Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce ---- - base/common/python/pki/crypto.py | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py -index 7f03846..edb32c0 100644 ---- a/base/common/python/pki/crypto.py -+++ b/base/common/python/pki/crypto.py -@@ -325,9 +325,17 @@ class NSSCryptoProvider(CryptoProvider): - :param nonce_iv Nonce data - :return: Unwrapped data - -- Return unwrapped data for data wrapped using AES KeyWrap -+ Return unwrapped data for data that has been keywrapped. -+ For NSS, we only support 3DES - so something that has been -+ keywrapped can be decrypted. This is precisely what we used -+ to do before. - """ -- raise NotImplementedError() -+ return self.symmetric_unwrap( -+ data, -+ wrapping_key, -+ mechanism=nss.CKM_DES3_CBC_PAD, -+ nonce_iv=nonce_iv -+ ) - - def get_cert(self, cert_nick): - """ --- -1.8.3.1 - - -From 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 28 Apr 2017 17:55:17 -0700 -Subject: [PATCH 45/49] Ticket #2717 CMC user-signed enrollment request This - patch provides implementation that allows user-signed CMC requests to be - processed; The resulting certificate will bear the same subjectDN as that of - the signing cert; The new uri to access is - /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: - caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: - CMCUserSignedAuth and new profile default plugin: - CMCUserSignedSubjectNameDefault and new profile constraint plugin: - CMCUserSignedSubjectNameConstraint - ---- - base/ca/shared/conf/CS.cfg | 6 +- - base/ca/shared/conf/registry.cfg | 10 +- - .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 83 ++ - base/ca/shared/webapps/ca/WEB-INF/web.xml | 28 + - .../certsrv/authentication/IAuthManager.java | 3 + - .../com/netscape/certsrv/logging/AuditEvent.java | 2 + - 
.../src/com/netscape/cmstools/CRMFPopClient.java | 2 +- - .../cms/authentication/CMCUserSignedAuth.java | 1140 ++++++++++++++++++++ - .../netscape/cms/profile/common/BasicProfile.java | 28 +- - .../netscape/cms/profile/common/EnrollProfile.java | 426 +++++--- - .../CMCUserSignedSubjectNameConstraint.java | 141 +++ - .../def/CMCUserSignedSubjectNameDefault.java | 159 +++ - .../netscape/cms/profile/def/EnrollDefault.java | 5 +- - .../cms/profile/input/CMCCertReqInput.java | 21 +- - .../netscape/cms/profile/input/CertReqInput.java | 36 +- - .../servlet/profile/ProfileSubmitCMCServlet.java | 28 +- - base/server/cmsbundle/src/LogMessages.properties | 1 + - base/server/cmsbundle/src/UserMessages.properties | 2 + - 18 files changed, 1964 insertions(+), 157 deletions(-) - create mode 100644 base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg - create mode 100644 base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java - create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java - create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 3923319..b29802c 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -168,6 +168,7 @@ auths.impl._001=## authentication manager implementations - auths.impl._002=## - auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication - auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth -+auths.impl.CMCUserSignedAuth.class=com.netscape.cms.authentication.CMCUserSignedAuth - auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication - auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication - auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication -@@ -734,6 +735,7 @@ 
ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher - ca.publish.rule.instance.LdapXCertRule.type=xcert - cmc.cert.confirmRequired=false - cmc.lraPopWitness.verify.allow=false -+cmc.popLinkWitnessRequired=false - cmc.revokeCert.verify=true - cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret - cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -@@ -905,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg -index 2855b7a..519d854 100644 ---- a/base/ca/shared/conf/registry.cfg -+++ b/base/ca/shared/conf/registry.cfg -@@ -1,5 +1,5 @@ - types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater --constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl 
-+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl - constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint - constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint - constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint -@@ -36,6 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr - constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint - constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint - constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint -+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint -+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint -+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint - constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint - constraintPolicy.validityConstraintImpl.desc=Validity Constraint - constraintPolicy.validityConstraintImpl.name=Validity Constraint -@@ -48,7 +51,7 @@ constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint - constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint - constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint - 
constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint --defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl 
-+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,cmcUserSignedSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl - defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault - defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default - defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default -@@ -67,6 +70,9 @@ defaultPolicy.authTokenSubjectNameDefaultImpl.name=Token Supplied Subject Name D - defaultPolicy.userSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.UserSubjectNameDefault - defaultPolicy.userSubjectNameDefaultImpl.desc=User Supplied Subject Name Default - defaultPolicy.userSubjectNameDefaultImpl.name=User Supplied Subject Name Default -+defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault -+defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.desc=CMC User Signed Subject 
Name Default -+defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.name=CMC User Signed Subject Name Default - defaultPolicy.userKeyDefaultImpl.class=com.netscape.cms.profile.def.UserKeyDefault - defaultPolicy.userKeyDefaultImpl.desc=User Supplied Key Default - defaultPolicy.userKeyDefaultImpl.name=User Supplied Key Default -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -new file mode 100644 -index 0000000..229a3cd ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -0,0 +1,83 @@ -+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication. -+enable=true -+enableBy=admin -+name=User-Signed CMC-Authenticated User Certificate Enrollment -+visible=false -+auth.instance_id=CMCUserSignedAuth -+input.list=i1,i2 -+input.i1.class_id=cmcCertReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=cmcUserCertSet -+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint -+policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default -+policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint -+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false -+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false -+policyset.cmcUserCertSet.2.constraint.params.range=365 -+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl -+policyset.cmcUserCertSet.2.default.name=Validity Default 
-+policyset.cmcUserCertSet.2.default.params.range=180 -+policyset.cmcUserCertSet.2.default.params.startTime=0 -+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.cmcUserCertSet.3.constraint.name=Key Constraint -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 -+policyset.cmcUserCertSet.3.constraint.params.keyType=- -+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.cmcUserCertSet.3.default.name=Key Default -+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.4.constraint.name=No Constraint -+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default -+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.5.constraint.name=No Constraint -+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.cmcUserCertSet.5.default.name=AIA Extension Default -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false -+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false 
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.cmcUserCertSet.6.default.name=Key Usage Default -+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.7.constraint.name=No Constraint -+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false -+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.cmcUserCertSet.8.constraint.name=No Constraint 
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.cmcUserCertSet.8.default.name=Signing Alg -+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml -index bf8aed4..dc61ab3 100644 ---- a/base/ca/shared/webapps/ca/WEB-INF/web.xml -+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml -@@ -1553,6 +1553,29 @@ - - - -+ caProfileSubmitUserSignedCMCFull -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caFullCMCUserSignedCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitUserSignedCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ - caProfileList - com.netscape.cms.servlet.profile.ProfileListServlet - GetClientCert -@@ -2257,6 +2280,11 @@ - - - -+ caProfileSubmitUserSignedCMCFull -+ /ee/ca/profileSubmitUserSignedCMCFull -+ -+ -+ - caProfileList - /ee/ca/profileList - -diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -index f9eddbc..21639e2 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -@@ -31,6 +31,9 @@ public interface IAuthManager { - /* standard credential for client cert from ssl client auth */ - public static final String CRED_SSL_CLIENT_CERT = "sslClientCert"; - -+ /* standard credential for CMC request signing cert */ -+ public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert"; -+ - /** - * Standard credential for client cert's serial 
number from revocation. - */ -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 72c93f8..7a4aa9b 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -145,6 +145,8 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3"; - public final static String CMC_SIGNED_REQUEST_SIG_VERIFY = - "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; -+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY = -+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5"; - - public final static String COMPUTE_RANDOM_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 0168503..d0e5c27 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -545,7 +545,7 @@ public class CRMFPopClient { - pop = client.createPop(algorithm, signature); - } - -- if (verbose) System.out.println("Creating CRMF requrest"); -+ if (verbose) System.out.println("Creating CRMF request"); - String request = client.createCRMFRequest(certRequest, pop); - - StringWriter sw = new StringWriter(); -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -new file mode 100644 -index 0000000..a72ce58 ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -0,0 +1,1140 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// 
the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2007 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+// package statement // -+/////////////////////// -+ -+package com.netscape.cms.authentication; -+ -+/////////////////////// -+// import statements // -+/////////////////////// -+ -+/* cert server imports */ -+import java.io.ByteArrayInputStream; -+import java.io.ByteArrayOutputStream; -+import java.io.IOException; -+import java.math.BigInteger; -+import java.security.MessageDigest; -+import java.security.PublicKey; -+import java.util.Enumeration; -+import java.util.Hashtable; -+import java.util.Locale; -+import java.util.Vector; -+ -+import org.mozilla.jss.CryptoManager; -+import org.mozilla.jss.CryptoManager.NotInitializedException; -+import org.mozilla.jss.asn1.ASN1Util; -+import org.mozilla.jss.asn1.INTEGER; -+import org.mozilla.jss.asn1.InvalidBERException; -+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; -+import org.mozilla.jss.asn1.OCTET_STRING; -+import org.mozilla.jss.asn1.SEQUENCE; -+import org.mozilla.jss.asn1.SET; -+import org.mozilla.jss.crypto.CryptoToken; -+import org.mozilla.jss.crypto.DigestAlgorithm; -+import org.mozilla.jss.crypto.PrivateKey; -+import org.mozilla.jss.pkcs10.CertificationRequest; -+import org.mozilla.jss.pkcs11.PK11ECPublicKey; -+import org.mozilla.jss.pkcs11.PK11PubKey; -+import org.mozilla.jss.pkix.cert.Certificate; -+import org.mozilla.jss.pkix.cert.CertificateInfo; -+import 
org.mozilla.jss.pkix.cmc.PKIData; -+import org.mozilla.jss.pkix.cmc.TaggedAttribute; -+import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest; -+import org.mozilla.jss.pkix.cmc.TaggedRequest; -+import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; -+import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber; -+import org.mozilla.jss.pkix.cms.SignedData; -+import org.mozilla.jss.pkix.cms.SignerIdentifier; -+import org.mozilla.jss.pkix.crmf.CertReqMsg; -+import org.mozilla.jss.pkix.crmf.CertRequest; -+import org.mozilla.jss.pkix.crmf.CertTemplate; -+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; -+import org.mozilla.jss.pkix.primitive.Name; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.AuthToken; -+import com.netscape.certsrv.authentication.EInvalidCredentials; -+import com.netscape.certsrv.authentication.EMissingCredential; -+import com.netscape.certsrv.authentication.IAuthCredentials; -+import com.netscape.certsrv.authentication.IAuthManager; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.base.IExtendedPluginInfo; -+import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.profile.EProfileException; -+import com.netscape.certsrv.profile.IProfile; -+import com.netscape.certsrv.profile.IProfileAuthenticator; -+import com.netscape.certsrv.property.Descriptor; -+import com.netscape.certsrv.property.IDescriptor; -+import com.netscape.certsrv.request.IRequest; -+import com.netscape.cmsutil.crypto.CryptoUtil; -+import com.netscape.cmsutil.util.Utils; -+ -+import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+import netscape.security.x509.X509Key; 
-+ -+//import com.netscape.cmscore.util.*; -+////////////////////// -+// class definition // -+////////////////////// -+ -+/** -+ * User Signed CMC authentication plug-in -+ * note: -+ * - this version differs from CMCAuth in that it allows non-agent users -+ * to sign own cmc requests; It is expected to be used with -+ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint -+ * so that the resulting cert will bear the same subjectDN of that of the CMC -+ * signing cert -+ * - it originates from CMCAuth with modification for user-signed cmc -+ * @author cfu - user signed cmc authentication -+ *

    -+ * -+ * @version $Revision$, $Date$ -+ */ -+public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, -+ IProfileAuthenticator { -+ -+ //////////////////////// -+ // default parameters // -+ //////////////////////// -+ -+ ///////////////////////////// -+ // IAuthManager parameters // -+ ///////////////////////////// -+ -+ /* authentication plug-in configuration store */ -+ private IConfigStore mConfig; -+ private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; -+ private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; -+ public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; -+ public static final String REASON_CODE = "reasonCode"; -+ /* authentication plug-in name */ -+ private String mImplName = null; -+ -+ /* authentication plug-in instance name */ -+ private String mName = null; -+ -+ /* authentication plug-in fields */ -+ -+ /* Holds authentication plug-in fields accepted by this implementation. -+ * This list is passed to the configuration console so configuration -+ * for instances of this implementation can be configured through the -+ * console. -+ */ -+ protected static String[] mConfigParams = -+ new String[] {}; -+ -+ /* authentication plug-in values */ -+ -+ /* authentication plug-in properties */ -+ -+ /* required credentials to authenticate. UID and CMC are strings. 
*/ -+ public static final String CRED_CMC = "cmcRequest"; -+ -+ protected static String[] mRequiredCreds = {}; -+ -+ //////////////////////////////////// -+ // IExtendedPluginInfo parameters // -+ //////////////////////////////////// -+ -+ /* Vector of extendedPluginInfo strings */ -+ protected static Vector mExtendedPluginInfo = null; -+ //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr"; -+ //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin"; -+ -+ /* actual help messages */ -+ static { -+ mExtendedPluginInfo = new Vector(); -+ -+ mExtendedPluginInfo -+ .add(IExtendedPluginInfo.HELP_TEXT + -+ ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); -+ mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + -+ ";configuration-authentication"); -+ } -+ -+ /////////////////////// -+ // Logger parameters // -+ /////////////////////// -+ -+ /* the system's logger */ -+ private ILogger mLogger = CMS.getLogger(); -+ -+ /* signed audit parameters */ -+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -+ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = -+ "enrollment"; -+ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = -+ "revocation"; -+ -+ ///////////////////// -+ // default methods // -+ ///////////////////// -+ -+ /** -+ * Default constructor, initialization must follow. -+ */ -+ public CMCUserSignedAuth() { -+ } -+ -+ ////////////////////////// -+ // IAuthManager methods // -+ ////////////////////////// -+ -+ /** -+ * Initializes the CMCUserSignedAuth authentication plug-in. -+ *

    -+ * -+ * @param name The name for this authentication plug-in instance. -+ * @param implName The name of the authentication plug-in. -+ * @param config - The configuration store for this instance. -+ * @exception EBaseException If an error occurs during initialization. -+ */ -+ public void init(String name, String implName, IConfigStore config) -+ throws EBaseException { -+ mName = name; -+ mImplName = implName; -+ mConfig = config; -+ -+ log(ILogger.LL_INFO, "Initialization complete!"); -+ } -+ -+ /** -+ * Authenticates user by their CMC; -+ * resulting AuthToken sets a TOKEN_SUBJECT for the subject name. -+ *

    -+ * -+ *

      -+ *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert -+ * requests or revocation requests are submitted and signature is verified -+ *
    -+ * -+ * @param authCred Authentication credentials, CRED_UID and CRED_CMC. -+ * @return an AuthToken -+ * @exception com.netscape.certsrv.authentication.EMissingCredential -+ * If a required authentication credential is missing. -+ * @exception com.netscape.certsrv.authentication.EInvalidCredentials -+ * If credentials failed authentication. -+ * @exception com.netscape.certsrv.base.EBaseException -+ * If an internal error occurred. -+ * @see com.netscape.certsrv.authentication.AuthToken -+ */ -+ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, -+ EBaseException { -+ String method = "CMCUserSignedAuth: authenticate: "; -+ CMS.debug(method + "begins"); -+ -+ String auditMessage = null; -+ String auditSubjectID = auditSubjectID(); -+ String auditReqType = ILogger.UNIDENTIFIED; -+ String auditCertSubject = ILogger.UNIDENTIFIED; -+ String auditSignerInfo = ILogger.UNIDENTIFIED; -+ -+ // ensure that any low-level exceptions are reported -+ // to the signed audit log and stored as failures -+ try { -+ // get the CMC. -+ -+ Object argblock = authCred.getArgBlock(); -+ Object returnVal = null; -+ if (argblock == null) { -+ returnVal = authCred.get("cert_request"); -+ if (returnVal == null) -+ returnVal = authCred.get(CRED_CMC); -+ } else { -+ returnVal = authCred.get("cert_request"); -+ if (returnVal == null) -+ returnVal = authCred.getArgBlock().get(CRED_CMC); -+ } -+ String cmc = (String) returnVal; -+ if (cmc == null) { -+ CMS.debug(method + " Authentication failed. 
Missing CMC."); -+ -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ throw new EMissingCredential(CMS.getUserMessage( -+ "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); -+ } -+ -+ if (cmc.equals("")) { -+ log(ILogger.LL_FAILURE, -+ "cmc : attempted login with empty CMC."); -+ -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ throw new EInvalidCredentials(CMS.getUserMessage( -+ "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } -+ -+ // authenticate by checking CMC. -+ -+ // everything OK. -+ // now formulate the certificate info. -+ // set the subject name at a minimum. -+ // set anything else like version, extensions, etc. -+ // if nothing except subject name is set the rest of -+ // cert info will be filled in by policies and CA defaults. 
-+ -+ AuthToken authToken = new AuthToken(this); -+ -+ try { -+ String asciiBASE64Blob; -+ -+ int startIndex = cmc.indexOf(HEADER); -+ int endIndex = cmc.indexOf(TRAILER); -+ if (startIndex != -1 && endIndex != -1) { -+ startIndex = startIndex + HEADER.length(); -+ asciiBASE64Blob = cmc.substring(startIndex, endIndex); -+ } else -+ asciiBASE64Blob = cmc; -+ -+ byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); -+ ByteArrayInputStream cmcBlobIn = new -+ ByteArrayInputStream(cmcBlob); -+ -+ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = -+ (org.mozilla.jss.pkix.cms.ContentInfo) -+ org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( -+ cmcBlobIn); -+ -+ if (!cmcReq.getContentType().equals( -+ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || -+ !cmcReq.hasContent()) { -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); -+ -+ throw new EBaseException("NO_CMC_CONTENT"); -+ } -+ -+ SignedData cmcFullReq = (SignedData) -+ cmcReq.getInterpretedContent(); -+ -+ IConfigStore cmc_config = CMS.getConfigStore(); -+ boolean checkSignerInfo = -+ cmc_config.getBoolean("cmc.signerInfo.verify", true); -+ String userid = "defUser"; -+ String uid = "defUser"; -+ if (checkSignerInfo) { -+ IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq); -+ if (userToken == null) { -+ CMS.debug(method + " authenticate() userToken null"); -+ throw new EBaseException(method + " verifySignerInfo failure"); -+ } -+ userid = userToken.getInString("userid"); -+ uid = userToken.getInString("cn"); -+ } else { -+ CMS.debug(method + " authenticate() signerInfo verification bypassed"); -+ } -+ // reset value of auditSignerInfo -+ if (uid != null) { -+ auditSignerInfo = uid.trim(); -+ } -+ -+ EncapsulatedContentInfo ci = 
cmcFullReq.getContentInfo(); -+ -+ OBJECT_IDENTIFIER id = ci.getContentType(); -+ -+ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || -+ !ci.hasContent()) { -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ // throw new ECMSGWException( -+ // CMSGWResources.NO_PKIDATA); -+ -+ throw new EBaseException("NO_PKIDATA"); -+ } -+ -+ OCTET_STRING content = ci.getContent(); -+ -+ ByteArrayInputStream s = new -+ ByteArrayInputStream(content.toByteArray()); -+ PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); -+ -+ SEQUENCE reqSequence = pkiData.getReqSequence(); -+ -+ int numReqs = reqSequence.size(); -+ -+ if (numReqs == 0) { -+ CMS.debug(method + "numReqs 0, assume revocation request"); -+ // revocation request -+ -+ // reset value of auditReqType -+ auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; -+ -+ SEQUENCE controlSequence = pkiData.getControlSequence(); -+ int controlSize = controlSequence.size(); -+ -+ if (controlSize > 0) { -+ for (int i = 0; i < controlSize; i++) { -+ TaggedAttribute taggedAttribute = -+ (TaggedAttribute) controlSequence.elementAt(i); -+ OBJECT_IDENTIFIER type = taggedAttribute.getType(); -+ -+ if (type.equals( -+ OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { -+/* TODO: user-signed revocation to be handled in next ticket -+ // if( i ==1 ) { -+ // taggedAttribute.getType() == -+ // OBJECT_IDENTIFIER.id_cmc_revokeRequest -+ // } -+ -+ SET values = taggedAttribute.getValues(); -+ int numVals = values.size(); -+ BigInteger[] bigIntArray = null; -+ -+ bigIntArray = new BigInteger[numVals]; -+ for (int j = 0; j < numVals; j++) { -+ // serialNumber INTEGER -+ -+ // SEQUENCE RevRequest = (SEQUENCE) -+ // values.elementAt(j); -+ byte[] encoded = ASN1Util.encode( -+ values.elementAt(j)); -+ org.mozilla.jss.asn1.ASN1Template 
template = new -+ org.mozilla.jss.pkix.cmmf.RevRequest.Template(); -+ org.mozilla.jss.pkix.cmmf.RevRequest revRequest = -+ (org.mozilla.jss.pkix.cmmf.RevRequest) -+ ASN1Util.decode(template, encoded); -+ -+ // SEQUENCE RevRequest = (SEQUENCE) -+ // ASN1Util.decode( -+ // SEQUENCE.getTemplate(), -+ // ASN1Util.encode( -+ // values.elementAt(j))); -+ -+ // SEQUENCE RevRequest = -+ // values.elementAt(j); -+ // int revReqSize = RevRequest.size(); -+ // if( revReqSize > 3 ) { -+ // INTEGER serialNumber = -+ // new INTEGER((long)0); -+ // } -+ -+ INTEGER temp = revRequest.getSerialNumber(); -+ -+ bigIntArray[j] = temp; -+ authToken.set(TOKEN_CERT_SERIAL, bigIntArray); -+ -+ long reasonCode = revRequest.getReason().getValue(); -+ Integer IntObject = Integer.valueOf((int) reasonCode); -+ authToken.set(REASON_CODE, IntObject); -+ -+ authToken.set("uid", uid); -+ authToken.set("userid", userid); -+ } -+*/ -+ } -+ } -+ -+ } -+ } else { -+ CMS.debug(method + "numReqs not 0, assume enrollment request"); -+ // enrollment request -+ -+ // reset value of auditReqType -+ auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; -+ -+ X509CertInfo[] certInfoArray = new X509CertInfo[numReqs]; -+ String[] reqIdArray = new String[numReqs]; -+ -+ for (int i = 0; i < numReqs; i++) { -+ // decode message. 
-+ TaggedRequest taggedRequest = -+ (TaggedRequest) reqSequence.elementAt(i); -+ -+ TaggedRequest.Type type = taggedRequest.getType(); -+ -+ if (type.equals(TaggedRequest.PKCS10)) { -+ CMS.debug(method + " type is PKCS10"); -+ authToken.set("cert_request_type", "cmc-pkcs10"); -+ -+ TaggedCertificationRequest tcr = -+ taggedRequest.getTcr(); -+ int p10Id = tcr.getBodyPartID().intValue(); -+ -+ reqIdArray[i] = String.valueOf(p10Id); -+ -+ CertificationRequest p10 = -+ tcr.getCertificationRequest(); -+ -+ // transfer to sun class -+ ByteArrayOutputStream ostream = -+ new ByteArrayOutputStream(); -+ -+ p10.encode(ostream); -+ boolean sigver = true; -+ boolean tokenSwitched = false; -+ CryptoManager cm = null; -+ CryptoToken signToken = null; -+ CryptoToken savedToken = null; -+ -+ // for PKCS10, "sigver" would offer the POP -+ sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); -+ try { -+ cm = CryptoManager.getInstance(); -+ if (sigver == true) { -+ String tokenName = -+ CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); -+ savedToken = cm.getThreadToken(); -+ signToken = CryptoUtil.getCryptoToken(tokenName); -+ if (!savedToken.getName().equals(signToken.getName())) { -+ cm.setThreadToken(signToken); -+ tokenSwitched = true; -+ } -+ } -+ -+ PKCS10 pkcs10 = -+ new PKCS10(ostream.toByteArray(), sigver); -+ -+ // xxx do we need to do anything else? 
-+ X509CertInfo certInfo = -+ CMS.getDefaultX509CertInfo(); -+ -+ // fillPKCS10(certInfo,pkcs10,authToken,null); -+ -+ // authToken.set( -+ // pkcs10.getSubjectPublicKeyInfo()); -+ -+ X500Name tempName = pkcs10.getSubjectName(); -+ -+ // reset value of auditCertSubject -+ if (tempName != null) { -+ auditCertSubject = -+ tempName.toString().trim(); -+ if (auditCertSubject.equals("")) { -+ auditCertSubject = -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, -+ tempName.toString()); -+ } -+ -+ authToken.set("uid", uid); -+ authToken.set("userid", userid); -+ -+ certInfoArray[i] = certInfo; -+ } catch (Exception e) { -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ //throw new ECMSGWException( -+ //CMSGWResources.ERROR_PKCS101, e.toString()); -+ -+ e.printStackTrace(); -+ throw new EBaseException(e.toString()); -+ } finally { -+ if ((sigver == true) && (tokenSwitched == true)){ -+ cm.setThreadToken(savedToken); -+ } -+ } -+ } else if (type.equals(TaggedRequest.CRMF)) { -+ -+ CMS.debug(method + " type is CRMF"); -+ authToken.set("cert_request_type", "cmc-crmf"); -+ try { -+ CertReqMsg crm = -+ taggedRequest.getCrm(); -+ CertRequest certReq = crm.getCertReq(); -+ INTEGER reqID = certReq.getCertReqId(); -+ reqIdArray[i] = reqID.toString(); -+ CertTemplate template = certReq.getCertTemplate(); -+ Name name = template.getSubject(); -+ -+ // xxx do we need to do anything else? 
-+ X509CertInfo certInfo = -+ CMS.getDefaultX509CertInfo(); -+ -+ // reset value of auditCertSubject -+ if (name != null) { -+ String ss = name.getRFC1485(); -+ -+ auditCertSubject = ss; -+ if (auditCertSubject.equals("")) { -+ auditCertSubject = -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ -+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); -+ authToken.set("uid", uid); -+ authToken.set("userid", userid); -+ } -+ certInfoArray[i] = certInfo; -+ } catch (Exception e) { -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ //throw new ECMSGWException( -+ //CMSGWResources.ERROR_PKCS101, e.toString()); -+ -+ e.printStackTrace(); -+ throw new EBaseException(e.toString()); -+ } -+ } -+ -+ // authToken.set(AgentAuthentication.CRED_CERT, new -+ // com.netscape.certsrv.usrgrp.Certificates( -+ // x509Certs)); -+ } -+ } -+ } catch (Exception e) { -+ CMS.debug(method + e); -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ //Debug.printStackTrace(e); -+ throw new EInvalidCredentials(CMS.getUserMessage( -+ "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } -+ -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ CMS.debug(method + "ends successfully; returning authToken"); -+ return authToken; -+ } catch (EMissingCredential eAudit1) { -+ CMS.debug(method + eAudit1); -+ // store a message in the signed audit log file -+ auditMessage = 
CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ // rethrow the specific exception to be handled later -+ throw eAudit1; -+ } catch (EInvalidCredentials eAudit2) { -+ CMS.debug(method + eAudit2); -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ // rethrow the specific exception to be handled later -+ throw eAudit2; -+ } catch (EBaseException eAudit3) { -+ CMS.debug(method + eAudit3); -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ -+ // rethrow the specific exception to be handled later -+ throw eAudit3; -+ } -+ } -+ -+ /** -+ * Returns a list of configuration parameter names. -+ * The list is passed to the configuration console so instances of -+ * this implementation can be configured through the console. -+ *

    -+ * -+ * @return String array of configuration parameter names. -+ */ -+ public String[] getConfigParams() { -+ return (mConfigParams); -+ } -+ -+ /** -+ * gets the configuration substore used by this authentication -+ * plug-in -+ *

    -+ * -+ * @return configuration store -+ */ -+ public IConfigStore getConfigStore() { -+ return mConfig; -+ } -+ -+ /** -+ * gets the plug-in name of this authentication plug-in. -+ */ -+ public String getImplName() { -+ return mImplName; -+ } -+ -+ /** -+ * gets the name of this authentication plug-in instance -+ */ -+ public String getName() { -+ return mName; -+ } -+ -+ /** -+ * get the list of required credentials. -+ *

    -+ * -+ * @return list of required credentials as strings. -+ */ -+ public String[] getRequiredCreds() { -+ return (mRequiredCreds); -+ } -+ -+ /** -+ * prepares for shutdown. -+ */ -+ public void shutdown() { -+ } -+ -+ ///////////////////////////////// -+ // IExtendedPluginInfo methods // -+ ///////////////////////////////// -+ -+ /** -+ * Activate the help system. -+ *

    -+ * -+ * @return help messages -+ */ -+ public String[] getExtendedPluginInfo() { -+ String method = "CMCUserSignedAuth: getExtendedPluginInfo: "; -+ CMS.debug(method + " begins"); -+ String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo); -+ -+ CMS.debug(method + " s.length = " + s.length); -+ for (int i = 0; i < s.length; i++) { -+ CMS.debug("" + i + " " + s[i]); -+ } -+ return s; -+ } -+ -+ //////////////////// -+ // Logger methods // -+ //////////////////// -+ -+ /** -+ * Logs a message for this class in the system log file. -+ *

    -+ * -+ * @param level The log level. -+ * @param msg The message to log. -+ * @see com.netscape.certsrv.logging.ILogger -+ */ -+ protected void log(int level, String msg) { -+ if (mLogger == null) -+ return; -+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, -+ level, "CMC User Signed Authentication: " + msg); -+ } -+ -+ protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { -+ String method = "CMCUserSignedAuth: verifySignerInfo: "; -+ CMS.debug(method + "begins"); -+ -+ EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -+ OBJECT_IDENTIFIER id = ci.getContentType(); -+ OCTET_STRING content = ci.getContent(); -+ -+ boolean tokenSwitched = false; -+ CryptoToken signToken = null; -+ CryptoToken savedToken = null; -+ CryptoManager cm = null; -+ try { -+ cm = CryptoManager.getInstance(); -+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); -+ PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); -+ -+ SET dais = cmcFullReq.getDigestAlgorithmIdentifiers(); -+ int numDig = dais.size(); -+ Hashtable digs = new Hashtable(); -+ -+ //if request key is used for signing, there MUST be only one signerInfo -+ //object in the signedData object. 
-+ for (int i = 0; i < numDig; i++) { -+ AlgorithmIdentifier dai = -+ (AlgorithmIdentifier) dais.elementAt(i); -+ String name = -+ DigestAlgorithm.fromOID(dai.getOID()).toString(); -+ -+ MessageDigest md = -+ MessageDigest.getInstance(name); -+ -+ byte[] digest = md.digest(content.toByteArray()); -+ -+ digs.put(name, digest); -+ } -+ -+ SET sis = cmcFullReq.getSignerInfos(); -+ int numSis = sis.size(); -+ -+ for (int i = 0; i < numSis; i++) { -+ org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i); -+ -+ String name = si.getDigestAlgorithm().toString(); -+ byte[] digest = digs.get(name); -+ -+ if (digest == null) { -+ MessageDigest md = MessageDigest.getInstance(name); -+ ByteArrayOutputStream ostream = new ByteArrayOutputStream(); -+ -+ pkiData.encode(ostream); -+ digest = md.digest(ostream.toByteArray()); -+ -+ } -+ // signed by previously certified signature key -+ SignerIdentifier sid = si.getSignerIdentifier(); -+ // TODO: need to handle signing key being the matching key from -+ // the request -+ if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) { -+ IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber(); -+ // find from the certs in the signedData -+ java.security.cert.X509Certificate cert = null; -+ -+ if (cmcFullReq.hasCertificates()) { -+ SET certs = cmcFullReq.getCertificates(); -+ int numCerts = certs.size(); -+ java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1]; -+ byte[] certByteArray = new byte[0]; -+ for (int j = 0; j < numCerts; j++) { -+ Certificate certJss = (Certificate) certs.elementAt(j); -+ CertificateInfo certI = certJss.getInfo(); -+ Name issuer = certI.getIssuer(); -+ -+ byte[] issuerB = ASN1Util.encode(issuer); -+CMS.debug(method + "issuer = " + new String(issuerB)); -+ INTEGER sn = certI.getSerialNumber(); -+ // if this cert is the signer cert, not a cert in the chain -+ if (new String(issuerB).equals(new String( -+ 
ASN1Util.encode(issuerAndSerialNumber.getIssuer()))) -+ && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) { -+ ByteArrayOutputStream os = new -+ ByteArrayOutputStream(); -+ -+ certJss.encode(os); -+ certByteArray = os.toByteArray(); -+ -+ X509CertImpl tempcert = new X509CertImpl(os.toByteArray()); -+ -+ cert = tempcert; -+ x509Certs[0] = cert; -+ // xxx validate the cert length -+ -+ } -+ } -+ CMS.debug(method + "start checking signature"); -+ if (cert == null) { -+ // find from certDB -+ CMS.debug(method + "verifying signature"); -+ si.verify(digest, id); -+ } else { -+ CMS.debug(method + "found signing cert... verifying"); -+ PublicKey signKey = cert.getPublicKey(); -+ PrivateKey.Type keyType = null; -+ String alg = signKey.getAlgorithm(); -+ -+ PK11PubKey pubK = null; -+ if (alg.equals("RSA")) { -+ CMS.debug(method + "signing key alg=RSA"); -+ keyType = PrivateKey.RSA; -+ pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); -+ } else if (alg.equals("EC")) { -+ CMS.debug(method + "signing key alg=EC"); -+ keyType = PrivateKey.EC; -+ byte publicKeyData[] = ((X509Key) signKey).getEncoded(); -+ pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); -+ } else { -+ CMS.debug(method + "unsupported signature algorithm: " + alg); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } -+ -+ String tokenName = -+ CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); -+ // by default JSS will use internal crypto token -+ if (!CryptoUtil.isInternalToken(tokenName)) { -+ savedToken = cm.getThreadToken(); -+ signToken = CryptoUtil.getCryptoToken(tokenName); -+ if(signToken != null) { -+ cm.setThreadToken(signToken); -+ tokenSwitched = true; -+ CMS.debug(method + "verifySignerInfo token switched:"+ tokenName); -+ } else { -+ CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal"); -+ } -+ } -+ -+ CMS.debug(method + 
"verifying signature with public key"); -+ si.verify(digest, id, pubK); -+ } -+ CMS.debug(method + "finished checking signature"); -+ // verify signer's certificate using the revocator -+ if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { -+ CMS.debug(method + "CMC signature failed to be verified"); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } else { -+ CMS.debug(method + "CMC signature verified; but signer not yet;"); -+ } -+ // At this point, the signature has been verified; -+ -+ IAuthToken tempToken = new AuthToken(null); -+ netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); -+ String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); -+ CMS.debug(method + " Principal name = " + CN); -+ -+ BigInteger certSerial = x509Certs[0].getSerialNumber(); -+ CMS.debug(method + " verified cert serial=" + certSerial.toString()); -+ authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); -+ tempToken.set("cn", CN); -+ -+ return tempToken; -+ -+ } -+ -+ } else { -+ CMS.debug(method + "unsupported SignerIdentifier type"); -+ } -+ } -+ } catch (InvalidBERException e) { -+ CMS.debug(method + e.toString()); -+ } catch (IOException e) { -+ CMS.debug(method + e.toString()); -+ } catch (NotInitializedException e) { -+ CMS.debug(method + e.toString()); -+ } catch (Exception e) { -+ CMS.debug(method + e.toString()); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } finally { -+ if ((tokenSwitched == true) && (savedToken != null)){ -+ cm.setThreadToken(savedToken); -+ CMS.debug(method + "verifySignerInfo token restored"); -+ } -+ } -+ return null; -+ -+ } -+ -+ public String[] getExtendedPluginInfo(Locale locale) { -+ return null; -+ } -+ -+ // Profile-related methods -+ -+ public void init(IProfile profile, IConfigStore config) -+ throws EProfileException { -+ } -+ -+ /** -+ * Retrieves 
the localizable name of this policy. -+ */ -+ public String getName(Locale locale) { -+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME"); -+ } -+ -+ /** -+ * Retrieves the localizable description of this policy. -+ */ -+ public String getText(Locale locale) { -+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT"); -+ } -+ -+ /** -+ * Retrieves a list of names of the value parameter. -+ */ -+ public Enumeration getValueNames() { -+ Vector v = new Vector(); -+ v.addElement("cert_request"); -+ return v.elements(); -+ } -+ -+ public boolean isValueWriteable(String name) { -+ return false; -+ } -+ -+ /** -+ * Retrieves the descriptor of the given value -+ * parameter by name. -+ */ -+ public IDescriptor getValueDescriptor(Locale locale, String name) { -+ if (name.equals(CRED_CMC)) { -+ return new Descriptor(IDescriptor.STRING_LIST, null, null, -+ "CMC request"); -+ } -+ return null; -+ } -+ -+ public void populate(IAuthToken token, IRequest request) -+ throws EProfileException { -+ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, -+ token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); -+ } -+ -+ public boolean isSSLClientRequired() { -+ return false; -+ } -+ -+ /** -+ * Signed Audit Log -+ * -+ * This method is called to store messages to the signed audit log. -+ *

    -+ * -+ * @param msg signed audit log message -+ */ -+ private void audit(String msg) { -+ // in this case, do NOT strip preceding/trailing whitespace -+ // from passed-in String parameters -+ -+ if (mSignedAuditLogger == null) { -+ return; -+ } -+ -+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, -+ null, -+ ILogger.S_SIGNED_AUDIT, -+ ILogger.LL_SECURITY, -+ msg); -+ } -+ -+ protected void audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ audit(message); -+ } -+ -+ /** -+ * Signed Audit Log Subject ID -+ * -+ * This method is called to obtain the "SubjectID" for -+ * a signed audit log message. -+ *

    -+ * -+ * @return id string containing the signed audit log message SubjectID -+ */ -+ private String auditSubjectID() { -+ // if no signed audit object exists, bail -+ if (mSignedAuditLogger == null) { -+ return null; -+ } -+ -+ String subjectID = null; -+ -+ // Initialize subjectID -+ SessionContext auditContext = SessionContext.getExistingContext(); -+ -+ if (auditContext != null) { -+ subjectID = (String) -+ auditContext.get(SessionContext.USER_ID); -+ -+ if (subjectID != null) { -+ subjectID = subjectID.trim(); -+ } else { -+ subjectID = ILogger.NONROLEUSER; -+ } -+ } else { -+ subjectID = ILogger.UNIDENTIFIED; -+ } -+ -+ return subjectID; -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -index e6fc045..e47c722 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java -@@ -783,6 +783,8 @@ public abstract class BasicProfile implements IProfile { - boolean createConfig) - throws EProfileException { - -+ String method = "BasicProfile: createProfilePolicy: "; -+ CMS.debug(method + "begins"); - // String setId ex: policyset.set1 - // String id Id of policy : examples: p1,p2,p3 - // String defaultClassId : id of the default plugin ex: validityDefaultImpl -@@ -911,19 +913,18 @@ public abstract class BasicProfile implements IProfile { - } - } - } -- - String defaultRoot = id + "." + PROP_DEFAULT; - String constraintRoot = id + "." 
+ PROP_CONSTRAINT; - IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy", - defaultClassId); - - if (defInfo == null) { -- CMS.debug("BasicProfile: Cannot find " + defaultClassId); -+ CMS.debug(method + " Cannot find " + defaultClassId); - throw new EProfileException("Cannot find " + defaultClassId); - } - String defaultClass = defInfo.getClassName(); - -- CMS.debug("BasicProfile: loading default class " + defaultClass); -+ CMS.debug(method + " loading default class " + defaultClass); - IPolicyDefault def = null; - - try { -@@ -931,7 +932,7 @@ public abstract class BasicProfile implements IProfile { - Class.forName(defaultClass).newInstance(); - } catch (Exception e) { - // throw Exception -- CMS.debug("BasicProfile: default policy " + -+ CMS.debug(method + " default policy " + - defaultClass + " " + e.toString()); - } - if (def == null) { -@@ -941,24 +942,30 @@ public abstract class BasicProfile implements IProfile { - - defStore = policyStore.getSubStore(defaultRoot); - def.init(this, defStore); -+ CMS.debug(method + " default class initialized."); - } - - IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy", - constraintClassId); -+ if (conInfo == null) { -+ CMS.debug(method + " Cannot find " + constraintClassId); -+ throw new EProfileException("Cannot find " + constraintClassId); -+ } - String constraintClass = conInfo.getClassName(); -- IPolicyConstraint constraint = null; - -+ CMS.debug(method + " loading constraint class " + constraintClass); -+ IPolicyConstraint constraint = null; - try { - constraint = (IPolicyConstraint) - Class.forName(constraintClass).newInstance(); - } catch (Exception e) { - // throw Exception -- CMS.debug("BasicProfile: constraint policy " + -+ CMS.debug(method + " constraint policy " + - constraintClass + " " + e.toString()); - } - ProfilePolicy policy = null; - if (constraint == null) { -- CMS.debug("BasicProfile: failed to create " + constraintClass); -+ CMS.debug(method + " failed to create " + 
constraintClass); - } else { - IConfigStore conStore = null; - -@@ -966,9 +973,11 @@ public abstract class BasicProfile implements IProfile { - constraint.init(this, conStore); - policy = new ProfilePolicy(id, def, constraint); - policies.addElement(policy); -+ CMS.debug(method + " constraint class initialized."); - } - - if (createConfig) { -+ CMS.debug(method + " createConfig true; creating..."); - String list = null; - - try { -@@ -996,8 +1005,10 @@ public abstract class BasicProfile implements IProfile { - CMS.debug("BasicProfile: commiting config store " + - e.toString()); - } -+ CMS.debug(method + " config created."); - } - -+ CMS.debug(method + "ends"); - return policy; - } - -@@ -1091,9 +1102,10 @@ public abstract class BasicProfile implements IProfile { - */ - public void populate(IRequest request) - throws EProfileException { -+ String method = "BasicProfile: populate: "; - String setId = getPolicySetId(request); - Vector policies = getPolicies(setId); -- CMS.debug("BasicProfile: populate() policy setid =" + setId); -+ CMS.debug(method + "policy setid =" + setId); - - for (int i = 0; i < policies.size(); i++) { - IProfilePolicy policy = policies.elementAt(i); -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 1c44e2c..57f07d1 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -71,6 +71,7 @@ import org.mozilla.jss.pkix.primitive.Name; - import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; - - import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthManager; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.authority.IAuthority; -@@ -110,6 +111,7 @@ import netscape.security.x509.CertificateX509Key; - 
import netscape.security.x509.Extension; - import netscape.security.x509.Extensions; - import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertImpl; - import netscape.security.x509.X509CertInfo; - import netscape.security.x509.X509Key; - -@@ -144,7 +146,8 @@ public abstract class EnrollProfile extends BasicProfile - */ - public IRequest[] createRequests(IProfileContext ctx, Locale locale) - throws EProfileException { -- String method = "EnrollProfile: createRequests"; -+ -+ String method = "EnrollProfile: createRequests: "; - CMS.debug(method + "begins"); - - // determine how many requests should be created -@@ -171,13 +174,20 @@ public abstract class EnrollProfile extends BasicProfile - } - TaggedRequest[] cmc_msgs = null; - if (cert_request_type != null && cert_request_type.startsWith("cmc")) { -- /* -- * TODO: cfu: Phase 2: check if CMCAuth pre-signed request passed. -- * if not, identityProofV2 and/or identification controls -- * are required; -- */ -+ -+ // donePOI true means Proof-Of-Identity is already done. 
-+ // if the auth manager is the CMCUserSignedAuth, then -+ // the new cert will eventually have the same subject as the -+ // user signing cert -+ // if the auth manager is the CMCAuth (agent pre-approved), -+ // then no changes -+ boolean donePOI = false; -+ String signingUserSerial = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (signingUserSerial != null) { -+ donePOI = true; -+ } - // catch for invalid request -- cmc_msgs = parseCMC(locale, cert_request); -+ cmc_msgs = parseCMC(locale, cert_request, donePOI); - if (cmc_msgs == null) { - CMS.debug(method + "parseCMC returns cmc_msgs null"); - return null; -@@ -209,7 +219,7 @@ public abstract class EnrollProfile extends BasicProfile - } else { - result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i)); - if ((cmc_msgs != null) && (cmc_msgs[i] != null)) { -- CMS.debug("EnrollProfile: createRequests: setting cmc TaggedRequest in request"); -+ CMS.debug(method + "setting cmc TaggedRequest in request"); - result[i].setExtData( - CTX_CERT_REQUEST, - ASN1Util.encode(cmc_msgs[i])); -@@ -221,9 +231,6 @@ public abstract class EnrollProfile extends BasicProfile - - // set requested CA - result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); -- -- // set user data -- result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA)); - } - return result; - } -@@ -300,7 +307,7 @@ public abstract class EnrollProfile extends BasicProfile - req.setExtData(REQUEST_EXTENSIONS, - new CertificateExtensions()); - -- CMS.debug("EnrollProfile: createRequest " + -+ CMS.debug("EnrollProfile: createEnrollmentRequest " + - req.getRequestId()); - } catch (EBaseException e) { - // raise exception? 
-@@ -469,6 +476,7 @@ public abstract class EnrollProfile extends BasicProfile - - IRequestQueue queue = getRequestQueue(); - String msg = ""; -+ CMS.debug(method + "begins"); - - boolean popChallengeRequired = - request.getExtDataInBoolean("cmc_POPchallengeRequired", false); -@@ -485,7 +493,7 @@ public abstract class EnrollProfile extends BasicProfile - } - - if (token == null){ -- CMS.debug(method + " auth token is null"); -+ CMS.debug(method + " auth token is null; agent manual approval required;"); - CMS.debug(method + " validating request"); - validate(request); - try { -@@ -500,6 +508,7 @@ public abstract class EnrollProfile extends BasicProfile - // this is encryptedPOP case; defer to require decryptedPOP - CMS.debug(method + " popChallengeRequired, defer to enforce decryptedPOP"); - validate(request); -+ - CMS.debug(method + " about to call setPOPchallenge"); - try { - setPOPchallenge(request); -@@ -521,40 +530,38 @@ public abstract class EnrollProfile extends BasicProfile - } - } - -- /* -- * parseCMC -- * @throws EProfileException in case of error -- * note: returing "null" doesn't mean failure -+ /** -+ * getPKIDataFromCMCblob -+ * -+ * @param certReqBlob cmc b64 encoded blob -+ * @return PKIData - */ -- public TaggedRequest[] parseCMC(Locale locale, String certreq) -+ public PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob) - throws EProfileException { - -- String method = "EnrollProfile: parseCMC: "; -+ String method = "EnrollProfile: getPKIDataFromCMCblob: "; - String msg = ""; // for capturing debug and throw info - - /* cert request must not be null */ -- if (certreq == null) { -- msg = method + "certreq null"; -+ if (certReqBlob == null) { -+ msg = method + "certReqBlob null"; - CMS.debug(msg); - throw new EProfileException( - CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + - msg); - } -- //CMS.debug(method + " Start parseCMC(): " + certreq); -+ //CMS.debug(method + " Start: " + certReqBlob); - CMS.debug(method + 
"starts"); - -- TaggedRequest msgs[] = null; -- -- String creq = normalizeCertReq(certreq); -+ String creq = normalizeCertReq(certReqBlob); - try { - byte data[] = CMS.AtoB(creq); -- ByteArrayInputStream cmcBlobIn = -- new ByteArrayInputStream(data); -+ ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data); - -- org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) -- org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn); -- org.mozilla.jss.pkix.cms.SignedData cmcFullReq = -- (org.mozilla.jss.pkix.cms.SignedData) cmcReq.getInterpretedContent(); -+ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo -+ .getTemplate().decode(cmcBlobIn); -+ org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq -+ .getInterpretedContent(); - org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - OCTET_STRING content = ci.getContent(); - -@@ -564,6 +571,104 @@ public abstract class EnrollProfile extends BasicProfile - mCMCData = pkiData; - //PKIData pkiData = (PKIData) - // (new PKIData.Template()).decode(cmcBlobIn); -+ -+ return pkiData; -+ } catch (Exception e) { -+ CMS.debug(method + e); -+ throw new EProfileException( -+ CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); -+ } -+ } -+ -+ public static CertificateSubjectName getCMCSigningCertSNfromCertSerial( -+ String certSerial) throws Exception { -+ X509CertImpl userCert = getCMCSigningCertFromCertSerial(certSerial); -+ -+ if (userCert != null) { -+ return userCert.getSubjectObj(); -+ } else { -+ return null; -+ } -+ } -+ -+ /** -+ * getCMCSigningCertFromCertSerial is to be used when authentication -+ * was done with CMCUserSignedAuth where the resulting -+ * authToken contains -+ * IAuthManager.CRED_CMC_SIGNING_CERT, serial number -+ * This method takes the serial number -+ * and finds the cert from the CA's certdb -+ */ -+ 
public static X509CertImpl getCMCSigningCertFromCertSerial(
-+ String certSerial) throws Exception {
-+ String method = "EnrollProfile: getCMCSigningCertFromCertSerial: ";
-+ String msg = "";
-+
-+ X509CertImpl userCert = null;
-+
-+ if (certSerial == null || certSerial.equals("")) {
-+ msg = method + "certSerial empty";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ // for CMCUserSignedAuth, the signing user is the subject of
-+ // the new cert
-+ ICertificateAuthority authority = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
-+ try {
-+ BigInteger serialNo = new BigInteger(certSerial);
-+ userCert = authority.getCertificateRepository().getX509Certificate(serialNo);
-+ } catch (NumberFormatException e) {
-+ msg = method + e;
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ } catch (EBaseException e) {
-+ msg = method + e + "; signing user cert not found: serial=" + certSerial;
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ if (userCert != null) {
-+ msg = method + "signing user cert found; serial=" + certSerial;
-+ CMS.debug(msg);
-+ } else {
-+ msg = method + "signing user cert not found: serial=" + certSerial;
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ return userCert;
-+ }
-+
-+ /*
-+ * parseCMC
-+ * @throws EProfileException in case of error
-+ * note: returing "null" doesn't mean failure
-+ */
-+ public TaggedRequest[] parseCMC(Locale locale, String certreq)
-+ throws EProfileException {
-+ return parseCMC(locale, certreq, false);
-+ }
-+ public TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI)
-+ throws EProfileException {
-+
-+ String method = "EnrollProfile: parseCMC: ";
-+ String msg = ""; // for capturing debug and throw info
-+ //CMS.debug(method + " Start parseCMC(): " + certreq);
-+ CMS.debug(method + "starts");
-+
-+ /* cert request must not be null */
-+ if (certreq == null) {
-+ msg = method + "certreq null";
-+ CMS.debug(msg);
-+ throw new EProfileException(
-+ 
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") + -+ msg); -+ } -+ -+ TaggedRequest msgs[] = null; -+ try { -+ PKIData pkiData = getPKIDataFromCMCblob(locale, certreq); - SEQUENCE controlSeq = pkiData.getControlSequence(); - int numcontrols = controlSeq.size(); - SEQUENCE reqSeq = pkiData.getReqSequence(); -@@ -571,6 +676,7 @@ public abstract class EnrollProfile extends BasicProfile - UTF8String ident_s = null; - SessionContext context = SessionContext.getContext(); - if (!context.containsKey("numOfControls")) { -+ CMS.debug(method + "numcontrols="+ numcontrols); - if (numcontrols > 0) { - context.put("numOfControls", Integer.valueOf(numcontrols)); - TaggedAttribute[] attributes = new TaggedAttribute[numcontrols]; -@@ -587,56 +693,45 @@ public abstract class EnrollProfile extends BasicProfile - boolean id_cmc_idPOPLinkRandom = false; - SET vals = null; - -+ /** -+ * pre-process all controls -- -+ * the postponed processing is so that we can capture -+ * the identification, if included -+ */ -+ CMS.debug(method + "about to pre-process controls"); - for (int i = 0; i < numcontrols; i++) { - attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); - OBJECT_IDENTIFIER oid = attributes[i].getType(); - if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { -- CMS.debug(method + " decryptedPOP found"); -+ CMS.debug(method + " id_cmc_decryptedPOP found"); - id_cmc_decryptedPOP = true; - decPopVals = attributes[i].getValues(); - } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identification)) { -+ CMS.debug(method + " id_cmc_identification found"); - id_cmc_identification = true; - ident = attributes[i].getValues(); - } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProofV2)) { -+ CMS.debug(method + " id_cmc_identityProofV2 found"); - id_cmc_identityProofV2 = true; - attr = attributes[i]; - } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) { -+ CMS.debug(method + " id_cmc_identityProof found"); - id_cmc_identityProof = true; - attr = 
attributes[i]; - } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { -- CMS.debug(method + "id_cmc_idPOPLinkRandom true"); -+ CMS.debug(method + "id_cmc_idPOPLinkRandom found"); - id_cmc_idPOPLinkRandom = true; - vals = attributes[i].getValues(); - } else { -+ CMS.debug(method + "unknown control found"); - context.put(attributes[i].getType(), attributes[i]); - } - } //for - - /** - * now do the actual control processing -- * (the postponed processing is so that we can capture -- * the identification, if included) - */ -- -- if (id_cmc_decryptedPOP) { -- if (decPopVals != null) { -- -- DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(), -- ASN1Util.encode(decPopVals.elementAt(0)))); -- CMS.debug(method + "DecryptedPOP encoded"); -- -- Integer reqId = verifyDecryptedPOP(locale, decPop); -- if (reqId != null) { -- context.put("decryptedPopReqId", reqId); -- } -- } else { //decPopVals == null -- msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; -- CMS.debug(method + msg); -- SEQUENCE bpids = getRequestBpids(reqSeq); -- context.put("decryptedPOP", bpids); -- } -- return null; -- } -+ CMS.debug(method + "processing controls..."); - - if (id_cmc_identification) { - if (ident == null) { -@@ -666,8 +761,22 @@ public abstract class EnrollProfile extends BasicProfile - } - } - -- // either V2 or not V2; can't be both -- if (id_cmc_identityProofV2 && (attr != null)) { -+ // checking Proof Of Identity, if not pre-signed -+ -+ if (donePOI) { -+ // for logging purposes -+ if (id_cmc_identityProofV2) { -+ CMS.debug(method -+ + "pre-signed CMC request, but id_cmc_identityProofV2 found...ignore; no further proof of identification check"); -+ } else if (id_cmc_identityProof) { -+ CMS.debug(method -+ + "pre-signed CMC request, but id_cmc_identityProof found...ignore; no further proof of identification check"); -+ } else { -+ CMS.debug(method + "pre-signed CMC request; no further proof of identification check"); -+ } -+ } else if 
(id_cmc_identityProofV2 && (attr != null)) { -+ // either V2 or not V2; can't be both -+ CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;"); - if (!id_cmc_identification) { - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identification", bpids); -@@ -685,23 +794,57 @@ public abstract class EnrollProfile extends BasicProfile - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identityProofV2", bpids); - -- msg = " in verifyIdentityProofV2"; -+ msg = " after verifyIdentityProofV2"; - CMS.debug(method + msg); - throw new EProfileException(CMS.getUserMessage(locale, -- "CMS_POI_VERIFICATION_ERROR")+ msg); -+ "CMS_POI_VERIFICATION_ERROR") + msg); -+ } else { -+ CMS.debug(method + "passed verifyIdentityProofV2; Proof of Identity successful;"); - } - } else if (id_cmc_identityProof && (attr != null)) { -+ CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProof;"); - boolean valid = verifyIdentityProof(attr, - reqSeq); - if (!valid) { - SEQUENCE bpids = getRequestBpids(reqSeq); - context.put("identityProof", bpids); - -- msg = " in verifyIdentityProof"; -+ msg = " after verifyIdentityProof"; - CMS.debug(method + msg); - throw new EProfileException(CMS.getUserMessage(locale, -- "CMS_POI_VERIFICATION_ERROR")+ msg); -+ "CMS_POI_VERIFICATION_ERROR") + msg); -+ } else { -+ CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;"); - } -+ } else { -+ msg = "not pre-signed CMC request; missing Proof of Identification control"; -+ CMS.debug(method + msg); -+ throw new EProfileException(CMS.getUserMessage(locale, -+ "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg); -+ } -+ -+ if (id_cmc_decryptedPOP) { -+ if (decPopVals != null) { -+ -+ DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(), -+ ASN1Util.encode(decPopVals.elementAt(0)))); -+ CMS.debug(method + "DecryptedPOP encoded"); -+ -+ Integer reqId = verifyDecryptedPOP(locale, decPop); -+ if (reqId != null) { 
-+ context.put("cmcDecryptedPopReqId", reqId); -+ } -+ } else { //decPopVals == null -+ msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP"; -+ CMS.debug(method + msg); -+ SEQUENCE bpids = getRequestBpids(reqSeq); -+ context.put("decryptedPOP", bpids); -+ } -+ -+ // decryptedPOP is expected to return null; -+ // POPLinkWitnessV2 would have to be checked in -+ // round one, if required -+ return null; - } - - if (id_cmc_idPOPLinkRandom && vals != null) { -@@ -725,61 +868,65 @@ public abstract class EnrollProfile extends BasicProfile - } - } - -- int nummsgs = reqSeq.size(); -- if (nummsgs > 0) { -+ /** -+ * in CS.cfg, cmc.popLinkWitnessRequired=true -+ * will enforce popLinkWitness (or V2); -+ */ -+ boolean popLinkWitnessRequired = false; -+ try { -+ String configName = "cmc.popLinkWitnessRequired"; -+ CMS.debug(method + "getting :" + configName); -+ popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false); -+ } catch (Exception e) { -+ // unlikely to get here -+ msg = method + " Failed to retrieve cmc.popLinkWitnessRequired"; -+ CMS.debug(msg); -+ throw new EProfileException(method + msg); -+ } - -+ int nummsgs = reqSeq.size(); -+ if (!popLinkWitnessRequired) { -+ CMS.debug(method + "popLinkWitnessRequired false, skip check"); -+ } else if (nummsgs > 0) { -+ CMS.debug(method + "cmc.popLinkWitnessRequired is true"); -+ CMS.debug(method + "nummsgs =" + nummsgs); - msgs = new TaggedRequest[reqSeq.size()]; - SEQUENCE bpids = new SEQUENCE(); - -- /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true -- // enforce popLinkWitness (or V2) -- boolean popLinkWitnessRequired = true; -- try { -- String configName = "cmc.popLinkWitnessRequired"; -- CMS.debug(method + "getting :" + configName); -- popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true); -- CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired); -- } catch (Exception e) { -- // unlikely to get here -- msg = method + " Failed to 
retrieve cmc.popLinkWitnessRequired"; -- CMS.debug(msg); -- throw new EProfileException(method + msg); -- } --*/ -- - boolean valid = true; - for (int i = 0; i < nummsgs; i++) { - msgs[i] = (TaggedRequest) reqSeq.elementAt(i); - if (!context.containsKey("POPLinkWitnessV2") && - !context.containsKey("POPLinkWitness")) { -- if (randomSeed != null) { -- // verifyPOPLinkWitness() will determine if this is -- // POPLinkWitnessV2 or POPLinkWitness -- // If failure, context is set in verifyPOPLinkWitness -- valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); -- if (valid == false) { -- if (context.containsKey("POPLinkWitnessV2")) -- msg = " in POPLinkWitnessV2"; -- else if (context.containsKey("POPLinkWitness")) -- msg = " in POPLinkWitness"; -- else -- msg = " unspecified failure from verifyPOPLinkWitness"; -- -- CMS.debug(method + msg); -- throw new EProfileException(CMS.getUserMessage(locale, -- "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg); -- } -- /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip -- } else if (popLinkWitnessRequired == true) { -- //popLinkWitnessRequired == true, must have randomSeed -- CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found"); -+ CMS.debug(method + "popLinkWitness(V2) required"); -+ if (randomSeed == null) { -+ CMS.debug(method + "no randomSeed found"); - context.put("POPLinkWitnessV2", bpids); -- return null;*/ -- } //randomSeed != null -+ return null; -+ } -+ -+ // verifyPOPLinkWitness() will determine if this is -+ // POPLinkWitnessV2 or POPLinkWitness -+ // If failure, context is set in verifyPOPLinkWitness -+ valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context); -+ if (valid == false) { -+ if (context.containsKey("POPLinkWitnessV2")) -+ msg = " in POPLinkWitnessV2"; -+ else if (context.containsKey("POPLinkWitness")) -+ msg = " in POPLinkWitness"; -+ else -+ msg = " unspecified failure from 
verifyPOPLinkWitness"; -+ -+ CMS.debug(method + msg); -+ throw new EProfileException(CMS.getUserMessage(locale, -+ "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg); -+ } - } -- } -- } else -+ } //for -+ } else { -+ CMS.debug(method + "nummsgs 0; returning..."); - return null; -+ } - - CMS.debug(method + "ends"); - return msgs; -@@ -1398,6 +1545,9 @@ public abstract class EnrollProfile extends BasicProfile - public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, - IRequest req) - throws EProfileException { -+ String auditMessage = null; -+ String auditSubjectID = auditSubjectID(); -+ - String method = "EnrollProfile: fillTaggedRequest: "; - CMS.debug(method + "begins"); - TaggedRequest.Type type = tagreq.getType(); -@@ -1409,16 +1559,19 @@ public abstract class EnrollProfile extends BasicProfile - } - - if (type.equals(TaggedRequest.PKCS10)) { -- CMS.debug(method + " TaggedRequest type == pkcs10"); -+ String methodPos = method + "PKCS10: "; -+ CMS.debug(methodPos + " TaggedRequest type == pkcs10"); - boolean sigver = true; - boolean tokenSwitched = false; - CryptoManager cm = null; - CryptoToken signToken = null; - CryptoToken savedToken = null; - try { -+ // for PKCS10, "sigver" would provide the POP - sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); - cm = CryptoManager.getInstance(); - if (sigver == true) { -+ CMS.debug(methodPos + "sigver true, POP is to be verified"); - String tokenName = - CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); - savedToken = cm.getThreadToken(); -@@ -1427,6 +1580,12 @@ public abstract class EnrollProfile extends BasicProfile - cm.setThreadToken(signToken); - tokenSwitched = true; - } -+ } else { -+ // normally, you would not get here, as you almost always -+ // would want to verify the PKCS10 signature when it's -+ // already there instead of taking a 2nd trip -+ CMS.debug(methodPos + "sigver false, POP is not to be verified now, but 
instead will be challenged"); -+ req.setExtData("cmc_POPchallengeRequired", "true"); - } - - TaggedCertificationRequest tcr = tagreq.getTcr(); -@@ -1440,13 +1599,17 @@ public abstract class EnrollProfile extends BasicProfile - fillPKCS10(locale, pkcs10, info, req); - } catch (Exception e) { - CMS.debug(method + e); -+ // this will throw -+ popFailed(locale, auditSubjectID, auditMessage, e); - } finally { - if ((sigver == true) && (tokenSwitched == true)){ - cm.setThreadToken(savedToken); - } - } -+ CMS.debug(methodPos + "done"); - } else if (type.equals(TaggedRequest.CRMF)) { -- CMS.debug(method + " TaggedRequest type == crmf"); -+ String methodPos = method + "CRMF: "; -+ CMS.debug(methodPos + " TaggedRequest type == crmf"); - CertReqMsg crm = tagreq.getCrm(); - SessionContext context = SessionContext.getContext(); - Integer nums = (Integer) (context.get("numOfControls")); -@@ -1454,12 +1617,12 @@ public abstract class EnrollProfile extends BasicProfile - boolean verifyAllow = false; //disable RA by default - try { - String configName = "cmc.lraPopWitness.verify.allow"; -- CMS.debug(method + "getting :" + configName); -+ CMS.debug(methodPos + "getting :" + configName); - verifyAllow = CMS.getConfigStore().getBoolean(configName, false); -- CMS.debug(method + "cmc.lraPopWitness.verify.allow is " + verifyAllow); -+ CMS.debug(methodPos + "cmc.lraPopWitness.verify.allow is " + verifyAllow); - } catch (Exception e) { - // unlikely to get here -- String msg = method + " Failed to retrieve cmc.lraPopWitness.verify.allow"; -+ String msg = methodPos + " Failed to retrieve cmc.lraPopWitness.verify.allow"; - CMS.debug(msg); - throw new EProfileException(method + msg); - } -@@ -1471,23 +1634,23 @@ public abstract class EnrollProfile extends BasicProfile - parseLRAPopWitness(locale, crm, attr); - } else { - CMS.debug( -- method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); -+ methodPos + " verify POP in CMC because LRA POP 
Witness control attribute doesnt exist in the CMC request."); - if (crm.hasPop()) { -- CMS.debug(method + " hasPop true"); -+ CMS.debug(methodPos + " hasPop true"); - verifyPOP(locale, crm); - } else { // no signing POP, then do it the hard way -- CMS.debug(method + "hasPop false, need to challenge"); -+ CMS.debug(methodPos + "hasPop false, need to challenge"); - req.setExtData("cmc_POPchallengeRequired", "true"); - } - } - } else { - CMS.debug( -- method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); -+ methodPos + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); - if (crm.hasPop()) { -- CMS.debug(method + " hasPop true"); -+ CMS.debug(methodPos + " hasPop true"); - verifyPOP(locale, crm); - } else { // no signing POP, then do it the hard way -- CMS.debug(method + "hasPop false, need to challenge"); -+ CMS.debug(methodPos + "hasPop false, need to challenge"); - req.setExtData("cmc_POPchallengeRequired", "true"); - } - } -@@ -1495,10 +1658,10 @@ public abstract class EnrollProfile extends BasicProfile - } else { //!verifyAllow - - if (crm.hasPop()) { -- CMS.debug(method + " hasPop true"); -+ CMS.debug(methodPos + " hasPop true"); - verifyPOP(locale, crm); - } else { // no signing POP, then do it the hard way -- CMS.debug(method + "hasPop false, need to challenge"); -+ CMS.debug(methodPos + "hasPop false, need to challenge"); - req.setExtData("cmc_POPchallengeRequired", "true"); - } - } -@@ -1835,6 +1998,8 @@ public abstract class EnrollProfile extends BasicProfile - - public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req) - throws EProfileException { -+ String method = "EnrollProfile: fillPKCS10: "; -+ CMS.debug(method + "begins"); - X509Key key = pkcs10.getSubjectPublicKeyInfo(); - - try { -@@ -1869,7 +2034,7 @@ public abstract class EnrollProfile extends BasicProfile - PKCS10Attribute p10Attr = 
p10Attrs.getAttribute(CertificateExtensions.NAME); - if (p10Attr != null && p10Attr.getAttributeId().equals( - PKCS9Attribute.EXTENSION_REQUEST_OID)) { -- CMS.debug("Found PKCS10 extension"); -+ CMS.debug(method + "Found PKCS10 extension"); - Extensions exts0 = (Extensions) - (p10Attr.getAttributeValue()); - DerOutputStream extOut = new DerOutputStream(); -@@ -1879,24 +2044,22 @@ public abstract class EnrollProfile extends BasicProfile - DerInputStream extIn = new DerInputStream(extB); - CertificateExtensions exts = new CertificateExtensions(extIn); - if (exts != null) { -- CMS.debug("Set extensions " + exts); -+ CMS.debug(method + "Set extensions " + exts); - // info.set(X509CertInfo.EXTENSIONS, exts); - req.setExtData(REQUEST_EXTENSIONS, exts); - } - } else { -- CMS.debug("PKCS10 extension Not Found"); -+ CMS.debug(method + "PKCS10 extension Not Found"); - } - } - -- CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName()); -+ CMS.debug(method + "Finish parsePKCS10 - " + pkcs10.getSubjectName()); - } catch (IOException e) { -- CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e); -- CMS.debug(e); -+ CMS.debug(method + "Unable to fill PKCS #10: " + e); - throw new EProfileException( - CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); - } catch (CertificateException e) { -- CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e); -- CMS.debug(e); -+ CMS.debug(method + "Unable to fill PKCS #10: " + e); - throw new EProfileException( - CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e); - } -@@ -2074,8 +2237,11 @@ public abstract class EnrollProfile extends BasicProfile - - public void populate(IRequest request) - throws EProfileException { -- super.populate(request); - -+ String method = "EnrollProfile: populate: "; -+ CMS.debug(method + "begins"); -+ -+ super.populate(request); - } - - /** -@@ -2240,7 +2406,7 @@ public abstract class EnrollProfile extends BasicProfile - public void verifyPOP(Locale locale, CertReqMsg certReqMsg) - 
throws EProfileException { - String method = "EnrollProfile: verifyPOP: "; -- CMS.debug(method + "for signing keys"); -+ CMS.debug(method + "for signing keys begins."); - - String auditMessage = null; - String auditSubjectID = auditSubjectID(); -@@ -2261,10 +2427,10 @@ public abstract class EnrollProfile extends BasicProfile - CryptoToken verifyToken = null; - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); - if (CryptoUtil.isInternalToken(tokenName)) { -- CMS.debug("POP verification using internal token"); -+ CMS.debug(method + "POP verification using internal token"); - certReqMsg.verify(); - } else { -- CMS.debug("POP verification using token:" + tokenName); -+ CMS.debug(method + "POP verification using token:" + tokenName); - verifyToken = CryptoUtil.getCryptoToken(tokenName); - certReqMsg.verify(verifyToken); - } -@@ -2279,7 +2445,7 @@ public abstract class EnrollProfile extends BasicProfile - CMS.debug(method + "Unable to verify POP: " + e); - popFailed(locale, auditSubjectID, auditMessage, e); - } -- CMS.debug(method + "ends."); -+ CMS.debug(method + "done."); - } - - private void popFailed(Locale locale, String auditSubjectID, String auditMessage) -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java -new file mode 100644 -index 0000000..c71b670 ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java -@@ -0,0 +1,141 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+package com.netscape.cms.profile.constraint;
-+
-+import java.util.Locale;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.authentication.IAuthManager;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.profile.EProfileException;
-+import com.netscape.certsrv.profile.ERejectException;
-+import com.netscape.certsrv.profile.IPolicyDefault;
-+import com.netscape.certsrv.profile.IProfile;
-+import com.netscape.certsrv.property.IDescriptor;
-+import com.netscape.certsrv.request.IRequest;
-+import com.netscape.cms.profile.common.EnrollProfile;
-+import com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault;
-+
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertInfo;
-+
-+/**
-+ * This class implements the user subject name constraint for user-signed cmc requests. 
-+ * It makes sure the signing cert's subjectDN and the rsulting cert match
-+ *
-+ * @author cfu
-+ * @version $Revision$, $Date$
-+ */
-+public class CMCUserSignedSubjectNameConstraint extends EnrollConstraint {
-+
-+ public CMCUserSignedSubjectNameConstraint() {
-+ }
-+
-+ public void init(IProfile profile, IConfigStore config)
-+ throws EProfileException {
-+ super.init(profile, config);
-+ }
-+
-+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
-+ return null;
-+ }
-+
-+ public String getDefaultConfig(String name) {
-+ return null;
-+ }
-+
-+ /**
-+ * Validates the request. The request is not modified
-+ * during the validation. User encoded subject name
-+ * is copied into the certificate template.
-+ */
-+ public void validate(IRequest request, X509CertInfo info)
-+ throws ERejectException {
-+ String method = "CMCUserSignedSubjectNameConstraint: ";
-+ String msg = "";
-+
-+ CMS.debug(method + "validate start");
-+ CertificateSubjectName infoCertSN = null;
-+ CertificateSubjectName authTokenCertSN = null;
-+
-+
-+ try {
-+ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
-+ if (infoCertSN == null) {
-+ msg = method + "infoCertSN null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ CMS.debug(method + "validate user subject ="+
-+ infoCertSN.toString());
-+ String certSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
-+ if (certSerial == null) {
-+ msg = method + "certSerial null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ authTokenCertSN =
-+ EnrollProfile.getCMCSigningCertSNfromCertSerial(certSerial);
-+ if (authTokenCertSN == null) {
-+ msg = method + "authTokenCertSN null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
-+ if (infoCertName == null) {
-+ msg = method + "infoCertName null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ X500Name authTokenCertName = 
(X500Name) authTokenCertSN.get(CertificateSubjectName.DN_NAME);
-+ if (authTokenCertName == null) {
-+ msg = method + "authTokenCertName null";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+ if (infoCertName.equals(authTokenCertName)) {
-+ CMS.debug(method + "names match");
-+ } else {
-+ msg = method + "names do not match";
-+ CMS.debug(msg);
-+ throw new Exception(msg);
-+ }
-+
-+ } catch (Exception e) {
-+ throw new ERejectException(
-+ CMS.getUserMessage(getLocale(request),
-+ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
-+ }
-+ }
-+
-+ public String getText(Locale locale) {
-+ return CMS.getUserMessage(locale,
-+ "CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT");
-+ }
-+
-+ public boolean isApplicable(IPolicyDefault def) {
-+ String method = "CMCUserSignedSubjectNameConstraint: isApplicable: ";
-+ if (def instanceof CMCUserSignedSubjectNameDefault) {
-+ CMS.debug(method + "true");
-+ return true;
-+ }
-+ CMS.debug(method + "false");
-+ return false;
-+ }
-+}
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
-new file mode 100644
-index 0000000..a0816ea
---- /dev/null
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
-@@ -0,0 +1,159 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details. 
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2007 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+package com.netscape.cms.profile.def;
-+
-+import java.io.IOException;
-+import java.util.Locale;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.authentication.IAuthManager;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.profile.EProfileException;
-+import com.netscape.certsrv.profile.IEnrollProfile;
-+import com.netscape.certsrv.profile.IProfile;
-+import com.netscape.certsrv.property.Descriptor;
-+import com.netscape.certsrv.property.EPropertyException;
-+import com.netscape.certsrv.property.IDescriptor;
-+import com.netscape.certsrv.request.IRequest;
-+import com.netscape.cms.profile.common.EnrollProfile;
-+
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertInfo;
-+
-+/**
-+ * This class implements an enrollment default policy
-+ * that populates a CMC signing user's subject name
-+ * into the certificate template. 
-+ *
-+ * @author cfu
-+ * @version $Revision$, $Date$
-+ */
-+public class CMCUserSignedSubjectNameDefault extends EnrollDefault {
-+
-+ public static final String VAL_NAME = "name";
-+
-+ public CMCUserSignedSubjectNameDefault() {
-+ super();
-+ addValueName(VAL_NAME);
-+ }
-+
-+ public void init(IProfile profile, IConfigStore config)
-+ throws EProfileException {
-+ super.init(profile, config);
-+ }
-+
-+ public IDescriptor getValueDescriptor(Locale locale, String name) {
-+ if (name.equals(VAL_NAME)) {
-+ return new Descriptor(IDescriptor.STRING, null, null,
-+ CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME"));
-+ } else {
-+ return null;
-+ }
-+ }
-+
-+ public void setValue(String name, Locale locale,
-+ X509CertInfo info, String value)
-+ throws EPropertyException {
-+ if (name == null) {
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ if (name.equals(VAL_NAME)) {
-+ X500Name x500name = null;
-+
-+ try {
-+ x500name = new X500Name(value);
-+ } catch (IOException e) {
-+ CMS.debug(e.toString());
-+ // failed to build x500 name
-+ }
-+ CMS.debug("SubjectNameDefault: setValue name=" + x500name);
-+ try {
-+ info.set(X509CertInfo.SUBJECT,
-+ new CertificateSubjectName(x500name));
-+ } catch (Exception e) {
-+ // failed to insert subject name
-+ CMS.debug("CMCUserSignedSubjectNameDefault: setValue " + e.toString());
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ } else {
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ }
-+
-+ public String getValue(String name, Locale locale,
-+ X509CertInfo info)
-+ throws EPropertyException {
-+ if (name == null) {
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ if (name.equals(VAL_NAME)) {
-+ CertificateSubjectName sn = null;
-+
-+ try {
-+ sn = (CertificateSubjectName)
-+ info.get(X509CertInfo.SUBJECT); 
-+ return sn.toString();
-+ } catch (Exception e) {
-+ // nothing
-+ }
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ } else {
-+ throw new EPropertyException(CMS.getUserMessage(
-+ locale, "CMS_INVALID_PROPERTY", name));
-+ }
-+ }
-+
-+ public String getText(Locale locale) {
-+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME");
-+ }
-+
-+ /**
-+ * Populates the request with this policy default.
-+ */
-+ public void populate(IRequest request, X509CertInfo info)
-+ throws EProfileException {
-+ String method = "CMCUserSignedSubjectNameDefault: populate: ";
-+ String msg = "";
-+ CMS.debug(method + "begins");
-+
-+ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
-+ if (info == null) {
-+ msg = method + "info null";
-+ CMS.debug(msg);
-+ throw new EProfileException(msg);
-+ }
-+
-+ CertificateSubjectName certSN = null;
-+ try {
-+ certSN = EnrollProfile.getCMCSigningCertSNfromCertSerial(signingUserSerial);
-+ info.set(X509CertInfo.SUBJECT, certSN);
-+ CMS.debug(method + "subjectDN set in X509CertInfo");
-+ } catch (Exception e) {
-+ msg = method + "exception thrown:" + e;
-+ throw new EProfileException(e.toString());
-+ }
-+ request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
-+ CMS.debug(method + "ends");
-+ }
-+}
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
-index 00d669e..1d5bfc4 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
-@@ -214,17 +214,18 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
- */
- public void populate(IRequest request)
- throws EProfileException {
-+ String method = "EnrollDefault: populate: ";
- String name = getClass().getName();
-
- name = 
name.substring(name.lastIndexOf('.') + 1); -- CMS.debug(name + ": populate start"); -+ CMS.debug(method + name + ": start"); - X509CertInfo info = - request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); - - populate(request, info); - - request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); -- CMS.debug(name + ": populate end"); -+ CMS.debug(method + name + ": end"); - } - - public void addValueName(String name) { -diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java -index a62d6e9..0a9cae1 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java -+++ b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java -@@ -21,6 +21,8 @@ import java.util.Locale; - - import netscape.security.x509.X509CertInfo; - -+import org.mozilla.jss.asn1.SEQUENCE; -+import org.mozilla.jss.pkix.cmc.PKIData; - import org.mozilla.jss.pkix.cmc.TaggedRequest; - - import com.netscape.certsrv.apps.CMS; -@@ -85,19 +87,32 @@ public class CMCCertReqInput extends EnrollInput implements IProfileInput { - */ - public void populate(IProfileContext ctx, IRequest request) - throws EProfileException { -+ String method = "CMCCertReqInput: populate: "; -+ CMS.debug(method + "begins"); -+ - String cert_request = ctx.get(VAL_CERT_REQUEST); - X509CertInfo info = - request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); - - if (cert_request == null) { -- CMS.debug("CMCCertReqInput: populate - invalid certificate request"); -+ CMS.debug(method + "invalid certificate request"); - throw new EProfileException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); - } -- TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); -+ // cfu: getPKIDataFromCMCblob() is extracted from parseCMC -+ // so it's less confusing -+ //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); -+ 
PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request); -+ SEQUENCE reqSeq = pkiData.getReqSequence(); -+ int nummsgs = reqSeq.size(); // for now we only handle one anyways -+ CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs); -+ TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()]; -+ for (int i = 0; i < nummsgs; i++) { -+ msgs[i] = (TaggedRequest) reqSeq.elementAt(i); -+ } - - if (msgs == null) { -- CMS.debug("CMCCertReqInput: populate - parseCMC returns null TaggedRequest msgs"); -+ CMS.debug(method + "TaggedRequest msgs null after getPKIDataFromCMCblob"); - return; - } - // This profile only handle the first request in CRMF -diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java -index e67f5b5..fabd2aa 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java -+++ b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java -@@ -19,10 +19,8 @@ package com.netscape.cms.profile.input; - - import java.util.Locale; - --import netscape.security.pkcs.PKCS10; --import netscape.security.util.DerInputStream; --import netscape.security.x509.X509CertInfo; -- -+import org.mozilla.jss.asn1.SEQUENCE; -+import org.mozilla.jss.pkix.cmc.PKIData; - import org.mozilla.jss.pkix.cmc.TaggedRequest; - import org.mozilla.jss.pkix.crmf.CertReqMsg; - -@@ -37,6 +35,10 @@ import com.netscape.certsrv.property.IDescriptor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.cms.profile.common.EnrollProfile; - -+import netscape.security.pkcs.PKCS10; -+import netscape.security.util.DerInputStream; -+import netscape.security.x509.X509CertInfo; -+ - /** - * This class implements the certificate request input. 
- * This input populates 2 main fields to the enrollment page: -@@ -89,13 +91,16 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - */ - public void populate(IProfileContext ctx, IRequest request) - throws EProfileException { -+ String method = "CertReqInput: populate: "; -+ CMS.debug(method + "begins"); -+ - String cert_request_type = ctx.get(VAL_CERT_REQUEST_TYPE); - String cert_request = ctx.get(VAL_CERT_REQUEST); - X509CertInfo info = - request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); - - if (cert_request_type == null) { -- CMS.debug("CertReqInput: populate - invalid cert request type " + -+ CMS.debug(method + "invalid cert request type " + - ""); - throw new EProfileException( - CMS.getUserMessage(getLocale(request), -@@ -103,12 +108,14 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - "")); - } - if (cert_request == null) { -- CMS.debug("CertReqInput: populate - invalid certificate request"); -+ CMS.debug(method + "invalid certificate request"); - throw new EProfileException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); - } - - if (cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)) { -+ CMS.debug(method + "cert_request_type= REQ_TYPE_PKCS10"); -+ - PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), cert_request); - - if (pkcs10 == null) { -@@ -118,6 +125,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - - mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); - } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { -+ CMS.debug(method + "cert_request_type= REQ_TYPE_KEYGEN"); - DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), cert_request); - - if (keygen == null) { -@@ -127,6 +135,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - - mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); - } else if 
(cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { -+ CMS.debug(method + "cert_request_type= REQ_TYPE_CRMF"); - CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), cert_request); - - if (msgs == null) { -@@ -142,7 +151,18 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request - ); - } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { -- TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); -+ CMS.debug(method + "cert_request_type= REQ_TYPE_CMC"); -+ // cfu: getPKIDataFromCMCblob() is extracted from parseCMC -+ // so it's less confusing -+ //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); -+ PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request); -+ SEQUENCE reqSeq = pkiData.getReqSequence(); -+ int nummsgs = reqSeq.size(); // for now we only handle one anyways -+ CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs); -+ TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()]; -+ for (int i = 0; i < nummsgs; i++) { -+ msgs[i] = (TaggedRequest) reqSeq.elementAt(i); -+ } - - if (msgs == null) { - throw new EProfileException(CMS.getUserMessage( -@@ -159,7 +179,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput { - mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); - } else { - // error -- CMS.debug("CertReqInput: populate - invalid cert request type " + -+ CMS.debug(method + "invalid cert request type " + - cert_request_type); - throw new EProfileException( - CMS.getUserMessage(getLocale(request), -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 26ca2a4..1e128d0 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -39,6 +39,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo; - import org.mozilla.jss.pkix.cmc.TaggedAttribute; - - import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthManager; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; -@@ -443,6 +444,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - /////////////////////////////////////////////// - // create request - /////////////////////////////////////////////// -+ String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (tmpCertSerialS != null) { -+ // unlikely to happenm, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); -+ } -+ String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (signingCertSerialS != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); -+ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); -+ } - try { - reqs = profile.createRequests(ctx, locale); - } catch (EProfileException e) { -@@ -512,7 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - IRequest provedReq = null; - if (reqs == null) { - // handling DecryptedPOP request here -- Integer reqID = (Integer) context.get("decryptedPopReqId"); -+ Integer reqID = (Integer) context.get("cmcDecryptedPopReqId"); - provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString())); - if (provedReq == null) { - -@@ -568,6 +581,19 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { - } - } - } -+ -+ tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (tmpCertSerialS != null) { -+ // unlikely to happenm, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); -+ } -+ // put CMCUserSignedAuth authToken in request -+ if (signingCertSerialS != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); -+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); -+ } - } - - // put profile framework parameters into the request -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 7572db4..d3ac06a 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2235,6 +2235,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification - - # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST - # - used for TPS to TKS to get random challenge data -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index bf96f90..ff56465 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -951,6 +951,7 @@ 
CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing - CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} - CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only - CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only -+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only - CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. - CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} - CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. -@@ -994,6 +995,7 @@ CMS_PROFILE_DEF_USER_KEY=This default populates a User-Supplied Certificate Key - CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM=This default populates a User-Supplied Certificate Signing Algorithm to the request. - CMS_PROFILE_DEF_AUTHZ_REALM=This default populates an authorization realm. - CMS_PROFILE_DEF_USER_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request. -+CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request. - CMS_PROFILE_DEF_USER_VALIDITY=This default populates a User-Supplied Certificate Validity to the request. - CMS_PROFILE_DEF_VALIDITY=This default populates a Certificate Validity to the request. 
The default values are Range={0} in days - CMS_PROFILE_CERTIFICATE_POLICIES_ID=Certificate Policies ID --- -1.8.3.1 - - -From f31ad87440332845e7e5a1d6ea1f092fefd9eef1 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 28 Apr 2017 20:05:44 -0700 -Subject: [PATCH 46/49] Ticket #2617 added the new caFullCMCUserSignedCert - profile in CS.cfg - ---- - base/ca/shared/conf/CS.cfg | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index b29802c..078abee 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -970,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 - oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension - oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 - os.userid=nobody --profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTok
enUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment -+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment - profile.caUUIDdeviceCert.class_id=caEnrollImpl - profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg - profile.caManualRenewal.class_id=caEnrollImpl -@@ -1015,6 +1015,8 @@ profile.caRAagentCert.class_id=caEnrollImpl - profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg - profile.caFullCMCUserCert.class_id=caEnrollImpl - profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg -+profile.caFullCMCUserSignedCert.class_id=caEnrollImpl 
-+profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg - profile.caInternalAuthOCSPCert.class_id=caEnrollImpl - profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg - profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl --- -1.8.3.1 - - -From 633c7c6519c925af7e3700adff29961d72435c7f Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 23 Mar 2017 14:34:31 +1100 -Subject: [PATCH 47/49] PKCS12Util: use AES to encrypt private keys - -Update PKCS12Util to use AES-256-CBC to encrypt private keys. -Use JSS CryptoStore methods to ensure that all key wrapping and -unwrapping is done on the token. - -Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the -previous process where a symmetric key was generated, the private -key wrapped to the symmetric key, then decryted into Dogtag's -memory, then re-encrypted under the supplied passphrase. Now the -key gets wrapped directly to the supplied passphrase. - -Similarly, for import, the EncryptedPrivateKeyInfo was decrypted -using the supplied passphrase, then encrypted to a freshly generated -symmetric key, which was then used to unwrap the key into the token. -Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is -used to unwrap the EncryptedPrivateKeyInfo directly into the token, -using the supplied passphrase. - -As a result, the PKCS12KeyInfo class, which previously stored -unencrypted key material (a PrivateKeyInfo object), it now only -deals with PrivateKey (an opaque handle to an PKCS #11 object) -on export and encoded (byte[]) EncryptedPrivateKeyInfo data on -import. This split suggests that PKCS12KeyInfo should be decomposed -into two classes - one containing a PrivateKey and the other -containing a byte[] encryptedPrivateKeyInfo - but this refactoring -is left for another day. 
- -Part of: https://pagure.io/dogtagpki/issue/2610 - -Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70 -(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92) ---- - .../netscape/cmstools/pkcs12/PKCS12ImportCLI.java | 4 +- - .../com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java | 1 - - .../src/netscape/security/pkcs/PKCS12KeyInfo.java | 29 +++-- - .../src/netscape/security/pkcs/PKCS12Util.java | 122 ++++++++------------- - 4 files changed, 65 insertions(+), 91 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java -index da5478c..de43284 100644 ---- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java -@@ -124,12 +124,12 @@ public class PKCS12ImportCLI extends CLI { - - if (nicknames.length == 0) { - // store all certificates -- util.storeIntoNSS(pkcs12, overwrite); -+ util.storeIntoNSS(pkcs12, password, overwrite); - - } else { - // load specified certificates - for (String nickname : nicknames) { -- util.storeCertIntoNSS(pkcs12, nickname, overwrite); -+ util.storeCertIntoNSS(pkcs12, password, nickname, overwrite); - } - } - -diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java -index fbebdda..e74b63a 100644 ---- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java -@@ -38,6 +38,5 @@ public class PKCS12KeyCLI extends CLI { - - System.out.println(" Key ID: " + keyInfo.getID().toString(16)); - System.out.println(" Subject DN: " + keyInfo.getSubjectDN()); -- System.out.println(" Algorithm: " + keyInfo.getPrivateKeyInfo().getAlgorithm()); - } - } -diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java 
b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -index c7e84f0..f180cf2 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -@@ -19,31 +19,40 @@ package netscape.security.pkcs; - - import java.math.BigInteger; - --import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; -+import org.mozilla.jss.crypto.PrivateKey; - - public class PKCS12KeyInfo { - -+ private PrivateKey privateKey; -+ private byte[] epkiBytes; - BigInteger id; -- PrivateKeyInfo privateKeyInfo; - String subjectDN; - - public PKCS12KeyInfo() { - } - -- public BigInteger getID() { -- return id; -+ public PKCS12KeyInfo(PrivateKey k) { -+ this.privateKey = k; - } - -- public void setID(BigInteger id) { -- this.id = id; -+ public PKCS12KeyInfo(byte[] epkiBytes) { -+ this.epkiBytes = epkiBytes; -+ } -+ -+ public PrivateKey getPrivateKey() { -+ return this.privateKey; - } - -- public PrivateKeyInfo getPrivateKeyInfo() { -- return privateKeyInfo; -+ public byte[] getEncryptedPrivateKeyInfoBytes() { -+ return epkiBytes; - } - -- public void setPrivateKeyInfo(PrivateKeyInfo privateKeyInfo) { -- this.privateKeyInfo = privateKeyInfo; -+ public BigInteger getID() { -+ return id; -+ } -+ -+ public void setID(BigInteger id) { -+ this.id = id; - } - - public String getSubjectDN() { -diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java -index 0b164aa..9f9a35e 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12Util.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java -@@ -33,27 +33,19 @@ import java.util.Collection; - import org.apache.commons.lang.StringUtils; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.ANY; --import org.mozilla.jss.asn1.ASN1Util; - import org.mozilla.jss.asn1.ASN1Value; - import org.mozilla.jss.asn1.BMPString; - import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; - import org.mozilla.jss.asn1.OCTET_STRING; - 
import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; --import org.mozilla.jss.crypto.Cipher; - import org.mozilla.jss.crypto.CryptoStore; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.EncryptionAlgorithm; --import org.mozilla.jss.crypto.IVParameterSpec; - import org.mozilla.jss.crypto.InternalCertificate; --import org.mozilla.jss.crypto.KeyGenAlgorithm; --import org.mozilla.jss.crypto.KeyWrapAlgorithm; --import org.mozilla.jss.crypto.KeyWrapper; - import org.mozilla.jss.crypto.NoSuchItemOnTokenException; - import org.mozilla.jss.crypto.ObjectNotFoundException; --import org.mozilla.jss.crypto.PBEAlgorithm; - import org.mozilla.jss.crypto.PrivateKey; --import org.mozilla.jss.crypto.SymmetricKey; - import org.mozilla.jss.crypto.X509Certificate; - import org.mozilla.jss.pkcs12.AuthenticatedSafes; - import org.mozilla.jss.pkcs12.CertBag; -@@ -61,14 +53,10 @@ import org.mozilla.jss.pkcs12.PFX; - import org.mozilla.jss.pkcs12.PasswordConverter; - import org.mozilla.jss.pkcs12.SafeBag; - import org.mozilla.jss.pkix.primitive.Attribute; --import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo; --import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; - import org.mozilla.jss.util.Password; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - --import com.netscape.cmsutil.crypto.CryptoUtil; -- - import netscape.ldap.LDAPDN; - import netscape.ldap.util.DN; - import netscape.security.x509.X509CertImpl; -@@ -114,41 +102,30 @@ public class PKCS12Util { - icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); - } - -- byte[] getEncodedKey(PrivateKey privateKey) throws Exception { -- CryptoManager cm = CryptoManager.getInstance(); -- CryptoToken token = cm.getInternalKeyStorageToken(); -- -- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -- IVParameterSpec param = new IVParameterSpec(iv); -- -- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); -- byte[] enckey = 
CryptoUtil.wrapUsingSymmetricKey( -- token, -- sk, -- privateKey, -- param, -- KeyWrapAlgorithm.DES3_CBC_PAD); -- -- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); -- c.initDecrypt(sk, param); -- return c.doFinal(enckey); -- } -- - public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, - SEQUENCE encSafeContents) throws Exception { -+ PrivateKey k = keyInfo.getPrivateKey(); -+ if (k == null) { -+ logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN); -+ return; -+ } - - logger.debug("Creating key bag for " + keyInfo.subjectDN); - - PasswordConverter passConverter = new PasswordConverter(); -- byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; -- -- EncryptedPrivateKeyInfo encPrivateKeyInfo = EncryptedPrivateKeyInfo.createPBE( -- PBEAlgorithm.PBE_SHA1_DES3_CBC, -- password, salt, 1, passConverter, keyInfo.privateKeyInfo); -+ byte[] epkiBytes = CryptoManager.getInstance() -+ .getInternalKeyStorageToken() -+ .getCryptoStore() -+ .getEncryptedPrivateKeyInfo( -+ /* NSS has a bug that causes any AES CBC encryption -+ * to use AES-256, but AlgorithmID contains chosen -+ * alg. To avoid mismatch, use AES_256_CBC. 
*/ -+ passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k); - - SET keyAttrs = createKeyBagAttrs(keyInfo); - -- SafeBag safeBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, encPrivateKeyInfo, keyAttrs); -+ SafeBag safeBag = new SafeBag( -+ SafeBag.PKCS8_SHROUDED_KEY_BAG, new ANY(epkiBytes), keyAttrs); - encSafeContents.addElement(safeBag); - } - -@@ -318,14 +295,10 @@ public class PKCS12Util { - PrivateKey privateKey = cm.findPrivKeyByCert(cert); - logger.debug("Certificate \"" + nickname + "\" has private key"); - -- PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(); -+ PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(privateKey); - keyInfo.id = id; - keyInfo.subjectDN = cert.getSubjectDN().toString(); - -- byte[] privateData = getEncodedKey(privateKey); -- keyInfo.privateKeyInfo = (PrivateKeyInfo) -- ASN1Util.decode(PrivateKeyInfo.getTemplate(), privateData); -- - pkcs12.addKeyInfo(keyInfo); - - } catch (ObjectNotFoundException e) { -@@ -375,11 +348,7 @@ public class PKCS12Util { - - public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception { - -- PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(); -- -- // get private key info -- EncryptedPrivateKeyInfo encPrivateKeyInfo = (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent(); -- keyInfo.privateKeyInfo = encPrivateKeyInfo.decrypt(password, new PasswordConverter()); -+ PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded()); - - // get key attributes - SET bagAttrs = bag.getBagAttributes(); -@@ -491,7 +460,7 @@ public class PKCS12Util { - - public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception { - -- logger.debug("Load private keys:"); -+ logger.debug("Load encrypted private keys:"); - - AuthenticatedSafes safes = pfx.getAuthSafes(); - -@@ -590,20 +559,12 @@ public class PKCS12Util { - - public void importKey( - PKCS12 pkcs12, -+ Password password, -+ String nickname, - PKCS12KeyInfo keyInfo) throws Exception { - - logger.debug("Importing private 
key " + keyInfo.subjectDN); - -- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -- IVParameterSpec param = new IVParameterSpec(iv); -- -- PrivateKeyInfo privateKeyInfo = keyInfo.privateKeyInfo; -- -- // encode private key -- ByteArrayOutputStream bos = new ByteArrayOutputStream(); -- privateKeyInfo.encode(bos); -- byte[] privateKey = bos.toByteArray(); -- - PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID()); - if (certInfo == null) { - logger.debug("Private key has no certificate, ignore"); -@@ -619,26 +580,29 @@ public class PKCS12Util { - // get public key - PublicKey publicKey = cert.getPublicKey(); - -- // delete the cert again -+ byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes(); -+ if (epkiBytes == null) { -+ logger.debug( -+ "No EncryptedPrivateKeyInfo for key '" -+ + keyInfo.subjectDN + "'; skipping key"); -+ } -+ store.importEncryptedPrivateKeyInfo( -+ new PasswordConverter(), password, nickname, publicKey, epkiBytes); -+ -+ // delete the cert again (it will be imported again later -+ // with the correct nickname) - try { - store.deleteCert(cert); - } catch (NoSuchItemOnTokenException e) { - // this is OK - } -- -- // encrypt private key -- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); -- byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey( -- token, sk, privateKey, EncryptionAlgorithm.DES3_CBC_PAD, param); -- -- // unwrap private key to load into database -- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); -- wrapper.initUnwrap(sk, param); -- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey); - } - -- public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo, boolean overwrite) throws Exception { -- -+ public void storeCertIntoNSS( -+ PKCS12 pkcs12, Password password, -+ PKCS12CertInfo certInfo, boolean overwrite) -+ throws Exception -+ { - CryptoManager cm = CryptoManager.getInstance(); - CryptoToken ct = 
cm.getInternalKeyStorageToken(); - CryptoStore store = ct.getCryptoStore(); -@@ -656,7 +620,7 @@ public class PKCS12Util { - X509Certificate cert; - if (keyInfo != null) { // cert has key - logger.debug("Importing user key for " + certInfo.nickname); -- importKey(pkcs12, keyInfo); -+ importKey(pkcs12, password, certInfo.nickname, keyInfo); - - logger.debug("Importing user certificate " + certInfo.nickname); - cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname); -@@ -671,19 +635,21 @@ public class PKCS12Util { - setTrustFlags(cert, certInfo.trustFlags); - } - -- public void storeCertIntoNSS(PKCS12 pkcs12, String nickname, boolean overwrite) throws Exception { -+ public void storeCertIntoNSS(PKCS12 pkcs12, Password password, String nickname, boolean overwrite) throws Exception { - Collection certInfos = pkcs12.getCertInfosByNickname(nickname); - for (PKCS12CertInfo certInfo : certInfos) { -- storeCertIntoNSS(pkcs12, certInfo, overwrite); -+ storeCertIntoNSS(pkcs12, password, certInfo, overwrite); - } - } - -- public void storeIntoNSS(PKCS12 pkcs12, boolean overwrite) throws Exception { -- -+ public void storeIntoNSS( -+ PKCS12 pkcs12, Password password, boolean overwrite) -+ throws Exception -+ { - logger.info("Storing data into NSS database"); - - for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) { -- storeCertIntoNSS(pkcs12, certInfo, overwrite); -+ storeCertIntoNSS(pkcs12, password, certInfo, overwrite); - } - } - } --- -1.8.3.1 - - -From 118f648961e502f55d6997f59f6cf8f355218da5 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 28 Apr 2017 19:45:53 +1000 -Subject: [PATCH 48/49] PKCS12Util: add some much-needed comments - -Part of: https://pagure.io/dogtagpki/issue/2610 - -Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6 -(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8) ---- - .../src/netscape/security/pkcs/PKCS12KeyInfo.java | 19 +++++++++++++++++++ - 
base/util/src/netscape/security/pkcs/PKCS12Util.java | 17 +++++++++++++++++ - 2 files changed, 36 insertions(+) - -diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -index f180cf2..ddcc3db 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java -@@ -21,6 +21,17 @@ import java.math.BigInteger; - - import org.mozilla.jss.crypto.PrivateKey; - -+/** -+ * This object is used for carrying key info around. -+ * -+ * It does not handle raw key material (but it used to). -+ * -+ * FIXME: A clear refactoring opportunity exists. The 'privateKey' -+ * field (and associated constructor) is only used during export, -+ * and the 'epkiBytes' field (and associated constructor) is only -+ * used during import. Therefore this should be two different -+ * types. -+ */ - public class PKCS12KeyInfo { - - private PrivateKey privateKey; -@@ -31,10 +42,18 @@ public class PKCS12KeyInfo { - public PKCS12KeyInfo() { - } - -+ /** -+ * Construct with a PrivateKey. This constructor is used -+ * for moving the PrivateKey handle around during export. -+ */ - public PKCS12KeyInfo(PrivateKey k) { - this.privateKey = k; - } - -+ /** Construct with a (serialised) EncrypedPrivateKeyInfo. This -+ * constructor is used for moving the EPKI data around during -+ * import. -+ */ - public PKCS12KeyInfo(byte[] epkiBytes) { - this.epkiBytes = epkiBytes; - } -diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java -index 9f9a35e..31c7126 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS12Util.java -+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java -@@ -102,6 +102,14 @@ public class PKCS12Util { - icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2])); - } - -+ /** -+ * Used during EXPORT to add a private key to the PKCS12. 
-+ * -+ * The private key is exported directly from the token, into -+ * an EncryptedPrivateKeyInfo value, then added as a -+ * "Shrouded Key Bag" to the PKCS #12 object. Unencrypted -+ * key material is never seen. -+ */ - public void addKeyBag(PKCS12KeyInfo keyInfo, Password password, - SEQUENCE encSafeContents) throws Exception { - PrivateKey k = keyInfo.getPrivateKey(); -@@ -346,6 +354,12 @@ public class PKCS12Util { - } - } - -+ /** -+ * Loads key bags (for IMPORT and other operations on existing -+ * PKCS #12 files). Does not decrypt EncryptedPrivateKeyInfo -+ * values, but stores them in PKCS12KeyInfo objects for possible -+ * later use. -+ */ - public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception { - - PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded()); -@@ -598,6 +612,9 @@ public class PKCS12Util { - } - } - -+ /** -+ * Store a certificate (and key, if present) in NSSDB. -+ */ - public void storeCertIntoNSS( - PKCS12 pkcs12, Password password, - PKCS12CertInfo certInfo, boolean overwrite) --- -1.8.3.1 - - -From 012718d24aff8c37713f42f2ca69c5bd7aec97df Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 6 Apr 2017 13:27:56 +1000 -Subject: [PATCH 49/49] KRA: use AES in PKCS #12 recovery for wrapped keys - -The KRA has two private key recovery code paths: one dealing with -keys wrapped to the storage key, and one dealing with symmetrically -encrypted keys. Each has a separate function for constructing a -PKCS #12 file for the recovered key. - -This commit updates the PKCS #12 generation for wrapped keys to use -AES encryption. The JSS PBE facility is not expressive enough to -handle PBES2 encryption, which is necessary for many algorithms -including AES, so we now use CryptoStore.getEncryptedPrivateKeyInfo. 
- -Part of: https://pagure.io/dogtagpki/issue/2610 - -Change-Id: Iba67f15642338316e4a6d09f78504327e8853b85 -(cherry picked from commit 8e663b6270d9a9409a04bfcb445318a6d5622b52) ---- - base/kra/src/com/netscape/kra/RecoveryService.java | 24 ++++++++++++---------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index 5609b19..eee800a 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -31,6 +31,7 @@ import java.util.Random; - - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.ASN1Util; -+import org.mozilla.jss.asn1.ANY; - import org.mozilla.jss.asn1.ASN1Value; - import org.mozilla.jss.asn1.BMPString; - import org.mozilla.jss.asn1.OCTET_STRING; -@@ -38,6 +39,7 @@ import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.PBEAlgorithm; -+import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.pkcs12.AuthenticatedSafes; - import org.mozilla.jss.pkcs12.CertBag; -@@ -484,20 +486,20 @@ public class RecoveryService implements IService { - SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new - PasswordConverter(); -- Random ran = new SecureRandom(); -- byte[] salt = new byte[20]; -- ran.nextBytes(salt); - -- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( -- PBEAlgorithm.PBE_SHA1_DES3_CBC, -- pass, salt, 1, passConverter, priKey, ct); -- CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned"); -- if (key == null) { -- CMS.debug("RecoverService: createPFX() key null"); -- throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed"); -+ byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( -+ /* NSS has a bug that causes any AES 
CBC encryption -+ * to use AES-256, but AlgorithmID contains chosen -+ * alg. To avoid mismatch, use AES_256_CBC. */ -+ passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); -+ CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); -+ if (epkiBytes == null) { -+ CMS.debug("RecoverService: createPFX() epkiBytes null"); -+ throw new EBaseException("getEncryptedPrivateKeyInfo returned null"); - } else { -- CMS.debug("RecoverService: createPFX() key not null"); -+ CMS.debug("RecoverService: createPFX() epkiBytes not null"); - } -+ ASN1Value key = new ANY(epkiBytes); - - SET keyAttrs = createBagAttrs( - x509cert.getSubjectDN().toString(), --- -1.8.3.1 - diff --git a/SOURCES/pki-core-cmc-plugin-default-change.patch b/SOURCES/pki-core-cmc-plugin-default-change.patch deleted file mode 100644 index 2a9b5aa..0000000 --- a/SOURCES/pki-core-cmc-plugin-default-change.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 7c075ba00c81dd01ebdb3ee455a07a2fe1256f13 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 29 Jun 2017 15:44:13 -0700 -Subject: [PATCH] Ticket #2779 cmc plugin default change - -(cherry picked from commit 876d13c6d20e7e1235b9efbd601b47315debb492) ---- - base/ca/shared/conf/CS.cfg | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 4da7429..5a244d7 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -735,8 +735,8 @@ ca.publish.rule.instance.LdapXCertRule.predicate= - ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher - ca.publish.rule.instance.LdapXCertRule.type=xcert - cmc.popLinkWitnessRequired=false --cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret --cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -+#cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -+#cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret - cmc.token=internal - cms.passwordlist=internaldb,replicationdb - cms.password.ignore.publishing.failure=true --- -1.8.3.1 - diff --git a/SOURCES/pki-core-enable-non-pkiuser.patch b/SOURCES/pki-core-enable-non-pkiuser.patch deleted file mode 100644 index 16b8855..0000000 --- a/SOURCES/pki-core-enable-non-pkiuser.patch +++ /dev/null 
@@ -1,692 +0,0 @@ -From 8cbeb62e6b4f492047719d7c6e0cfa69c15ceaa4 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 8 Dec 2017 17:17:34 -0700 -Subject: [PATCH 1/6] Fix nuxwdog to work on all platforms - -- dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora - -Change-Id: I5ff65c75087aeb939cb58ee7cf888bbbacb57ad5 -(cherry picked from commit 19f04606cb58f7dc6e2872e39f62d3dad427ae22) ---- - base/server/sbin/pki-server-nuxwdog | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog -index ead925303..cb8993821 100755 ---- a/base/server/sbin/pki-server-nuxwdog -+++ b/base/server/sbin/pki-server-nuxwdog -@@ -41,8 +41,8 @@ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" - touch ${nux_fname} - chown pkiuser: ${nux_fname} - --echo "ExeFile ${JAVACMD}" > $nux_fname --echo "ExeArgs ${JAVACMD} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname -+echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname -+echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname - echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname - echo "ChildSecurity 1" >> $nux_fname - echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname --- -2.14.3 - - -From e688a788f6cb9fd6e488ea5475c50c21583b9c87 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 2 Jan 2018 13:38:40 -0500 -Subject: [PATCH 2/6] Modified systemd invocations in pkispawn to handle - nuxwdog - -The systemd invocations in pkispawn/pkidestroy did not account for -nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to -use the right service name if the nuxwdog service unit files exist. - -Also modified instance_layout deployment script to delete the right -systemd link. 
- -Change-Id: I25eac0555aad022784d7728913ae4a335eab3463 -(cherry picked from commit c7c907c07599ef1d9b52638c25153f7bd82de999) ---- - .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++------------ - .../deployment/scriptlets/instance_layout.py | 5 +- - 2 files changed, 28 insertions(+), 32 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 9bb0dfc0e..2cc36f4a2 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -3495,17 +3495,28 @@ class Systemd(object): - - Args: - deployer (dictionary): PKI Deployment name/value parameters -- -- Attributes: -- -- Returns: -- -- Raises: -- -- Examples: -- - """ - self.mdict = deployer.mdict -+ instance_name = deployer.mdict['pki_instance_name'] -+ -+ unit_file = 'pki-tomcatd@%s.service' % instance_name -+ systemd_link = os.path.join( -+ '/etc/systemd/system/pki-tomcatd.target.wants', -+ unit_file) -+ -+ nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name -+ nuxwdog_systemd_link = os.path.join( -+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', -+ nuxwdog_unit_file) -+ -+ if os.path.exists(nuxwdog_systemd_link): -+ self.is_nuxwdog_enabled = True -+ self.service_name = nuxwdog_unit_file -+ self.systemd_link = nuxwdog_systemd_link -+ else: -+ self.is_nuxwdog_enabled = False -+ self.service_name = unit_file -+ self.systemd_link = systemd_link - - def daemon_reload(self, critical_failure=True): - """PKI Deployment execution management lifecycle function. 
-@@ -3579,7 +3590,7 @@ class Systemd(object): - command = ["rm", "/etc/rc3.d/*" + - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "disable", "pki-tomcatd.target"] -+ command = ["systemctl", "disable", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3629,7 +3640,7 @@ class Systemd(object): - command = ["ln", "-s", "/etc/init.d/pki-tomcatd", - "/etc/rc3.d/S89" + self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "enable", "pki-tomcatd.target"] -+ command = ["systemctl", "enable", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3673,20 +3684,15 @@ class Systemd(object): - - """ - try: -- service = None - # Execute the "systemd daemon-reload" management lifecycle command - if reload_daemon: - self.daemon_reload(critical_failure) -- # Compose this "systemd" execution management command -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." +\ -- "service" - - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "start", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "start", service] -+ command = ["systemctl", "start", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3726,17 +3732,11 @@ class Systemd(object): - - """ - try: -- service = None -- # Compose this "systemd" execution management command -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." 
+\ -- "service" -- - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "stop", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "stop", service] -+ command = ["systemctl", "stop", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3777,21 +3777,16 @@ class Systemd(object): - - """ - try: -- service = None - # Compose this "systemd" execution management command - # Execute the "systemd daemon-reload" management lifecycle command - if reload_daemon: - self.daemon_reload(critical_failure) - -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." +\ -- "service" -- - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "restart", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "restart", service] -+ command = ["systemctl", "restart", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index a9a2840c7..b225d653b 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Link /etc/pki//logging.properties - # to /usr/share/pki/server/conf/logging.properties. 
- deployer.symlink.create( -- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), -+ os.path.join(deployer.mdict['pki_source_server_path'], -+ "logging.properties"), - os.path.join(deployer.mdict['pki_instance_configuration_path'], - "logging.properties")) - -@@ -173,7 +174,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if len(deployer.instance.tomcat_instance_subsystems()) == 0: - - # remove Tomcat instance systemd service link -- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) -+ deployer.symlink.delete(deployer.systemd.systemd_link) - - # remove Tomcat instance base - deployer.directory.delete(deployer.mdict['pki_instance_path']) --- -2.14.3 - - -From 98851261dd164bc586c78d0b96df712918c336e8 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 2 Jan 2018 14:52:32 -0500 -Subject: [PATCH 3/6] Allow prompting for token passwords if not present - -Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff -(cherry picked from commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb) ---- - .../python/pki/server/deployment/__init__.py | 4 +++- - .../python/pki/server/deployment/pkihelper.py | 27 ++++++++-------------- - base/server/sbin/pkidestroy | 2 +- - base/server/sbin/pkispawn | 2 +- - 4 files changed, 15 insertions(+), 20 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py -index 709fe7014..f9b05dd42 100644 ---- a/base/server/python/pki/server/deployment/__init__.py -+++ b/base/server/python/pki/server/deployment/__init__.py -@@ -66,6 +66,7 @@ class PKIDeployer: - self.systemd = None - self.tps_connector = None - self.config_client = None -+ self.parser = None - - # Set installation time - ticks = time.time() -@@ -88,7 +89,7 @@ class PKIDeployer: - if not len(self.dns_domainname): - self.dns_domainname = self.hostname - -- def init(self): -+ def init(self, parser): - - # Utility objects - self.identity = util.Identity(self) -@@ 
-111,6 +112,7 @@ class PKIDeployer: - self.systemd = util.Systemd(self) - self.tps_connector = util.TPSConnector(self) - self.config_client = util.ConfigClient(self) -+ self.parser = parser - - def flatten_master_dict(self): - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 2cc36f4a2..8049e61fc 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -2057,6 +2057,7 @@ class Password: - - def __init__(self, deployer): - self.mdict = deployer.mdict -+ self.deployer = deployer - - def create_password_conf(self, path, pin, pin_sans_token=False, - overwrite_flag=False, critical_failure=True): -@@ -2146,7 +2147,7 @@ class Password: - raise - return - -- def get_password(self, path, token_name, critical_failure=True): -+ def get_password(self, path, token_name): - token_pwd = None - if os.path.exists(path) and os.path.isfile(path) and\ - os.access(path, os.R_OK): -@@ -2159,16 +2160,11 @@ class Password: - token_pwd = tokens[token_name] - - if token_pwd is None or token_pwd == '': -- # TODO prompt for this password -- config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, -- token_name, -- extra=config.PKI_INDENTATION_LEVEL_2) -- if critical_failure: -- raise Exception( -- log.PKIHELPER_PASSWORD_NOT_FOUND_1 % -- token_name) -- else: -- return -+ self.deployer.parser.read_password( -+ 'Password for token {}'.format(token_name), -+ self.deployer.subsystem_name, -+ 'token_pwd') -+ token_pwd = self.mdict['token_pwd'] - return token_pwd - - -@@ -2998,8 +2994,7 @@ class KRAConnector: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- token_name, -- critical_failure) -+ token_name) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( -@@ -3203,8 +3198,7 @@ class TPSConnector: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- 
token_name, -- critical_failure) -+ token_name) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( -@@ -3441,8 +3435,7 @@ class SecurityDomain: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- token_name, -- critical_failure) -+ token_name) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 4a0c6a0b8..58d49698a 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -227,7 +227,7 @@ def main(argv): - - # Process the various "scriptlets" to remove the specified PKI subsystem. - pki_subsystem_scriptlets = parser.mdict['destroy_scriplets'].split() -- deployer.init() -+ deployer.init(parser) - - try: - for scriptlet_name in pki_subsystem_scriptlets: -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 1aa7079e8..6d387b2d8 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -519,7 +519,7 @@ def main(argv): - - # Process the various "scriptlets" to create the specified PKI subsystem. - pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() -- deployer.init() -+ deployer.init(parser) - - try: - for scriptlet_name in pki_subsystem_scriptlets: --- -2.14.3 - - -From 25439301773d2bf80a7eb871c8e1161bdbdb0315 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 17 Jan 2018 18:31:19 -0500 -Subject: [PATCH 4/6] Allow instances to be created with custom users - -Some folks want to run instances under a different user and -group (ie. not pkiuser). They may even want a different user for -each instance. The way to do this in systemd is to create systemd -override files for the specific instance. - -The deployment scriptlets have been updated to create (and delete) -these override files. 
- -Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037 -(cherry picked from commit afe0a2525cace41a1bef2ff7fe0f8f53aa5990e5) ---- - .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++++++++++++++ - .../deployment/scriptlets/instance_layout.py | 18 +++++++ - 2 files changed, 73 insertions(+) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 8049e61fc..2b18f003c 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -21,6 +21,12 @@ - # System Imports - from __future__ import absolute_import - from __future__ import print_function -+ -+try: -+ import configparser -+except ImportError: -+ import ConfigParser as configparser -+ - import errno - import sys - import os -@@ -3490,26 +3496,75 @@ class Systemd(object): - deployer (dictionary): PKI Deployment name/value parameters - """ - self.mdict = deployer.mdict -+ self.deployer = deployer - instance_name = deployer.mdict['pki_instance_name'] - - unit_file = 'pki-tomcatd@%s.service' % instance_name - systemd_link = os.path.join( - '/etc/systemd/system/pki-tomcatd.target.wants', - unit_file) -+ override_dir = '/etc/systemd/system/pki-tomcatd@{}.service.d'.format( -+ instance_name) -+ self.base_override_dir = override_dir - - nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name - nuxwdog_systemd_link = os.path.join( - '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', - nuxwdog_unit_file) -+ nuxwdog_override_dir = ( -+ '/etc/systemd/system/pki-tomcatd-nuxwdog@{}.service.d'.format( -+ instance_name)) -+ self.nuxwdog_override_dir = nuxwdog_override_dir -+ -+ # self.overrides will be a hash of ConfigParsers indexed by filename -+ # once the overrides have been constructed, the caller should call -+ # write_overrides() -+ self.overrides = {} - - if os.path.exists(nuxwdog_systemd_link): - self.is_nuxwdog_enabled = True - self.service_name 
= nuxwdog_unit_file - self.systemd_link = nuxwdog_systemd_link -+ self.override_dir = nuxwdog_override_dir - else: - self.is_nuxwdog_enabled = False - self.service_name = unit_file - self.systemd_link = systemd_link -+ self.override_dir = override_dir -+ -+ def create_override_directory(self): -+ self.deployer.directory.create(self.override_dir, uid=0, gid=0) -+ -+ def create_override_file(self, fname): -+ self.create_override_directory() -+ self.deployer.file.create( -+ os.path.join(self.override_dir, fname), -+ uid=0, gid=0 -+ ) -+ -+ def set_override(self, section, param, value, fname='local.conf'): -+ if fname not in self.overrides: -+ parser = configparser.ConfigParser() -+ parser.optionxform = str -+ override_file = os.path.join(self.override_dir, fname) -+ if os.path.exists(override_file): -+ parser.read(override_file) -+ self.overrides[fname] = parser -+ else: -+ parser = self.overrides[fname] -+ -+ if not parser.has_section(section): -+ parser.add_section(section) -+ -+ parser[section][param] = value -+ -+ def write_overrides(self): -+ for fname, parser in self.overrides.items(): -+ override_file = os.path.join(self.override_dir, fname) -+ if not os.path.exists(override_file): -+ self.create_override_file(override_file) -+ with open(override_file, 'w') as fp: -+ parser.write(fp, space_around_delimiters=False) - - def daemon_reload(self, critical_failure=True): - """PKI Deployment execution management lifecycle function. 
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index b225d653b..bb9919f34 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -144,10 +144,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.symlink.create( - deployer.mdict['pki_tomcat_bin_path'], - deployer.mdict['pki_tomcat_bin_link']) -+ -+ # create systemd links - deployer.symlink.create( - deployer.mdict['pki_tomcat_systemd'], - deployer.mdict['pki_instance_systemd_link'], - uid=0, gid=0) -+ user = deployer.mdict['pki_user'] -+ group = deployer.mdict['pki_group'] -+ if user != 'pkiuser' or group != 'pkiuser': -+ deployer.systemd.set_override( -+ 'Service', 'User', user, 'user.conf') -+ deployer.systemd.set_override( -+ 'Service', 'Group', group, 'user.conf') -+ deployer.systemd.write_overrides() -+ deployer.systemd.daemon_reload() - - # establish shared NSS security databases for this instance - deployer.directory.create(deployer.mdict['pki_database_path']) -@@ -176,6 +187,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # remove Tomcat instance systemd service link - deployer.symlink.delete(deployer.systemd.systemd_link) - -+ # delete systemd override directories -+ if deployer.directory.exists(deployer.systemd.base_override_dir): -+ deployer.directory.delete(deployer.systemd.base_override_dir) -+ if deployer.directory.exists(deployer.systemd.nuxwdog_override_dir): -+ deployer.directory.delete(deployer.systemd.nuxwdog_override_dir) -+ deployer.systemd.daemon_reload() -+ - # remove Tomcat instance base - deployer.directory.delete(deployer.mdict['pki_instance_path']) - # remove Tomcat instance logs --- -2.14.3 - - -From dc0af568a913d06ced134e6685b5dec1bafb5153 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 16 Jan 2018 15:10:15 -0500 -Subject: 
[PATCH 5/6] Make sure tomcat is running as pki user with nuxwdog - -The nuxwdog process needs to run as a privileged user to be able -to retrieve the passwords from the systemd tty agent in systemctl. -Therefore, the nuxwdog unit file should NOT specify the PKI user -there. - -However, we have added an option to nuxwdog to specify the user -in the nuxwdog config file, so that the process that nuxwdog spawns -(ie. tomcat) will run as the specified user. - -The code changes in this patch ensure that when the nuxwdog conf -file is created, the user is set correctly as the value of the -variable TOMCAT_USER. - -Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf -(cherry picked from commit 96e99209b278b5ba380a61486a5b6ce6a87326a0) ---- - base/server/sbin/pki-server-nuxwdog | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog -index cb8993821..ffdbc3394 100755 ---- a/base/server/sbin/pki-server-nuxwdog -+++ b/base/server/sbin/pki-server-nuxwdog -@@ -39,7 +39,7 @@ set_javacmd - # create the nuxwdog config file - nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" - touch ${nux_fname} --chown pkiuser: ${nux_fname} -+chown ${TOMCAT_USER}: ${nux_fname} - - echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname - echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname -@@ -50,4 +50,5 @@ echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname - echo "ExeBackground 1" >> $nux_fname - echo "PidFile $NUXWDOG_PID" >> $nux_fname - echo "ChildPidFile $CATALINA_PID" >> $nux_fname -+echo "User ${TOMCAT_USER}" >> $nux_fname - --- -2.14.3 - - -From 73faa356531a529e13e55800861598bb6cc8ab6a Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 1 Feb 2018 13:02:03 -0500 -Subject: [PATCH 6/6] More fixes for non-standard users - -Needed to fix some python code that was added that works only on Python 3. 
-The top level directories for the registry should be owned by -root and be world readable/executable so that different users -can read the registry. - -Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282 -cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11 - -(cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2) ---- - base/common/CMakeLists.txt | 12 ++++++++++++ - base/server/python/pki/server/deployment/pkihelper.py | 8 ++------ - .../server/deployment/scriptlets/infrastructure_layout.py | 14 ++++++++++---- - .../pki/server/deployment/scriptlets/instance_layout.py | 5 +++-- - 4 files changed, 27 insertions(+), 12 deletions(-) - -diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt -index d7856e1aa..3e8659da6 100644 ---- a/base/common/CMakeLists.txt -+++ b/base/common/CMakeLists.txt -@@ -133,6 +133,18 @@ install( - ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd-nuxwdog.target.wants - ) - -+install( -+ DIRECTORY -+ DESTINATION -+ /etc/sysconfig/pki -+) -+ -+install( -+ DIRECTORY -+ DESTINATION -+ /etc/sysconfig/pki/tomcat -+) -+ - install( - DIRECTORY - man/ -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 2b18f003c..2e92b5956 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -1024,8 +1024,6 @@ class Instance: - raise - - def get_instance_status(self, secure_connection=True): -- pki_protocol = None -- pki_port = None - if secure_connection: - pki_protocol = "https" - pki_port = self.mdict['pki_https_port'] -@@ -2931,7 +2929,6 @@ class ServerCertNickConf: - try: - # overwrite value inside 'serverCertNick.conf' - with open(self.servercertnick_conf, "w") as fd: -- ssl_server_nickname = None - if self.step_two: - # use final HSM name - ssl_server_nickname = (self.token_name + ":" + -@@ -3556,7 +3553,7 @@ class Systemd(object): - if not parser.has_section(section): - 
parser.add_section(section) - -- parser[section][param] = value -+ parser.set(section, param, value) - - def write_overrides(self): - for fname, parser in self.overrides.items(): -@@ -3564,7 +3561,7 @@ class Systemd(object): - if not os.path.exists(override_file): - self.create_override_file(override_file) - with open(override_file, 'w') as fp: -- parser.write(fp, space_around_delimiters=False) -+ parser.write(fp) - - def daemon_reload(self, critical_failure=True): - """PKI Deployment execution management lifecycle function. -@@ -4142,7 +4139,6 @@ class ConfigClient: - os.path.dirname(self.mdict['pki_external_admin_csr_path'])) - with open(self.mdict['pki_external_admin_csr_path'], "w") as f: - f.write("-----BEGIN CERTIFICATE REQUEST-----\n") -- admin_certreq = None - with open(os.path.join( - self.mdict['pki_client_database_dir'], - "admin_pkcs10.bin.asc"), "r") as f: -diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -index b105378f8..7322ac392 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -@@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # registry directories for storage of a copy of the original - # deployment configuration file used to spawn this instance, - # and save a copy of this file -- deployer.directory.create(deployer.mdict['pki_registry_path']) -- deployer.directory.create( -- deployer.mdict['pki_instance_type_registry_path']) -+ # -+ # Unless a prefix is used, the top level directories should exist -+ # and be owned by the rpm -+ if deployer.mdict['pki_root_prefix'] != "": -+ deployer.directory.create(deployer.mdict['pki_registry_path']) -+ deployer.directory.create( -+ deployer.mdict['pki_instance_type_registry_path']) -+ - 
deployer.directory.create(deployer.mdict['pki_instance_registry_path']) - deployer.directory.create( - deployer.mdict['pki_subsystem_registry_path']) -@@ -123,4 +128,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.directory.delete( - deployer.mdict['pki_configuration_path']) - # remove top-level infrastructure registry -- deployer.directory.delete(deployer.mdict['pki_registry_path']) -+ if deployer.mdict['pki_root_prefix'] != "": -+ deployer.directory.delete(deployer.mdict['pki_registry_path']) -diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index bb9919f34..b24e9b728 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -211,8 +211,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_instance_registry_path']) - # remove Tomcat PKI registry (if empty) - if deployer.instance.tomcat_instances() == 0: -- deployer.directory.delete( -- deployer.mdict['pki_instance_type_registry_path']) -+ if deployer.mdict['pki_root_prefix'] != "": -+ deployer.directory.delete( -+ deployer.mdict['pki_instance_type_registry_path']) - - - # Callback only when the /usr/share/pki/server/conf directory --- -2.14.3 - diff --git a/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch b/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch deleted file mode 100644 index 721c49f..0000000 --- a/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch +++ /dev/null 
@@ -1,278 +0,0 @@ -From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Mon, 9 Oct 2017 16:26:21 +1100 -Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception - -renderFinalError is a "last resort" error handler that writes an -error message back to the client. If the exception was not already -logged, the call stack will be discarded after renderFinalError is -finished with the exception. - -Log the exception so that the call stack information is not lost. - -Part of: https://pagure.io/dogtagpki/issue/2557 - -Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f -(cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492) -(cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7) ---- - base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -index 65dc06a..fe18ee1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java -@@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet { - - public void renderFinalError(CMSRequest cmsReq, Exception ex) - throws IOException { -+ CMS.debug("Caught exception in renderFinalError:"); -+ CMS.debug(ex); - // this template is the last resort for all other unexpected - // errors in other templates so we can only output text. 
- HttpServletResponse httpResp = cmsReq.getHttpResp(); --- -1.8.3.1 - - -From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Mon, 9 Oct 2017 16:45:51 +1100 -Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table - -If the security domain session table is null for some reason, detect -this condition, log it, and return cleanly instead of throwing a -NullPointerException. - -Part of: https://pagure.io/dogtagpki/issue/2557 - -Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb -(cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d) -(cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6) ---- - .../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java -index 27f4782..1d98693 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java -@@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet { - String uid = ""; - String gid = ""; - CMS.debug("TokenAuthentication: checking session in the session table"); -- if (table.sessionExists(sessionId)) { -+ if (table == null) { -+ CMS.debug("TokenAuthentication: session table is null"); -+ outputError(httpResp, "Error: session table is null"); -+ return; -+ } else if (table.sessionExists(sessionId)) { - CMS.debug("TokenAuthentication: found session"); - if (checkIP) { - String hostname = table.getIP(sessionId); --- -1.8.3.1 - - -From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 10 Oct 2017 00:21:57 +1100 -Subject: [PATCH 3/5] TokenAuthentication: log error message on error - -If a TokenAuthenticate response indicates 
failure (state != 0), log -the error string in addition to the status code. - -Part of: https://pagure.io/dogtagpki/issue/2557 - -Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2 -(cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26) -(cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143) ---- - .../cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java -index ebda0b6..2aa32d4 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java -@@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager, - CMS.debug("TokenAuthentication: status=" + status); - if (!status.equals("0")) { - String error = parser.getValue("Error"); -+ CMS.debug("TokenAuthentication: error: " + error); - throw new EBaseException(error); - } - --- -1.8.3.1 - - -From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 11 Oct 2017 15:41:15 +1100 -Subject: [PATCH 4/5] Sleep after security domain login during configuration - -Clone installation can fail due to security domain token -authentication failure that arises because: - -1. The security domain session gets created on the replica's CA - instance. - -2. The "updateNumberRange" is performed against the subsystem being - cloned, and results in a token authentication request to the CA - subsystem on the same host. - -3. LDAP replication lag means that the master does not yet see - the security domain session that was created on the replica. - -To avoid this problem, introduce a small delay after logging into -the security domain, to allow for replication to occur. The delay -is configurable and defaults to 5 seconds. 
- -Fixes: https://pagure.io/dogtagpki/issue/2557 -Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913 -(cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3) -(cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b) ---- - .../netscape/certsrv/system/ConfigurationRequest.java | 14 ++++++++++++++ - .../org/dogtagpki/server/rest/SystemConfigService.java | 17 ++++++++++++++++- - 2 files changed, 30 insertions(+), 1 deletion(-) - -diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java -index 26f45f0..03dbfa6 100644 ---- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java -+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java -@@ -244,6 +244,11 @@ public class ConfigurationRequest { - @XmlElement - protected String signingCertSerialNumber; - -+ /** Seconds to sleep after logging into the Security Domain, -+ * so that replication of the session data may complete. 
*/ -+ @XmlElement -+ protected Long securityDomainPostLoginSleepSeconds; -+ - public ConfigurationRequest() { - // required for JAXB - } -@@ -974,6 +979,14 @@ public class ConfigurationRequest { - this.signingCertSerialNumber = signingCertSerialNumber; - } - -+ public Long getSecurityDomainPostLoginSleepSeconds() { -+ return securityDomainPostLoginSleepSeconds; -+ } -+ -+ public void setSecurityDomainPostLoginSleepSeconds(Long d) { -+ securityDomainPostLoginSleepSeconds = d; -+ } -+ - @Override - public String toString() { - return "ConfigurationRequest [pin=XXXX" + -@@ -983,6 +996,7 @@ public class ConfigurationRequest { - ", securityDomainName=" + securityDomainName + - ", securityDomainUser=" + securityDomainUser + - ", securityDomainPassword=XXXX" + -+ ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds + - ", isClone=" + isClone + - ", cloneUri=" + cloneUri + - ", subsystemName=" + subsystemName + -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -index afbb24a..9ffb6e3 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -@@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - - getInstallToken(data, host, port); - -- return getDomainXML(host, port); -+ String domainXML = getDomainXML(host, port); -+ -+ /* Sleep for a bit to allow security domain session to replicate -+ * to other clones. In the future we can use signed tokens -+ * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to -+ * be mindful of working with older versions, too. -+ * -+ * The default sleep time is 5s. 
-+ */ -+ Long d = data.getSecurityDomainPostLoginSleepSeconds(); -+ if (null == d || d <= 0) -+ d = new Long(5); -+ CMS.debug("Logged into security domain; sleeping for " + d + "s"); -+ Thread.sleep(d * 1000); -+ -+ return domainXML; - } - - private String getDomainXML(String host, int port) { --- -1.8.3.1 - - -From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 11 Oct 2017 18:12:04 +1100 -Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration - configurable - -Add the pki_security_domain_post_login_sleep_seconds pkispawn -config, so that the administrator may set a duration other than the -default. - -Part of: https://pagure.io/dogtagpki/issue/2557 - -Change-Id: I74f16ea15621773e0742f709adc87df559cb530a -(cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b) -(cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910) ---- - base/server/man/man8/pkispawn.8 | 7 +++++++ - base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++ - 2 files changed, 14 insertions(+) - -diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 -index 002520a..1d4ae24 100644 ---- a/base/server/man/man8/pkispawn.8 -+++ b/base/server/man/man8/pkispawn.8 -@@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP - pki_security_domain_hostname= - pki_security_domain_https_port= - pki_security_domain_user=caadmin -+pki_security_domain_post_login_sleep_seconds=\fI5\fP - - [Tomcat] - pki_clone=True -@@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set. The PKCS#12 file is then found under - be generated at any time post-installation using \fBPKCS12Export\fP. - - .PP -+The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep -+duration after logging into a security domain, to allow the security domain -+session data to be replicated to subsystems on other hosts. It is optional and -+defaults to 5 seconds. 
-+ -+.PP - An example invocation showing the export of the system certificates and keys, - copying the keys to the replica subsystem, and setting the relevant SELinux and - file permissions is shown below. \fBpwfile\fP is a text file containing the -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index cf2a748..9bb0dfc 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -4045,6 +4045,13 @@ class ConfigClient: - if self.subordinate: - self.set_subca_security_domain(data) - -+ try: -+ d = int(self.mdict['pki_security_domain_post_login_sleep_seconds']) -+ if d > 0: -+ data.securityDomainPostLoginSleepSeconds = d -+ except (KeyError, ValueError): -+ pass -+ - # database - if self.subsystem != "RA": - self.set_database_parameters(data) --- -1.8.3.1 - diff --git a/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch b/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch deleted file mode 100644 index 4514c7b..0000000 --- a/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 5f62e2db4a1a9040758a806095e1b4da5d0a0d1d Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 6 Oct 2017 11:21:48 +1100 -Subject: [PATCH] Fix issuance when CA cert lacks Subject Key ID ext - -If the CA signing cert does not have the Subject Key Identifier -extension, issuance of certificates fails. Although such a CA -certificate is not compliant with RFC 5280, this does happen in the -wild, and we previously handled this case by computing the SHA-1 -digest of the signing key as a last resort. This behaviour was -removed by 3c43b1119ca978c296a38a9fe404e1c0cdcdab63, breaking cert -issuance in installations with CA certs that lack the SKI extention. - -Restore this behaviour. - -Fixes: https://pagure.io/dogtagpki/issue/2829 -Change-Id: I2f590abe258c0f9405549945b89e3c25c32c2a00 -(cherry picked from commit 8ec0cbd1bef372ed50e19f6c5b6332b75209beb0) -(cherry picked from commit 119f4ee0288c1e6e6996847a66f617f04dd42ae6) ---- - base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -index 635c044..8d5361e 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -@@ -95,6 +95,6 @@ public abstract class CAEnrollDefault extends EnrollDefault { - "CryptoUtil.generateKeyIdentifier returns null"); - return null; - } -- return null; -+ return new KeyIdentifier(hash); - } - } --- -1.8.3.1 - diff --git a/SOURCES/pki-core-platform-dependent-python-import.patch b/SOURCES/pki-core-platform-dependent-python-import.patch deleted file mode 100644 index c36bd3a..0000000 --- a/SOURCES/pki-core-platform-dependent-python-import.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From dfbd7c8d54dc27957438a722bc43e37b1b2057b6 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Thu, 22 Jun 2017 12:50:21 -0600 -Subject: [PATCH] dogtagpki Pagure Issue #2745 - Platform Dependent Python - Import - -(cherry picked from commit 9d63a7a6b1abb42595b6a24296a39a79441ba8df) ---- - base/common/python/pki/client.py | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py -index 805d0fa..e1a4d3f 100644 ---- a/base/common/python/pki/client.py -+++ b/base/common/python/pki/client.py -@@ -25,7 +25,10 @@ import functools - import warnings - - import requests --from requests.packages.urllib3.exceptions import InsecureRequestWarning -+try: -+ from requests.packages.urllib3.exceptions import InsecureRequestWarning -+except ImportError: -+ from urllib3.exceptions import InsecureRequestWarning - - - def catch_insecure_warning(func): --- -1.8.3.1 - diff --git a/SOURCES/pki-core-post-beta.patch b/SOURCES/pki-core-post-beta.patch deleted file mode 100644 index 49bb244..0000000 --- a/SOURCES/pki-core-post-beta.patch +++ /dev/null 
@@ -1,1733 +0,0 @@ -From c95cff5899e2975b16db61b811b626742e5e7114 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 1 May 2017 17:48:33 -0700 -Subject: [PATCH 01/10] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false - would cause error This patch would fix the issue. It also adds the - CMCUserSignedAuth authentication instance that was missed in the CS.cfg - ---- - base/ca/shared/conf/CS.cfg | 1 + - .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 8 +++----- - 2 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 078abee..3eb5b1b 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -180,6 +180,7 @@ auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAu - auths.instance.TokenAuth.pluginName=TokenAuth - auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents - auths.instance.AgentCertAuth.pluginName=AgentCertAuth -+auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth - auths.instance.raCertAuth.agentGroup=Registration Manager Agents - auths.instance.raCertAuth.pluginName=AgentCertAuth - auths.instance.flatFileAuth.pluginName=FlatFileAuth -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 57f07d1..7d52fc8 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -885,10 +885,7 @@ public abstract class EnrollProfile extends BasicProfile - } - - int nummsgs = reqSeq.size(); -- if (!popLinkWitnessRequired) { -- CMS.debug(method + "popLinkWitnessRequired false, skip check"); -- } else if (nummsgs > 0) { -- CMS.debug(method + "cmc.popLinkWitnessRequired is true"); -+ if (nummsgs > 0) { - CMS.debug(method + "nummsgs =" + nummsgs); - msgs = new TaggedRequest[reqSeq.size()]; - SEQUENCE 
bpids = new SEQUENCE(); -@@ -896,7 +893,8 @@ public abstract class EnrollProfile extends BasicProfile - boolean valid = true; - for (int i = 0; i < nummsgs; i++) { - msgs[i] = (TaggedRequest) reqSeq.elementAt(i); -- if (!context.containsKey("POPLinkWitnessV2") && -+ if (popLinkWitnessRequired && -+ !context.containsKey("POPLinkWitnessV2") && - !context.containsKey("POPLinkWitness")) { - CMS.debug(method + "popLinkWitness(V2) required"); - if (randomSeed == null) { --- -1.8.3.1 - - -From 220e35d2b5610cb051831b990451b3b3ff53604e Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 2 May 2017 21:44:36 +1000 -Subject: [PATCH 02/10] CAInfoService: retrieve info from KRA - -The CAInfoService returns CA configuration info, including -KRA-related values the CA clients may need to know (e.g. for -generating a CRMF cert request that will cause keys to be archived -in KRA). Currently that information is statically configured and -does not respect the actual configuration of the KRA. - -Update the service to retrieve info from the KRA, which is queried -according to the KRA Connector configuration. After the KRA has -been successfully contacted, the recorded KRA-related settings are -regarded as authoritative. - -The KRA is contacted ONLY if the current info is NOT authoritative, -otherwise the currently recorded values are used. This means that -any change to relevant KRA configuration (which should occur seldom -if ever) necessitates restart of the CA subsystem. - -If this is unsuccessful (e.g. if the KRA is down or the connector is -misconfigured) we use the default values, which may be incorrect. 
- -Fixes: https://pagure.io/dogtagpki/issue/2665 -Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746 ---- - .../org/dogtagpki/server/rest/CAInfoService.java | 143 ++++++++++++++++++--- - 1 file changed, 126 insertions(+), 17 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -index f4724a6..398f499 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -@@ -18,26 +18,63 @@ - - package org.dogtagpki.server.rest; - -+import java.net.MalformedURLException; -+import java.net.URISyntaxException; -+ - import javax.servlet.http.HttpSession; - import javax.ws.rs.core.Response; - - import org.dogtagpki.common.CAInfo; - import org.dogtagpki.common.CAInfoResource; -+import org.dogtagpki.common.KRAInfo; -+import org.dogtagpki.common.KRAInfoClient; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.base.PKIException; -+import com.netscape.certsrv.client.ClientConfig; -+import com.netscape.certsrv.client.PKIClient; -+import com.netscape.certsrv.system.KRAConnectorInfo; -+import com.netscape.cms.servlet.admin.KRAConnectorProcessor; - import com.netscape.cms.servlet.base.PKIService; - - /** - * @author Ade Lee -+ * -+ * This class returns CA info, including KRA-related values the CA -+ * clients may need to know (e.g. for generating a CRMF cert request -+ * that will cause keys to be archived in KRA). -+ * -+ * The KRA-related info is read from the KRAInfoService, which is -+ * queried according to the KRA Connector configuration. After -+ * the KRAInfoService has been successfully contacted, the recorded -+ * KRA-related settings are regarded as authoritative. 
-+ * -+ * The KRA is contacted ONLY if the current info is NOT -+ * authoritative, otherwise the currently recorded values are used. -+ * This means that any change to relevant KRA configuration (which -+ * should occur seldom if ever) necessitates restart of the CA -+ * subsystem. -+ * -+ * If this is unsuccessful (e.g. if the KRA is down or the -+ * connector is misconfigured) we use the default values, which -+ * may be incorrect. - */ - public class CAInfoService extends PKIService implements CAInfoResource { - - private static Logger logger = LoggerFactory.getLogger(InfoService.class); - -+ // is the current KRA-related info authoritative? -+ private static boolean kraInfoAuthoritative = false; -+ -+ // KRA-related fields (the initial values are only used if we -+ // did not yet receive authoritative info from KRA) -+ private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; -+ private static String wrappingKeySet = "0"; -+ - @Override - public Response getInfo() throws Exception { - -@@ -45,30 +82,102 @@ public class CAInfoService extends PKIService implements CAInfoResource { - logger.debug("CAInfoService.getInfo(): session: " + session.getId()); - - CAInfo info = new CAInfo(); -- String archivalMechanism = getArchivalMechanism(); -- -- if (archivalMechanism != null) -- info.setArchivalMechanism(getArchivalMechanism()); - -- info.setWrappingKeySet(getWrappingKeySet()); -+ addKRAInfo(info); - - return createOKResponse(info); - } - -- String getArchivalMechanism() throws EBaseException { -- IConfigStore cs = CMS.getConfigStore(); -- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); -- if (!kra_present) return null; -- -- boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); -- return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM; -+ /** -+ * Add KRA fields if KRA is configured, querying the KRA -+ * if necessary. 
-+ * -+ * Apart from reading 'headers', this method doesn't access -+ * any instance data. -+ */ -+ private void addKRAInfo(CAInfo info) { -+ KRAConnectorInfo connInfo = null; -+ try { -+ KRAConnectorProcessor processor = -+ new KRAConnectorProcessor(getLocale(headers)); -+ connInfo = processor.getConnectorInfo(); -+ } catch (Throwable e) { -+ // connInfo remains as null -+ } -+ boolean kraEnabled = -+ connInfo != null -+ && "true".equalsIgnoreCase(connInfo.getEnable()); -+ -+ if (kraEnabled) { -+ if (!kraInfoAuthoritative) { -+ // KRA is enabled but we are yet to successfully -+ // query the KRA-related info. Do it now. -+ queryKRAInfo(connInfo); -+ } -+ -+ info.setArchivalMechanism(archivalMechanism); -+ info.setWrappingKeySet(wrappingKeySet); -+ } - } - -- String getWrappingKeySet() throws EBaseException { -- IConfigStore cs = CMS.getConfigStore(); -- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false); -- if (!kra_present) return null; -+ private static void queryKRAInfo(KRAConnectorInfo connInfo) { -+ try { -+ KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); -+ -+ archivalMechanism = kraInfo.getArchivalMechanism(); -+ -+ // request succeeded; the KRA is 10.4 or higher, -+ // therefore supports key set v1 -+ wrappingKeySet = "1"; -+ -+ // mark info as authoritative -+ kraInfoAuthoritative = true; -+ } catch (PKIException e) { -+ if (e.getCode() == 404) { -+ // The KRAInfoResource was added in 10.4, -+ // so we are talking to a pre-10.4 KRA -+ -+ // pre-10.4 only supports key set v0 -+ wrappingKeySet = "0"; -+ -+ // pre-10.4 KRA does not advertise the archival -+ // mechanism; look for the old knob in CA's config -+ // or fall back to the default -+ IConfigStore cs = CMS.getConfigStore(); -+ boolean encrypt_archival; -+ try { -+ encrypt_archival = cs.getBoolean( -+ "kra.allowEncDecrypt.archival", false); -+ } catch (EBaseException e1) { -+ encrypt_archival = false; -+ } -+ archivalMechanism = encrypt_archival -+ ? 
KRAInfoService.ENCRYPT_MECHANISM -+ : KRAInfoService.KEYWRAP_MECHANISM; -+ -+ // mark info as authoritative -+ kraInfoAuthoritative = true; -+ } else { -+ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e); -+ CMS.debug(e); -+ } -+ } catch (Throwable e) { -+ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e); -+ CMS.debug(e); -+ } -+ } - -- return cs.getString("kra.wrappingKeySet", "1"); -+ /** -+ * Construct KRAInfoClient given KRAConnectorInfo -+ */ -+ private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo) -+ throws MalformedURLException, URISyntaxException, EBaseException { -+ ClientConfig config = new ClientConfig(); -+ int port = Integer.parseInt(connInfo.getPort()); -+ config.setServerURL("https", connInfo.getHost(), port); -+ config.setCertDatabase( -+ CMS.getConfigStore().getString("instanceRoot") + "/alias"); -+ return new KRAInfoClient(new PKIClient(config), "kra"); - } -+ - } --- -1.8.3.1 - - -From c64d6331d52dcf07108226c5dff26bd8b6c41e70 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Thu, 4 May 2017 10:36:49 +0200 -Subject: [PATCH 03/10] pki.authority: Don't send header as POST body - -pki.authority was mistakenly sending headers as POST body instead of -sending an empty POST body with right headers. 
- -Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae -Signed-off-by: Christian Heimes ---- - base/common/python/pki/authority.py | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py -index 9fa459c..0d83a4b 100644 ---- a/base/common/python/pki/authority.py -+++ b/base/common/python/pki/authority.py -@@ -140,7 +140,7 @@ class AuthorityClient(object): - url = self.ca_url + '/' + str(aid) - headers = {'Content-type': 'application/json', - 'Accept': 'application/json'} -- r = self.connection.get(url, headers) -+ r = self.connection.get(url, headers=headers) - return AuthorityData.from_json(r.json()) - - @pki.handle_exceptions() -@@ -167,7 +167,7 @@ class AuthorityClient(object): - raise ValueError( - "Invalid format passed in - PEM or DER expected.") - -- r = self.connection.get(url, headers) -+ r = self.connection.get(url, headers=headers) - return r.text - - @pki.handle_exceptions() -@@ -189,7 +189,7 @@ class AuthorityClient(object): - elif output_format == "PKCS7": - headers['Accept'] = "application/pkcs7-mime" - -- r = self.connection.get(url, headers) -+ r = self.connection.get(url, headers=headers) - return r.text - - @pki.handle_exceptions() -@@ -238,7 +238,7 @@ class AuthorityClient(object): - response = self.connection.post( - self.ca_url, - create_request, -- headers) -+ headers=headers) - - new_ca = AuthorityData.from_json(response.json()) - return new_ca -@@ -257,7 +257,7 @@ class AuthorityClient(object): - headers = {'Content-type': 'application/json', - 'Accept': 'application/json'} - -- self.connection.post(url, headers) -+ self.connection.post(url, None, headers=headers) - - @pki.handle_exceptions() - def disable_ca(self, aid): -@@ -272,7 +272,7 @@ class AuthorityClient(object): - headers = {'Content-type': 'application/json', - 'Accept': 'application/json'} - -- self.connection.post(url, headers) -+ self.connection.post(url, None, 
headers=headers) - - @pki.handle_exceptions() - def delete_ca(self, aid): -@@ -287,7 +287,7 @@ class AuthorityClient(object): - headers = {'Content-type': 'application/json', - 'Accept': 'application/json'} - -- self.connection.delete(url, headers) -+ self.connection.delete(url, headers=headers) - - - encoder.NOTYPES['AuthorityData'] = AuthorityData --- -1.8.3.1 - - -From 62a78bfa227b5e75a7cb931d7e65e824f5fe01ec Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 5 May 2017 19:54:15 +1000 -Subject: [PATCH 04/10] Fix PKCS #12 import during clone installation - -PKCS #12 export was updated to use AES / PBES2 encryption for the -key bags, but an import code path used when spawning a clone was -missed, and now fails (because it doesn't grok PBES2). - -Update it to use CryptoStore.importEncryptedPrivateKeyInfo() -instead, fixing the problem. - -Fixes: https://pagure.io/dogtagpki/issue/2677 -Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9 ---- - .../cms/servlet/csadmin/ConfigurationUtils.java | 32 +++++++--------------- - 1 file changed, 10 insertions(+), 22 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index ee1984b..07c64af 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -886,9 +886,7 @@ public class ConfigurationUtils { - if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { - - CMS.debug(" - Bag #" + j + ": key"); -- EncryptedPrivateKeyInfo privkeyinfo = -- (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent(); -- PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter()); -+ byte[] epki = bag.getBagContent().getEncoded(); - - SET bagAttrs = bag.getBagAttributes(); - String subjectDN = null; -@@ -910,9 +908,10 @@ public class ConfigurationUtils { - } - } - -- // 
pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String) -+ // pkeyinfo_v stores EncryptedPrivateKeyInfo -+ // (byte[]) and subject DN (String) - Vector pkeyinfo_v = new Vector(); -- pkeyinfo_v.addElement(pkeyinfo); -+ pkeyinfo_v.addElement(epki); - if (subjectDN != null) - pkeyinfo_v.addElement(subjectDN); - -@@ -971,7 +970,7 @@ public class ConfigurationUtils { - } - } - -- importKeyCert(pkeyinfo_collection, cert_collection); -+ importKeyCert(password, pkeyinfo_collection, cert_collection); - } - - public static void verifySystemCertificates() throws Exception { -@@ -1012,6 +1011,7 @@ public class ConfigurationUtils { - } - - public static void importKeyCert( -+ Password password, - Vector> pkeyinfo_collection, - Vector> cert_collection - ) throws Exception { -@@ -1028,7 +1028,7 @@ public class ConfigurationUtils { - CMS.debug("Importing new keys:"); - for (int i = 0; i < pkeyinfo_collection.size(); i++) { - Vector pkeyinfo_v = pkeyinfo_collection.elementAt(i); -- PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0); -+ byte[] epki = (byte[]) pkeyinfo_v.elementAt(0); - String nickname = (String) pkeyinfo_v.elementAt(1); - CMS.debug("- Key: " + nickname); - -@@ -1037,11 +1037,6 @@ public class ConfigurationUtils { - continue; - } - -- // encode private key -- ByteArrayOutputStream bos = new ByteArrayOutputStream(); -- pkeyinfo.encode(bos); -- byte[] pkey = bos.toByteArray(); -- - CMS.debug(" Find cert with subject DN " + nickname); - // TODO: use better mechanism to find the cert - byte[] x509cert = getX509Cert(nickname, cert_collection); -@@ -1063,16 +1058,9 @@ public class ConfigurationUtils { - // this is OK - } - -- // encrypt private key -- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); -- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -- IVParameterSpec param = new IVParameterSpec(iv); -- byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(token, sk, pkey, 
EncryptionAlgorithm.DES3_CBC_PAD, param); -- -- // unwrap private key to load into database -- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); -- wrapper.initUnwrap(sk, param); -- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey); -+ // import private key into database -+ store.importEncryptedPrivateKeyInfo( -+ new PasswordConverter(), password, nickname, publicKey, epki); - } - - CMS.debug("Importing new certificates:"); --- -1.8.3.1 - - -From 3fb95590cdf0e45418fa0be7a020691567ef152a Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 5 May 2017 20:13:07 +1000 -Subject: [PATCH 05/10] Delete unused methods - -Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203 ---- - .../cms/servlet/csadmin/ConfigurationUtils.java | 103 --------------------- - 1 file changed, 103 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 07c64af..c9a375f 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -1203,13 +1203,6 @@ public class ConfigurationUtils { - return null; - } - -- public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) { -- if (pubkey.getAlgorithm().equals("EC")) { -- return org.mozilla.jss.crypto.PrivateKey.Type.EC; -- } -- return org.mozilla.jss.crypto.PrivateKey.Type.RSA; -- } -- - public static boolean isCASigningCert(String name) throws EBaseException { - IConfigStore cs = CMS.getConfigStore(); - try { -@@ -3495,102 +3488,6 @@ public class ConfigurationUtils { - } - } - -- public static void addKeyBag(PrivateKey pkey, X509Certificate x509cert, -- Password pass, byte[] localKeyId, SEQUENCE safeContents) -- throws NoSuchAlgorithmException, InvalidBERException, InvalidKeyException, -- InvalidAlgorithmParameterException, 
NotInitializedException, TokenException, IllegalStateException, -- IllegalBlockSizeException, BadPaddingException, CharConversionException { -- -- PasswordConverter passConverter = new PasswordConverter(); -- -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -- byte salt[] = random.generateSeed(4); // 4 bytes salt -- byte[] priData = getEncodedKey(pkey); -- -- PrivateKeyInfo pki = (PrivateKeyInfo) -- ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData); -- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( -- PBEAlgorithm.PBE_SHA1_DES3_CBC, -- pass, salt, 1, passConverter, pki); -- SET keyAttrs = createBagAttrs( -- x509cert.getSubjectDN().toString(), localKeyId); -- SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, -- key, keyAttrs); -- safeContents.addElement(keyBag); -- -- } -- -- public static byte[] addCertBag(X509Certificate x509cert, String nickname, -- SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException, -- CharConversionException { -- byte[] localKeyId = null; -- -- ASN1Value cert = new OCTET_STRING(x509cert.getEncoded()); -- localKeyId = createLocalKeyId(x509cert); -- SET certAttrs = null; -- if (nickname != null) -- certAttrs = createBagAttrs(nickname, localKeyId); -- SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, -- new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs); -- safeContents.addElement(certBag); -- -- return localKeyId; -- } -- -- public static byte[] getEncodedKey(PrivateKey pkey) throws NotInitializedException, NoSuchAlgorithmException, -- TokenException, IllegalStateException, CharConversionException, InvalidKeyException, -- InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException { -- CryptoManager cm = CryptoManager.getInstance(); -- CryptoToken token = cm.getInternalKeyStorageToken(); -- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); -- SymmetricKey sk = kg.generate(); -- KeyWrapper wrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); -- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -- IVParameterSpec param = new IVParameterSpec(iv); -- wrapper.initWrap(sk, param); -- byte[] enckey = wrapper.wrap(pkey); -- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); -- c.initDecrypt(sk, param); -- byte[] recovered = c.doFinal(enckey); -- return recovered; -- } -- -- public static byte[] createLocalKeyId(X509Certificate cert) -- throws NoSuchAlgorithmException, CertificateEncodingException { -- -- // SHA1 hash of the X509Cert der encoding -- byte certDer[] = cert.getEncoded(); -- -- MessageDigest md = MessageDigest.getInstance("SHA"); -- -- md.update(certDer); -- return md.digest(); -- -- } -- -- public static SET createBagAttrs(String nickName, byte localKeyId[]) throws CharConversionException { -- -- SET attrs = new SET(); -- SEQUENCE nickNameAttr = new SEQUENCE(); -- -- nickNameAttr.addElement(SafeBag.FRIENDLY_NAME); -- SET nickNameSet = new SET(); -- -- nickNameSet.addElement(new BMPString(nickName)); -- nickNameAttr.addElement(nickNameSet); -- attrs.addElement(nickNameAttr); -- SEQUENCE localKeyAttr = new SEQUENCE(); -- -- localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID); -- SET localKeySet = new SET(); -- -- localKeySet.addElement(new OCTET_STRING(localKeyId)); -- localKeyAttr.addElement(localKeySet); -- attrs.addElement(localKeyAttr); -- return attrs; -- -- } -- - public static void createAdminCertificate(String certRequest, String certRequestType, String subject) - throws Exception { - IConfigStore cs = CMS.getConfigStore(); --- -1.8.3.1 - - -From f26b3aaee1cf36941f387b464b937ffee1403048 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Fri, 5 May 2017 11:44:17 -0700 -Subject: [PATCH 06/10] Non server keygen issue in SCP03. - -Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663 - -We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. 
For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue. ---- - .../server/tps/channel/SecureChannel.java | 4 +- - .../server/tps/processor/TPSProcessor.java | 51 +++++++++++++++------- - 2 files changed, 37 insertions(+), 18 deletions(-) - -diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -index fc5472c..5e5646b 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -@@ -148,8 +148,8 @@ public class SecureChannel { - - CMS.debug("SecureChannel.SecureChannel: For SCP03. : "); - -- CMS.debug("kekDesKey: " + kekDesKey.toHexString()); -- CMS.debug("keyCheck: " + keyCheck.toHexString()); -+ if (keyCheck != null) -+ CMS.debug("keyCheck: " + keyCheck.toHexString()); - - this.platProtInfo = platformInfo; - this.processor = processor; -diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -index 0cfac59..0f96915 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -@@ -33,6 +33,8 @@ import java.util.List; - import java.util.Map; - import java.util.Set; - -+import netscape.security.x509.RevocationReason; -+ - import org.dogtagpki.server.tps.TPSSession; - import org.dogtagpki.server.tps.TPSSubsystem; - import org.dogtagpki.server.tps.authentication.AuthUIParameter; -@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.symkey.SessionKey; - --import netscape.security.x509.RevocationReason; -- - public class TPSProcessor { - - public static final int RESULT_NO_ERROR = 0; -@@ -923,20 
+923,39 @@ public class TPSProcessor { - TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey(); - TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey(); - -- CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString()); -- CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString()); -- CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString()); -- CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString()); -- CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString()); -- CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString()); -- CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString()); -- -- encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -- encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); -- macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -- macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); -- kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -- kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); -+ if (encSessionKeyBuff != null) -+ CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString()); -+ -+ if (kekSessionKeyBuff != null) -+ CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString()); -+ -+ if (macSessionKeyBuff != null) -+ CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString()); -+ -+ if (hostCryptogramBuff != null) -+ CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString()); -+ -+ if (keyCheckBuff != null) -+ CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString()); -+ -+ if (drmDesKeyBuff != null) -+ CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString()); -+ -+ if (kekDesKeyBuff != null) -+ CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString()); -+ -+ -+ if (encSessionKeyBuff != null) 
-+ encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -+ encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); -+ -+ if (macSessionKeyBuff != null) -+ macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -+ macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); -+ -+ if (kekSessionKeyBuff != null) -+ kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, -+ kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); - - channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03, - drmDesKeyBuff, kekDesKeyBuff, --- -1.8.3.1 - - -From f84bfab30647ae1492fcdca0a026bfa4d91350c9 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 1 May 2017 15:56:58 -0400 -Subject: [PATCH 07/10] Make sure generated asym keys are extractable - -In HSMs, we were not able to retrieve asym keys that were -generated from the AsymKeyGenService, because the right -flags were not set (ie. set like in the server side -keygen case). - -To do this, I extracted the key generation function from -NetKeygenService to KeyRecoveryAuthority, so that it could -be used by both services. 
- -Bugzilla BZ# 1386303 - -Change-Id: I13b5f4b602217a685acada94091e91df75e25eff ---- - .../certsrv/kra/IKeyRecoveryAuthority.java | 17 ++ - .../src/com/netscape/kra/AsymKeyGenService.java | 23 +-- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 184 ++++++++++++++++++++ - .../src/com/netscape/kra/NetkeyKeygenService.java | 185 +-------------------- - 4 files changed, 213 insertions(+), 196 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java -index a12d773..4f709e9 100644 ---- a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java -+++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java -@@ -17,12 +17,15 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.certsrv.kra; - -+import java.security.KeyPair; - import java.util.Enumeration; - import java.util.Hashtable; - import java.util.Vector; - - import org.dogtagpki.legacy.policy.IPolicyProcessor; - import org.mozilla.jss.crypto.CryptoToken; -+import org.mozilla.jss.crypto.KeyPairGeneratorSpi; -+import org.mozilla.jss.crypto.PQGParams; - - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.ISubsystem; -@@ -337,4 +340,18 @@ public interface IKeyRecoveryAuthority extends ISubsystem { - * @return - */ - public boolean isRetrievalSynchronous(String realm); -+ -+ /** -+ * Generate an asymmetric key pair. 
-+ * -+ * @param alg -+ * @param keySize -+ * @param keyCurve -+ * @param pqg -+ * @param usageList - RSA only for now -+ * @return key pair -+ * @throws EBaseException -+ */ -+ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve, -+ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException; - } -diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index 9528972..7351d50 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -19,14 +19,10 @@ package com.netscape.kra; - - import java.math.BigInteger; - import java.security.KeyPair; --import java.security.NoSuchAlgorithmException; - - import org.mozilla.jss.crypto.CryptoToken; --import org.mozilla.jss.crypto.KeyPairAlgorithm; --import org.mozilla.jss.crypto.KeyPairGenerator; - import org.mozilla.jss.crypto.KeyPairGeneratorSpi; - import org.mozilla.jss.crypto.PrivateKey; --import org.mozilla.jss.crypto.TokenException; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -@@ -42,7 +38,6 @@ import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; --import com.netscape.cms.servlet.key.KeyRequestDAO; - import com.netscape.cmscore.dbs.KeyRecord; - - import netscape.security.util.WrappingParams; -@@ -132,8 +127,6 @@ public class AsymKeyGenService implements IService { - CMS.debug("AsymKeyGenService.serviceRequest. 
Request id: " + request.getRequestId()); - CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm); - -- KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase()); -- - String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); - String auditSubjectID = owner; - -@@ -141,16 +134,18 @@ public class AsymKeyGenService implements IService { - CryptoToken token = kra.getKeygenToken(); - - // Generating the asymmetric keys -- KeyPairGenerator keyPairGen = null; - KeyPair kp = null; - - try { -- keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm); -- keyPairGen.initialize(keySize); -- if (usageList != null) -- keyPairGen.setKeyPairUsages(usageList, usageList); -- kp = keyPairGen.genKeyPair(); -- } catch (NoSuchAlgorithmException | TokenException e) { -+ kp = kra.generateKeyPair( -+ algorithm.toUpperCase(), -+ keySize, -+ null, // keyCurve for ECC, not yet supported -+ null, // PQG not yet supported -+ usageList -+ ); -+ -+ } catch (EBaseException e) { - CMS.debugStackTrace(); - auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), - clientKeyId, null, "Failed to generate Asymmetric key"); -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index ec920e6..54953d1 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -20,6 +20,10 @@ package com.netscape.kra; - import java.io.ByteArrayOutputStream; - import java.io.IOException; - import java.math.BigInteger; -+import java.security.InvalidAlgorithmParameterException; -+import java.security.InvalidParameterException; -+import java.security.KeyPair; -+import java.security.NoSuchAlgorithmException; - import java.security.cert.CertificateEncodingException; - import java.security.cert.CertificateException; - import java.security.cert.X509Certificate; -@@ -32,6 
+36,12 @@ import org.dogtagpki.legacy.kra.KRAPolicy; - import org.dogtagpki.legacy.policy.IPolicyProcessor; - import org.mozilla.jss.NoSuchTokenException; - import org.mozilla.jss.crypto.CryptoToken; -+import org.mozilla.jss.crypto.KeyPairAlgorithm; -+import org.mozilla.jss.crypto.KeyPairGenerator; -+import org.mozilla.jss.crypto.KeyPairGeneratorSpi; -+import org.mozilla.jss.crypto.PQGParamGenException; -+import org.mozilla.jss.crypto.PQGParams; -+import org.mozilla.jss.crypto.TokenException; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authority.IAuthority; -@@ -1816,4 +1826,178 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - return agents; - } -+ -+ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve, -+ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException { -+ KeyPairAlgorithm kpAlg = null; -+ -+ if (alg.equals("RSA")) -+ kpAlg = KeyPairAlgorithm.RSA; -+ else if (alg.equals("EC")) -+ kpAlg = KeyPairAlgorithm.EC; -+ else -+ kpAlg = KeyPairAlgorithm.DSA; -+ -+ try { -+ KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg, usageList); -+ -+ return kp; -+ } catch (InvalidParameterException e) { -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", -+ "" + keySize)); -+ } catch (PQGParamGenException e) { -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); -+ } catch (NoSuchAlgorithmException e) { -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", -+ kpAlg.toString())); -+ } catch (TokenException e) { -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString())); -+ } catch (InvalidAlgorithmParameterException e) { -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); -+ } -+ } -+ -+ public KeyPair generateKeyPair( -+ KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg, -+ KeyPairGeneratorSpi.Usage[] 
usageList ) -+ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, -+ InvalidParameterException, PQGParamGenException { -+ -+ CryptoToken token = getKeygenToken(); -+ -+ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName()); -+ -+ /* -+ make it temporary so can work with HSM -+ netHSM works with -+ temporary == true -+ sensitive == -+ extractable == -+ LunaSA2 works with -+ temporary == true -+ sensitive == true -+ extractable == true -+ */ -+ KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); -+ IConfigStore config = CMS.getConfigStore(); -+ IConfigStore kgConfig = config.getSubStore("kra.keygen"); -+ boolean tp = false; -+ boolean sp = false; -+ boolean ep = false; -+ if ((kgConfig != null) && (!kgConfig.equals(""))) { -+ try { -+ tp = kgConfig.getBoolean("temporaryPairs", false); -+ sp = kgConfig.getBoolean("sensitivePairs", false); -+ ep = kgConfig.getBoolean("extractablePairs", false); -+ CMS.debug("NetkeyKeygenService: found config store: kra.keygen"); -+ // by default, let nethsm work -+ if ((tp == false) && (sp == false) && (ep == false)) { -+ if (kpAlg == KeyPairAlgorithm.EC) { -+ // set to what works for nethsm -+ tp = true; -+ sp = false; -+ ep = true; -+ } else -+ tp = true; -+ } -+ } catch (Exception e) { -+ CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); -+ // by default, let nethsm work -+ tp = true; -+ } -+ } else { -+ // by default, let nethsm work -+ CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); -+ if (kpAlg == KeyPairAlgorithm.EC) { -+ // set to what works for nethsm -+ tp = true; -+ sp = false; -+ ep = true; -+ } else { -+ tp = true; -+ } -+ } -+ -+ if (kpAlg == KeyPairAlgorithm.EC) { -+ -+ boolean isECDHE = false; -+ KeyPair pair = null; -+ -+ // used with isECDHE == true -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = { -+ 
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE -+ }; -+ -+ // used with isECDHE == false -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER -+ }; -+ -+ try { -+ pair = CryptoUtil.generateECCKeyPair(token.getName(), -+ keyCurve /*ECC_curve default*/, -+ null, -+ (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH, -+ tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/); -+ CMS.debug("NetkeyKeygenService: after key pair generation" ); -+ } catch (Exception e) { -+ CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString()); -+ } -+ return pair; -+ -+ } else { // !EC -+ //only specified to "true" will it be set -+ if (tp == true) { -+ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); -+ kpGen.temporaryPairs(true); -+ } -+ -+ if (sp == true) { -+ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); -+ kpGen.sensitivePairs(true); -+ } -+ -+ if (ep == true) { -+ CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); -+ kpGen.extractablePairs(true); -+ } -+ -+ if (kpAlg == KeyPairAlgorithm.DSA) { -+ if (pqg == null) { -+ kpGen.initialize(keySize); -+ } else { -+ kpGen.initialize(pqg); -+ } -+ } else { -+ kpGen.initialize(keySize); -+ } -+ -+ if (usageList != null) -+ kpGen.setKeyPairUsages(usageList, usageList); -+ -+ if (pqg == null) { -+ KeyPair kp = null; -+ synchronized (new Object()) { -+ CMS.debug("NetkeyKeygenService: key pair generation begins"); -+ kp = kpGen.genKeyPair(); -+ CMS.debug("NetkeyKeygenService: key pair generation done"); -+ addEntropy(true); -+ } -+ return kp; -+ } else { -+ // DSA -+ KeyPair kp = null; -+ -+ /* no DSA for now... 
netkey prototype -+ do { -+ // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair -+ kp = kpGen.genKeyPair(); -+ } -+ while (isBadDSAKeyPair(kp)); -+ */ -+ return kp; -+ } -+ } -+ } - } -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index e09eb42..f068a4a 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -23,11 +23,8 @@ import java.io.FilterOutputStream; - import java.io.IOException; - import java.io.PrintStream; - import java.math.BigInteger; --import java.security.InvalidAlgorithmParameterException; - import java.security.InvalidKeyException; --import java.security.InvalidParameterException; - import java.security.KeyPair; --import java.security.NoSuchAlgorithmException; - import java.security.SecureRandom; - - import org.mozilla.jss.asn1.ASN1Util; -@@ -35,21 +32,15 @@ import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.IVParameterSpec; - import org.mozilla.jss.crypto.KeyGenAlgorithm; --import org.mozilla.jss.crypto.KeyPairAlgorithm; --import org.mozilla.jss.crypto.KeyPairGenerator; - import org.mozilla.jss.crypto.KeyWrapAlgorithm; --import org.mozilla.jss.crypto.PQGParamGenException; --import org.mozilla.jss.crypto.PQGParams; - import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.crypto.SymmetricKey; --import org.mozilla.jss.crypto.TokenException; - import org.mozilla.jss.pkcs11.PK11SymKey; - import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; - import org.mozilla.jss.util.Base64OutputStream; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; --import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.MetaInfo; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; -@@ -122,177 +113,6 @@ public 
class NetkeyKeygenService implements IService { - return archOpts; - } - -- public KeyPair generateKeyPair( -- KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg) -- throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, -- InvalidParameterException, PQGParamGenException { -- -- CryptoToken token = mKRA.getKeygenToken(); -- -- CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName()); -- -- /* -- make it temporary so can work with HSM -- netHSM works with -- temporary == true -- sensitive == -- extractable == -- LunaSA2 works with -- temporary == true -- sensitive == true -- extractable == true -- */ -- KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); -- IConfigStore config = CMS.getConfigStore(); -- IConfigStore kgConfig = config.getSubStore("kra.keygen"); -- boolean tp = false; -- boolean sp = false; -- boolean ep = false; -- if ((kgConfig != null) && (!kgConfig.equals(""))) { -- try { -- tp = kgConfig.getBoolean("temporaryPairs", false); -- sp = kgConfig.getBoolean("sensitivePairs", false); -- ep = kgConfig.getBoolean("extractablePairs", false); -- CMS.debug("NetkeyKeygenService: found config store: kra.keygen"); -- // by default, let nethsm work -- if ((tp == false) && (sp == false) && (ep == false)) { -- if (kpAlg == KeyPairAlgorithm.EC) { -- // set to what works for nethsm -- tp = true; -- sp = false; -- ep = true; -- } else -- tp = true; -- } -- } catch (Exception e) { -- CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); -- // by default, let nethsm work -- tp = true; -- } -- } else { -- // by default, let nethsm work -- CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); -- if (kpAlg == KeyPairAlgorithm.EC) { -- // set to what works for nethsm -- tp = true; -- sp = false; -- ep = true; -- } else { -- tp = true; -- } -- } -- -- if (kpAlg == KeyPairAlgorithm.EC) { -- -- boolean isECDHE = false; -- KeyPair pair = 
null; -- -- // used with isECDHE == true -- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = { -- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE -- }; -- -- // used with isECDHE == false -- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { -- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, -- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER -- }; -- -- try { -- pair = CryptoUtil.generateECCKeyPair(token.getName(), -- keyCurve /*ECC_curve default*/, -- null, -- (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH, -- tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/); -- CMS.debug("NetkeyKeygenService: after key pair generation" ); -- } catch (Exception e) { -- CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString()); -- } -- return pair; -- -- } else { // !EC -- //only specified to "true" will it be set -- if (tp == true) { -- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); -- kpGen.temporaryPairs(true); -- } -- -- if (sp == true) { -- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); -- kpGen.sensitivePairs(true); -- } -- -- if (ep == true) { -- CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); -- kpGen.extractablePairs(true); -- } -- -- if (kpAlg == KeyPairAlgorithm.DSA) { -- if (pqg == null) { -- kpGen.initialize(keySize); -- } else { -- kpGen.initialize(pqg); -- } -- } else { -- kpGen.initialize(keySize); -- } -- -- if (pqg == null) { -- KeyPair kp = null; -- synchronized (new Object()) { -- CMS.debug("NetkeyKeygenService: key pair generation begins"); -- kp = kpGen.genKeyPair(); -- CMS.debug("NetkeyKeygenService: key pair generation done"); -- mKRA.addEntropy(true); -- } -- return kp; -- } else { -- // DSA -- KeyPair kp = null; -- -- /* no DSA for now... 
netkey prototype -- do { -- // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair -- kp = kpGen.genKeyPair(); -- } -- while (isBadDSAKeyPair(kp)); -- */ -- return kp; -- } -- } -- } -- -- public KeyPair generateKeyPair(String alg, -- int keySize, String keyCurve, PQGParams pqg) throws EBaseException { -- -- KeyPairAlgorithm kpAlg = null; -- -- if (alg.equals("RSA")) -- kpAlg = KeyPairAlgorithm.RSA; -- else if (alg.equals("EC")) -- kpAlg = KeyPairAlgorithm.EC; -- else -- kpAlg = KeyPairAlgorithm.DSA; -- -- try { -- KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg); -- -- return kp; -- } catch (InvalidParameterException e) { -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", -- "" + keySize)); -- } catch (PQGParamGenException e) { -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); -- } catch (NoSuchAlgorithmException e) { -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", -- kpAlg.toString())); -- } catch (TokenException e) { -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString())); -- } catch (InvalidAlgorithmParameterException e) { -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); -- } -- } -- - private static String base64Encode(byte[] bytes) throws IOException { - // All this streaming is lame, but Base64OutputStream needs a - // PrintStream -@@ -430,10 +250,11 @@ public class NetkeyKeygenService implements IService { - - CMS.debug("NetkeyKeygenService: about to generate key pair"); - -- keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */, -+ keypair = mKRA.generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */, - keysize /*Integer.parseInt(len)*/, - rKeycurve /* for "EC" only */, -- null /*pqgParams*/); -+ null /*pqgParams*/, -+ null /* usageList*/); - - if (keypair == null) { - CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid); --- -1.8.3.1 - - 
-From bea446868e282955d9c70028be657530eaccbe29 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Mon, 1 May 2017 18:25:59 -0400 -Subject: [PATCH 08/10] Use AES-CBC in storage unit for archival in key - wrapping - -When AES-KW or AES-KWP is not available, we need to be sure to use -a key wrap algorithm that is available for keywrap. This would -be AES-CBC. Removes some TODOs. - -Refactor so that getWrappingParams is only defined on the StorageUnit, -which is where it makes sense in any case. - -Part of Bugzilla BZ# 1386303 - -Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51 ---- - .../src/com/netscape/certsrv/security/IEncryptionUnit.java | 2 -- - .../src/com/netscape/certsrv/security/IStorageKeyUnit.java | 6 ++++++ - base/kra/src/com/netscape/kra/AsymKeyGenService.java | 11 +++-------- - base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 -- - base/kra/src/com/netscape/kra/EnrollmentService.java | 2 +- - base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 7 +++++-- - base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 2 +- - base/kra/src/com/netscape/kra/StorageKeyUnit.java | 12 +++++++++++- - base/kra/src/com/netscape/kra/SymKeyGenService.java | 7 +++++-- - base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ---- - 10 files changed, 32 insertions(+), 23 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java -index add15cb..e55713d 100644 ---- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java -+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java -@@ -63,7 +63,5 @@ public interface IEncryptionUnit extends IToken { - SymmetricKey.Usage usage, WrappingParams params) throws Exception; - - -- public WrappingParams getWrappingParams() throws Exception; -- - public WrappingParams getOldWrappingParams(); - } -diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java 
b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java -index cd94143..bfc6012 100644 ---- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java -+++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java -@@ -174,4 +174,10 @@ public interface IStorageKeyUnit extends IEncryptionUnit { - public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary, - WrappingParams params) throws Exception; - -+ /** -+ * Get the wrapping parameters for this storage unit -+ * -+ */ -+ public WrappingParams getWrappingParams(boolean encrypt) throws Exception; -+ - } -diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index 7351d50..cfee504 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -20,7 +20,6 @@ package com.netscape.kra; - import java.math.BigInteger; - import java.security.KeyPair; - --import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.KeyPairGeneratorSpi; - import org.mozilla.jss.crypto.PrivateKey; - -@@ -68,7 +67,7 @@ public class AsymKeyGenService implements IService { - - @Override - public boolean serviceRequest(IRequest request) throws EBaseException { -- IConfigStore cs = CMS.getConfigStore(); -+ IConfigStore configStore = CMS.getConfigStore(); - String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); - String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); - -@@ -77,7 +76,7 @@ public class AsymKeyGenService implements IService { - - String realm = request.getRealm(); - -- boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); -+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); - - KeyPairGeneratorSpi.Usage[] usageList = null; - String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); -@@ 
-130,9 +129,6 @@ public class AsymKeyGenService implements IService { - String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); - String auditSubjectID = owner; - -- // Get the token -- CryptoToken token = kra.getKeygenToken(); -- - // Generating the asymmetric keys - KeyPair kp = null; - -@@ -162,8 +158,7 @@ public class AsymKeyGenService implements IService { - WrappingParams params = null; - - try { -- // TODO(alee) What happens if key wrap algorithm is not supported? -- params = storageUnit.getWrappingParams(); -+ params = storageUnit.getWrappingParams(allowEncDecrypt_archival); - privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params); - } catch (Exception e) { - CMS.debug("Failed to generate security data to archive: " + e); -diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java -index 02a4ca1..b460c9e 100644 ---- a/base/kra/src/com/netscape/kra/EncryptionUnit.java -+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java -@@ -67,8 +67,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { - - public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); - -- public abstract WrappingParams getWrappingParams() throws Exception; -- - public WrappingParams getOldWrappingParams() { - return new WrappingParams( - SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index a200c34..e413a06 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -396,7 +396,7 @@ public class EnrollmentService implements IService { - WrappingParams params = null; - - try { -- params = mStorageUnit.getWrappingParams(); -+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); - if (allowEncDecrypt_archival == true) { - privateKeyData = 
mStorageUnit.encryptInternalPrivate(unwrapped, params); - } else { -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index f068a4a..636e93e 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.MetaInfo; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; -@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService { - - IVParameterSpec algParam = new IVParameterSpec(iv); - -+ IConfigStore configStore = CMS.getConfigStore(); -+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); -+ - wrapped_des_key = null; - boolean archive = true; - byte[] publicKeyData = null; -@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService { - WrappingParams params = null; - - try { -- // TODO(alee) What happens if key wrap algorithm is not supported? 
-- params = mStorageUnit.getWrappingParams(); -+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); - privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); - } catch (Exception e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 701b611..95d07c4 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -217,7 +217,7 @@ public class SecurityDataProcessor { - boolean doEncrypt = false; - - try { -- params = storageUnit.getWrappingParams(); -+ params = storageUnit.getWrappingParams(allowEncDecrypt_archival); - if (securitySymKey != null && unwrapped == null) { - privateSecurityData = storageUnit.wrap(securitySymKey, params); - } else if (unwrapped != null && allowEncDecrypt_archival == true) { -diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java -index 3e7f1de..1df30f6 100644 ---- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java -+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java -@@ -133,7 +133,7 @@ public class StorageKeyUnit extends EncryptionUnit implements - throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); - } - -- public WrappingParams getWrappingParams() throws Exception { -+ public WrappingParams getWrappingParams(boolean encrypt) throws Exception { - String choice = null; - try { - choice = mConfig.getString(PROP_WRAPPING_CHOICE); -@@ -177,6 +177,16 @@ public class StorageKeyUnit extends EncryptionUnit implements - KeyRecordParser.OUT_PL_WRAP_IV_LEN); - if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv)); - -+ if (encrypt) { -+ // Some HSMs have not yet implemented AES-KW. 
Use AES-CBC-PAD instead -+ if (params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP) || -+ params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD)) { -+ params.setPayloadWrapAlgorithm(KeyWrapAlgorithm.AES_CBC_PAD); -+ iv = CryptoUtil.getNonceData(16); -+ params.setPayloadWrappingIV(new IVParameterSpec(iv)); -+ } -+ } -+ - return params; - } - -diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java -index c1830ec..bf350d5 100644 ---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java -@@ -29,6 +29,7 @@ import org.mozilla.jss.crypto.SymmetricKey; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.key.KeyRequestResource; -@@ -107,6 +108,9 @@ public class SymKeyGenService implements IService { - throw new EBaseException("Bad data in SymKeyGenService.serviceRequest"); - } - -+ IConfigStore configStore = CMS.getConfigStore(); -+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); -+ - CryptoToken token = mStorageUnit.getToken(); - KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm); - if (kgAlg == null) { -@@ -170,8 +174,7 @@ public class SymKeyGenService implements IService { - } - - try { -- // TODO(alee) what happens if key wrap algorithm is not supported? 
-- params = mStorageUnit.getWrappingParams(); -+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); - privateSecurityData = mStorageUnit.wrap(sk, params); - } catch (Exception e) { - CMS.debug("Failed to generate security data to archive: " + e); -diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java -index 513c0b2..fc66e66 100644 ---- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java -+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java -@@ -115,10 +115,6 @@ public class TransportKeyUnit extends EncryptionUnit implements - } - } - -- public WrappingParams getWrappingParams() { -- return getOldWrappingParams(); -- } -- - public CryptoToken getInternalToken() { - try { - return CryptoManager.getInstance().getInternalKeyStorageToken(); --- -1.8.3.1 - - -From 00c17b3e2f81c9df12e1a89fc85dc2e3d4c3a2b1 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 5 May 2017 21:30:15 -0400 -Subject: [PATCH 09/10] Fix symmetic key retrieval in HSM - -When using an HSM, AES KeyWrapping is not available and so -some different code paths were exercised. Fixing bugs in those -paths uncovered a case where we were calling unwrapSymmetric() -with bits and not bytes for the key length. - -This does not matter for 3DES, where JSS expects a length of 0, -but very much matters for AES. Fixing this - and the KeyClient -to actually use the returned wrapping algorithm to unwrap, allows -us now to return generated symmetric keys correctly. 
- -Bugzilla BZ#1448521 -Pagure: 2690 - -Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890 ---- - base/common/src/com/netscape/certsrv/key/KeyClient.java | 4 ++-- - base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 +- - base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 12 ++++++++++++ - base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ++-- - base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ++-- - 5 files changed, 19 insertions(+), 7 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java -index 2c99e1c..9a69372 100644 ---- a/base/common/src/com/netscape/certsrv/key/KeyClient.java -+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java -@@ -429,7 +429,7 @@ public class KeyClient extends Client { - bytes = crypto.unwrapSymmetricKeyWithSessionKey( - data.getEncryptedData(), - sessionKey, -- wrapAlgorithm, -+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()), - data.getNonceData(), - data.getAlgorithm(), - data.getSize()); -@@ -446,7 +446,7 @@ public class KeyClient extends Client { - bytes = crypto.unwrapAsymmetricKeyWithSessionKey( - data.getEncryptedData(), - sessionKey, -- wrapAlgorithm, -+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()), - data.getNonceData(), - pubKey); - } -diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java -index b460c9e..eb8a2f8 100644 ---- a/base/kra/src/com/netscape/kra/EncryptionUnit.java -+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java -@@ -84,7 +84,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { - return CryptoUtil.unwrap( - token, - params.getSkType(), -- 0, -+ params.getSkType().equals(SymmetricKey.DES3)? 
0: params.getSkLength(), - usage, wrappingKey, - encSymmKey, - params.getSkWrapAlgorithm()); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 95d07c4..344f376 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -411,6 +411,18 @@ public class SecurityDataProcessor { - String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME); - String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); - -+ if (allowEncDecrypt_recovery) { -+ if (payloadWrapName == null) { -+ // assume old client -+ payloadWrapName = "DES3/CBC/Pad"; -+ } else if (payloadWrapName.equals("AES KeyWrap/Padding") || -+ payloadWrapName.equals("AES KeyWrap")) { -+ // Some HSMs have not implemented AES-KW yet -+ // Make sure we select an algorithm that is supported. -+ payloadWrapName = "AES/CBC/PKCS5Padding"; -+ } -+ } -+ - byte[] iv = null; - byte[] iv_wrap = null; - try { -diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java -index fc66e66..d0ad8b3 100644 ---- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java -+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java -@@ -289,7 +289,7 @@ public class TransportKeyUnit extends EncryptionUnit implements - SymmetricKey sk = CryptoUtil.unwrap( - token, - params.getSkType(), -- 0, -+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(), - SymmetricKey.Usage.DECRYPT, - wrappingKey, - encSymmKey, -@@ -360,7 +360,7 @@ public class TransportKeyUnit extends EncryptionUnit implements - SymmetricKey sk = CryptoUtil.unwrap( - token, - params.getSkType(), -- 0, -+ params.getSkType().equals(SymmetricKey.DES3)? 
0: params.getSkLength(), - SymmetricKey.Usage.UNWRAP, - wrappingKey, - encSymmKey, -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index d22856d..e529a0f 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -2346,7 +2346,7 @@ public class CryptoUtil { - KeyWrapAlgorithm wrapAlgorithm, IVParameterSpec wrappingIV) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(wrapAlgorithm); - wrapper.initUnwrap(wrappingKey, wrappingIV); -- return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength); -+ return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8); - } - - public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Type keyType, -@@ -2355,7 +2355,7 @@ public class CryptoUtil { - KeyWrapper keyWrapper = token.getKeyWrapper(wrapAlgorithm); - keyWrapper.initUnwrap(wrappingKey, null); - -- return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength); -+ return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8); - } - - public static PrivateKey unwrap(CryptoToken token, PublicKey pubKey, boolean temporary, --- -1.8.3.1 - - -From c0bb0ee8e36a85673e30352a7205414b215196a5 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 8 May 2017 18:53:26 +0200 -Subject: [PATCH 10/10] pkispawn: wait after final restart - -The finalization scriptlet now waits after service has been restarted. 
- -Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de -Bugzilla: BZ#1446364 -Pagure: 2644 -Signed-off-by: Christian Heimes ---- - .travis/40-spawn-ca | 5 ----- - .travis/50-spawn-kra | 5 ----- - .../server/python/pki/server/deployment/scriptlets/finalization.py | 7 +++++++ - 3 files changed, 7 insertions(+), 10 deletions(-) - -diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca -index d6771db..d57e6b7 100755 ---- a/.travis/40-spawn-ca -+++ b/.travis/40-spawn-ca -@@ -2,8 +2,3 @@ - set -e - - pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA -- --echo "Waiting for port 8080" --for i in {1..20}; do -- curl http://localhost:8080 && break || sleep 1 --done -diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra -index 93f2f4c..f7e8fc1 100755 ---- a/.travis/50-spawn-kra -+++ b/.travis/50-spawn-kra -@@ -2,8 +2,3 @@ - set -e - - pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA -- --echo "Waiting for port 8080" --for i in {1..20}; do -- curl http://localhost:8080 && break || sleep 1 --done -diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py -index 3dc7f66..941691c 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/finalization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py -@@ -57,6 +57,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Optionally, programmatically 'restart' the configured PKI instance - if config.str2bool(deployer.mdict['pki_restart_configured_instance']): - deployer.systemd.restart() -+ # wait for startup -+ status = deployer.instance.wait_for_startup(60) -+ if status is None: -+ config.pki_log.error( -+ "server failed to restart", -+ extra=config.PKI_INDENTATION_LEVEL_1) -+ raise RuntimeError("server failed to restart") - - # Optionally, 'purge' the entire temporary client infrastructure - # including the client NSS security databases and password files --- -1.8.3.1 - 
diff --git a/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch b/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch deleted file mode 100644 index 9d3f9c7..0000000 --- a/SOURCES/pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 7f29261148fa4a27824cb2006c515d376288ec64 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 20 Jun 2017 15:04:12 -0700 -Subject: [PATCH] Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison - -(cherry picked from commit 2d69d9332eea7ddc5205dc9e44d15452be4be61f) ---- - .../com/netscape/cms/profile/constraint/UniqueKeyConstraint.java | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -index 030995a..2614576 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -@@ -240,11 +240,7 @@ public class UniqueKeyConstraint extends EnrollConstraint { - } - // only VALID or EXPIRED certs could have reached here - X509CertImpl origCert = rec.getCertificate(); -- String certDN = -- origCert.getSubjectDN().toString(); -- CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN); -- -- sjname_in_db = new X500Name(certDN); -+ sjname_in_db = (X500Name) origCert.getSubjectDN(); - - if (sjname_in_db.equals(sjname_in_req) == false) { - msg = msg + "subject name not match in same key renewal;"; --- -1.8.3.1 - diff --git a/SOURCES/pki-core-server-access-banner-retrieval-validation.patch b/SOURCES/pki-core-server-access-banner-retrieval-validation.patch deleted file mode 100644 index a4a20d7..0000000 --- a/SOURCES/pki-core-server-access-banner-retrieval-validation.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 384cd35c5298010386047b62d6db64916dd6689c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 18 Aug 2017 23:05:24 +0200 -Subject: [PATCH] Added banner validation in InfoService. - -Previously banner was only validated during server startup. Since -banner can be modified anytime, the InfoService has been changed -such that it validates the banner on each banner retrieval. - -https://pagure.io/dogtagpki/issue/2671 - -Change-Id: I208f4c5b4ce2ce594e92acd4792aa03c729fa2cf -(cherry picked from commit 889a9c9efce62488f098fb96fcf4a1454c0b3bc2) ---- - .../src/org/dogtagpki/server/rest/InfoService.java | 27 +++++++++++++++++++++- - 1 file changed, 26 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java -index 13581dd..5467bda 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java -@@ -20,12 +20,15 @@ package org.dogtagpki.server.rest; - - import javax.servlet.http.HttpSession; - import javax.ws.rs.core.Response; -+import javax.xml.bind.UnmarshalException; - - import org.dogtagpki.common.Info; - import org.dogtagpki.common.InfoResource; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; -+import org.xml.sax.SAXParseException; - -+import com.netscape.certsrv.base.PKIException; - import com.netscape.cms.servlet.base.PKIService; - - /** -@@ -42,17 +45,39 @@ public class InfoService extends PKIService implements InfoResource { - logger.debug("InfoService.getInfo(): session: " + session.getId()); - - Info info = new Info(); -- info.setVersion(getVersion()); - - boolean bannerDisplayed = session.getAttribute("bannerDisplayed") != null; - boolean bannerEnabled = isBannerEnabled(); - - // if banner not yet displayed in this session and it's enabled, return banner - if (!bannerDisplayed && bannerEnabled) { -+ - String banner = 
getBanner(); - info.setBanner(banner); -+ -+ // validate banner -+ try { -+ // converting Info object into XML -+ String xmlInfo = info.toString(); -+ -+ // and parse it back into Info object -+ info = Info.valueOf(xmlInfo); -+ -+ } catch (UnmarshalException e) { -+ Throwable cause = e.getCause(); -+ logger.error("InfoService: Invalid access banner: " + cause, e); -+ -+ if (cause instanceof SAXParseException) { -+ throw new PKIException("Banner contains invalid character(s)", e); -+ } else { -+ throw new PKIException("Invalid access banner: " + cause, e); -+ } -+ } - } - -+ // add other info attributes after banner validation -+ info.setVersion(getVersion()); -+ - return createOKResponse(info); - } - } --- -1.8.3.1 - diff --git a/SOURCES/pki-core-server-access-banner-validation.patch b/SOURCES/pki-core-server-access-banner-validation.patch deleted file mode 100644 index ac95f33..0000000 --- a/SOURCES/pki-core-server-access-banner-validation.patch +++ /dev/null 
@@ -1,523 +0,0 @@ -From 9c8a4d2543e215f388e95e30f727a35eb9a7f778 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 5 Jun 2017 21:50:00 +0200 -Subject: [PATCH 1/4] Fixed access banner normalization. - -The PKIService has been modified to trim whitespaces in access -banner before returning the value to the client. The clients -have been modified to no longer trim the banner. - -https://pagure.io/dogtagpki/issue/2671 - -Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6 -(cherry picked from commit 5e0dcb69a734c9f52cca673a7a5189d31fb15774) ---- - base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 2 +- - base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +- - base/server/share/webapps/pki/js/pki-banner.js | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 51861b5..8f91f32 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -571,7 +571,7 @@ public class MainCLI extends CLI { - - if (banner != null) { - -- System.out.println(banner.trim()); -+ System.out.println(banner); - System.out.println(); - System.out.print("Do you want to proceed (y/N)? 
"); - System.out.flush(); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -index e023aa6..3273477 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -@@ -98,7 +98,7 @@ public class PKIService { - } - - public static String getBanner() throws IOException { -- return new String(Files.readAllBytes(bannerFile)); -+ return new String(Files.readAllBytes(bannerFile)).trim(); - } - - public static MediaType resolveFormat(MediaType format) { -diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js -index e88220e..ff64092 100644 ---- a/base/server/share/webapps/pki/js/pki-banner.js -+++ b/base/server/share/webapps/pki/js/pki-banner.js -@@ -37,7 +37,7 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { - } - - // display the banner and ask for confirmation -- var message = $.trim(data.Banner) + "\n\nDo you want to proceed?"; -+ var message = banner + "\n\nDo you want to proceed?"; - - // if banner accepted - if (confirm(message)) { --- -1.8.3.1 - - -From 00b439b9056baef2b40a16cba2b3e46d1365ce62 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 13 Jun 2017 21:09:52 +0200 -Subject: [PATCH 2/4] Fixed access banner encoding. - -The Info service and client have been modified to transmit access -banner in Base64-encoded form. The PKI UI has been modified to -decode the access banner properly. 
- -https://pagure.io/dogtagpki/issue/2671 - -Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50 -(cherry picked from commit e5f6ed7be301a3531b871ef3b0ce64bea0fe1973) ---- - .../src/org/dogtagpki/common/Base64Adapter.java | 34 ++++++++++++++++++++++ - base/common/src/org/dogtagpki/common/Info.java | 2 ++ - base/server/share/webapps/pki/js/pki-banner.js | 3 ++ - 3 files changed, 39 insertions(+) - create mode 100644 base/common/src/org/dogtagpki/common/Base64Adapter.java - -diff --git a/base/common/src/org/dogtagpki/common/Base64Adapter.java b/base/common/src/org/dogtagpki/common/Base64Adapter.java -new file mode 100644 -index 0000000..f777745 ---- /dev/null -+++ b/base/common/src/org/dogtagpki/common/Base64Adapter.java -@@ -0,0 +1,34 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package org.dogtagpki.common; -+ -+import javax.xml.bind.annotation.adapters.XmlAdapter; -+ -+public class Base64Adapter extends XmlAdapter { -+ -+ @Override -+ public String unmarshal(byte[] bytes) throws Exception { -+ return new String(bytes); -+ } -+ -+ @Override -+ public byte[] marshal(String string) throws Exception { -+ return string.getBytes(); -+ } -+} -diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java -index 0a216f4..7ea3fd7 100644 ---- a/base/common/src/org/dogtagpki/common/Info.java -+++ b/base/common/src/org/dogtagpki/common/Info.java -@@ -26,6 +26,7 @@ import javax.xml.bind.Marshaller; - import javax.xml.bind.Unmarshaller; - import javax.xml.bind.annotation.XmlElement; - import javax.xml.bind.annotation.XmlRootElement; -+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; - - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; -@@ -66,6 +67,7 @@ public class Info extends ResourceMessage { - } - - @XmlElement(name="Banner") -+ @XmlJavaTypeAdapter(Base64Adapter.class) - public String getBanner() { - return banner; - } -diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js -index ff64092..05b5f01 100644 ---- a/base/server/share/webapps/pki/js/pki-banner.js -+++ b/base/server/share/webapps/pki/js/pki-banner.js -@@ -36,6 +36,9 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { - return; - } - -+ // decode Base64-encoded UTF-8 banner -+ var banner = decodeURIComponent(escape(atob(data.Banner))); -+ - // display the banner and ask for confirmation - var message = banner + "\n\nDo you want to proceed?"; - --- -1.8.3.1 - - -From b5085492242307d669fb331dead66f331a07c09e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 14 Jun 2017 03:40:43 +0200 -Subject: [PATCH 3/4] Fixed access banner encoding (part 2). 
- -The code that reads the access banner from file has been modified -to explicitly use UTF-8 encoding. - -The Info class and the PKI UI have been modified not to encode the -access banner in Base64 since it is not necessary. - -https://pagure.io/dogtagpki/issue/2671 - -Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38 -(cherry picked from commit 4a8e1703603ab348b24d4f010e3587c340e1a032) ---- - base/common/src/org/dogtagpki/common/Info.java | 2 -- - base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +- - base/server/share/webapps/pki/js/pki-banner.js | 5 +---- - 3 files changed, 2 insertions(+), 7 deletions(-) - -diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java -index 7ea3fd7..0a216f4 100644 ---- a/base/common/src/org/dogtagpki/common/Info.java -+++ b/base/common/src/org/dogtagpki/common/Info.java -@@ -26,7 +26,6 @@ import javax.xml.bind.Marshaller; - import javax.xml.bind.Unmarshaller; - import javax.xml.bind.annotation.XmlElement; - import javax.xml.bind.annotation.XmlRootElement; --import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; - - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; -@@ -67,7 +66,6 @@ public class Info extends ResourceMessage { - } - - @XmlElement(name="Banner") -- @XmlJavaTypeAdapter(Base64Adapter.class) - public String getBanner() { - return banner; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -index 3273477..7a4727b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java -@@ -98,7 +98,7 @@ public class PKIService { - } - - public static String getBanner() throws IOException { -- return new String(Files.readAllBytes(bannerFile)).trim(); -+ return new String(Files.readAllBytes(bannerFile), "UTF-8").trim(); - } - - public static MediaType 
resolveFormat(MediaType format) { -diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js -index 05b5f01..2bb2792 100644 ---- a/base/server/share/webapps/pki/js/pki-banner.js -+++ b/base/server/share/webapps/pki/js/pki-banner.js -@@ -36,11 +36,8 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) { - return; - } - -- // decode Base64-encoded UTF-8 banner -- var banner = decodeURIComponent(escape(atob(data.Banner))); -- - // display the banner and ask for confirmation -- var message = banner + "\n\nDo you want to proceed?"; -+ var message = data.Banner + "\n\nDo you want to proceed?"; - - // if banner accepted - if (confirm(message)) { --- -1.8.3.1 - - -From 6449371ab6cb95a10ce0ad37d4a303709e356973 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 14 Jun 2017 23:08:29 +0200 -Subject: [PATCH 4/4] Added banner validation during server startup. - -Some pki-server CLIs have been added to inspect and validate the -content of the banner file. - -The PKI server startup script has been modified to validate the -content of the banner file using the new CLI. 
- -https://pagure.io/dogtagpki/issue/2671 - -Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4 -(cherry picked from commit d2e247798a36225880ef6050716cc7576fe2ad7f) ---- - base/server/python/pki/server/__init__.py | 8 ++ - base/server/python/pki/server/cli/banner.py | 186 ++++++++++++++++++++++++++++ - base/server/sbin/pki-server | 2 + - base/server/scripts/operations | 6 + - 4 files changed, 202 insertions(+) - create mode 100644 base/server/python/pki/server/cli/banner.py - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 46c6711..0852b12 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -19,6 +19,7 @@ - # - - from __future__ import absolute_import -+import codecs - from lxml import etree - import functools - import getpass -@@ -501,6 +502,7 @@ class PKIInstance(object): - self.conf_dir = os.path.join(CONFIG_BASE_DIR, name) - self.log_dir = os.path.join(LOG_BASE_DIR, name) - -+ self.banner_file = os.path.join(self.conf_dir, 'banner.txt') - self.password_conf = os.path.join(self.conf_dir, 'password.conf') - self.external_certs_conf = os.path.join( - self.conf_dir, 'external_certs.conf') -@@ -792,6 +794,12 @@ class PKIInstance(object): - self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml') - os.remove(context_xml) - -+ def banner_installed(self): -+ return os.path.exists(self.banner_file) -+ -+ def get_banner(self): -+ return codecs.open(self.banner_file, "UTF-8").read().strip() -+ - def __repr__(self): - if self.type == 9: - return "Dogtag 9 " + self.name -diff --git a/base/server/python/pki/server/cli/banner.py b/base/server/python/pki/server/cli/banner.py -new file mode 100644 -index 0000000..98f8f16 ---- /dev/null -+++ b/base/server/python/pki/server/cli/banner.py -@@ -0,0 +1,186 @@ -+# Authors: -+# Endi S. 
Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. -+# -+ -+from __future__ import absolute_import -+from __future__ import print_function -+import codecs -+import getopt -+from lxml import etree -+import sys -+import traceback -+ -+import pki.cli -+ -+ -+class BannerCLI(pki.cli.CLI): -+ -+ def __init__(self): -+ super(BannerCLI, self).__init__('banner', -+ 'Banner management commands') -+ -+ self.add_module(BannerShowCLI()) -+ self.add_module(BannerValidateCLI()) -+ -+ -+class BannerShowCLI(pki.cli.CLI): -+ -+ def __init__(self): -+ super(BannerShowCLI, self).__init__('show', 'Show banner') -+ -+ def usage(self): -+ print('Usage: pki-server banner-show [OPTIONS]') -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' -v, --verbose Run in verbose mode.') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, argv): -+ -+ try: -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ -+ 'instance=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.usage() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--help': -+ self.usage() -+ 
sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.usage() -+ sys.exit(1) -+ -+ instance = pki.server.PKIInstance(instance_name) -+ -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ if not instance.banner_installed(): -+ print('ERROR: Banner is not installed') -+ sys.exit(1) -+ -+ print(instance.get_banner()) -+ -+ -+class BannerValidateCLI(pki.cli.CLI): -+ -+ def __init__(self): -+ super(BannerValidateCLI, self).__init__('validate', 'Validate banner') -+ -+ def usage(self): -+ print('Usage: pki-server banner-validate [OPTIONS]') -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --file Validate specified banner file.') -+ print(' -v, --verbose Run in verbose mode.') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, argv): -+ -+ try: -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ -+ 'instance=', 'file=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.usage() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ banner_file = None -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o == '--file': -+ banner_file = a -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--help': -+ self.usage() -+ sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.usage() -+ sys.exit(1) -+ -+ if banner_file: -+ -+ # load banner from file -+ banner = codecs.open(banner_file, "UTF-8").read().strip() -+ -+ else: -+ -+ # load banner from instance -+ instance = pki.server.PKIInstance(instance_name) -+ -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' 
% instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ if not instance.banner_installed(): -+ self.print_message('Banner is not installed') -+ return -+ -+ banner = instance.get_banner() -+ -+ if not banner: -+ print('ERROR: Banner is empty') -+ sys.exit(1) -+ -+ xml_banner = "" + banner + "" -+ -+ try: -+ parser = etree.XMLParser() -+ etree.fromstring(xml_banner, parser) -+ -+ self.print_message('Banner is valid') -+ -+ except etree.XMLSyntaxError as e: -+ if self.verbose: -+ traceback.print_exc() -+ print('ERROR: Banner contains invalid character(s)') -+ sys.exit(1) -diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server -index 6df70dc..ce06e28 100644 ---- a/base/server/sbin/pki-server -+++ b/base/server/sbin/pki-server -@@ -32,6 +32,7 @@ import pki.server.cli.kra - import pki.server.cli.ocsp - import pki.server.cli.tks - import pki.server.cli.tps -+import pki.server.cli.banner - import pki.server.cli.db - import pki.server.cli.instance - import pki.server.cli.subsystem -@@ -52,6 +53,7 @@ class PKIServerCLI(pki.cli.CLI): - self.add_module(pki.server.cli.tks.TKSCLI()) - self.add_module(pki.server.cli.tps.TPSCLI()) - -+ self.add_module(pki.server.cli.banner.BannerCLI()) - self.add_module(pki.server.cli.db.DBCLI()) - self.add_module(pki.server.cli.instance.InstanceCLI()) - self.add_module(pki.server.cli.subsystem.SubsystemCLI()) -diff --git a/base/server/scripts/operations b/base/server/scripts/operations -index 907dd0e..908c952 100644 ---- a/base/server/scripts/operations -+++ b/base/server/scripts/operations -@@ -1297,6 +1297,12 @@ EOF - /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ - /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy - -+ pki-server banner-validate -i "$PKI_INSTANCE_NAME" -+ rv=$? -+ if [ $rv -ne 0 ]; then -+ return $rv -+ fi -+ - if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then - # enable all subsystems - pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all --- -1.8.3.1 - 
diff --git a/SOURCES/pki-core-snapshot-1.patch b/SOURCES/pki-core-snapshot-1.patch deleted file mode 100644 index ca2391a..0000000 --- a/SOURCES/pki-core-snapshot-1.patch +++ /dev/null 
@@ -1,6661 +0,0 @@ -From ee5af05036e87a9dad821c9dd8bc0198dac9bd65 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 12 May 2017 13:00:54 -0600 -Subject: [PATCH 01/27] Fix CA installation with HSM in FIPS mode - -Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails -dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails ---- - base/server/python/pki/server/deployment/pkihelper.py | 19 ++++++++++++++----- - .../pki/server/deployment/scriptlets/finalization.py | 3 ++- - 2 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 051778d..a1345de 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -1017,11 +1017,20 @@ class Instance: - extra=config.PKI_INDENTATION_LEVEL_2) - raise - -- def get_instance_status(self): -+ def get_instance_status(self, secure_connection=True): -+ pki_protocol = None -+ pki_port = None -+ if secure_connection: -+ pki_protocol = "https" -+ pki_port = self.mdict['pki_https_port'] -+ else: -+ pki_protocol = "http" -+ pki_port = self.mdict['pki_http_port'] -+ - connection = pki.client.PKIConnection( -- protocol='https', -+ protocol=pki_protocol, - hostname=self.mdict['pki_hostname'], -- port=self.mdict['pki_https_port'], -+ port=pki_port, - subsystem=self.mdict['pki_subsystem_type'], - accept='application/xml', - trust_env=False) -@@ -1049,11 +1058,11 @@ class Instance: - extra=config.PKI_INDENTATION_LEVEL_3) - return None - -- def wait_for_startup(self, timeout): -+ def wait_for_startup(self, timeout, secure_connection=True): - start_time = datetime.today() - status = None - while status != "running": -- status = self.get_instance_status() -+ status = self.get_instance_status(secure_connection) - time.sleep(1) - stop_time = datetime.today() - if (stop_time - start_time).total_seconds() >= timeout: 
-diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py -index 941691c..75bb80e 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/finalization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py -@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if config.str2bool(deployer.mdict['pki_restart_configured_instance']): - deployer.systemd.restart() - # wait for startup -- status = deployer.instance.wait_for_startup(60) -+ # (must use 'http' protocol due to potential FIPS configuration) -+ status = deployer.instance.wait_for_startup(60, False) - if status is None: - config.pki_log.error( - "server failed to restart", --- -1.8.3.1 - - -From 4557cd497ecc3c753461617dd8f10067a3815042 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 16 May 2017 01:43:33 +0200 -Subject: [PATCH 02/27] Added log messages for server shutdown. - -Some log messages have been added to help troubleshoot the cause -of server shutdown. - -Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2 ---- - base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ - .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 3 +++ - .../server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java | 1 + - .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++ - 4 files changed, 12 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java -index 8f1d648..cc634cc 100644 ---- a/base/common/src/com/netscape/certsrv/apps/CMS.java -+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java -@@ -1627,6 +1627,8 @@ public final class CMS { - // Raidzilla Bug #57592: Always print error message to stdout. 
- System.out.println(e); - -+ CMS.debug("CMS.start(): shutdown server"); -+ - shutdown(); - throw e; - -@@ -1722,6 +1724,8 @@ public final class CMS { - ILogger.LL_INFO, - "CMSEngine: Received shutdown signal"); - -+ CMS.debug("CMS.main(): shutdown server"); -+ - CMS.shutdown(); - }; - }); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index e5a1474..f8bc34a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -750,6 +750,7 @@ public final class CMSAdminServlet extends AdminServlet { - if (stop != null) { - //XXX Send response first then shutdown - sendResponse(SUCCESS, null, params, resp); -+ CMS.debug("CMSAdminServlet.performTasks(): shutdown server"); - CMS.shutdown(); - return; - } -@@ -3271,6 +3272,8 @@ public final class CMSAdminServlet extends AdminServlet { - + "\n"; - sendResponse(ERROR, content, null, resp); - -+ CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown server"); -+ - // shutdown the system gracefully - CMS.shutdown(); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java -index cfbf724..9609b06 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java -@@ -148,6 +148,7 @@ public class CMSStartServlet extends HttpServlet { - * This method will be called when Tomcat is shutdown. 
- */ - public void destroy() { -+ CMS.debug("CMSStartServlet.destroy(): shutdown server"); - CMS.shutdown(); - } - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -index 6ee3176..e1d6e15 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java -@@ -547,6 +547,8 @@ public class SelfTestSubsystem - "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", - instanceFullName)); - -+ CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); -+ - // shutdown the system gracefully - CMS.shutdown(); - -@@ -1845,6 +1847,8 @@ public class SelfTestSubsystem - - audit(auditMessage); - -+ CMS.debug("SelfTestSubsystem.startup(): shutdown server"); -+ - // shutdown the system gracefully - CMS.shutdown(); - --- -1.8.3.1 - - -From 587cfa90b3b065f4c9c5bd0292202d5d9a4c2f54 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 25 Apr 2017 22:12:20 +0200 -Subject: [PATCH 03/27] Simplified conditions to log CERT_REQUEST_PROCESSED. - -The conditions to log CERT_REQUEST_PROCESSED have been simplified -since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE -if the certificate object is not available in the request object. 
- -https://pagure.io/dogtagpki/issue/2636 - -Change-Id: I946481c17729d2c349c949def113fc5563ec90ad ---- - .../logging/event/CertRequestProcessedEvent.java | 2 +- - .../netscape/cms/servlet/cert/CertProcessor.java | 24 +++++------ - .../cms/servlet/connector/ConnectorServlet.java | 47 +++++++++------------- - .../servlet/profile/ProfileSubmitCMCServlet.java | 44 +++++++++----------- - 4 files changed, 48 insertions(+), 69 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -index 777434b..a17f7d5 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -96,7 +96,7 @@ public class CertRequestProcessedEvent extends AuditEvent { - * @param x509cert an X509CertImpl - * @return cert string containing the certificate - */ -- public static String auditInfoCertValue(X509CertImpl x509cert) { -+ String auditInfoCertValue(X509CertImpl x509cert) { - - if (x509cert == null) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -index d25d817..1becd1b 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -246,21 +246,17 @@ public class CertProcessor extends CAProcessor { - req.setRequestStatus(RequestStatus.COMPLETE); - - X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); -- -- // TODO: simplify this condition -- if (auditInfoCertValue != null) { -- if (!(auditInfoCertValue.equals( -- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- -- audit(new 
CertRequestProcessedEvent( -- auditSubjectID, -- ILogger.SUCCESS, -- auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -- } -+ -+ if (x509cert != null) { -+ -+ audit(new CertRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_ACCEPTANCE, -+ x509cert)); - } -+ - } catch (EDeferException e) { - // return defer message to the user - req.setRequestStatus(RequestStatus.PENDING); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index b5ccdd2..eeb640e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -620,40 +620,31 @@ public class ConnectorServlet extends CMSServlet { - if (isProfileRequest(thisreq)) { - - X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); -- -- // TODO: simplify this condition -- if (auditInfoCertValue != null) { -- if (!(auditInfoCertValue.equals( -- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- -- audit(new CertRequestProcessedEvent( -- auditSubjectID, -- ILogger.SUCCESS, -- auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -- } -+ -+ if (x509cert != null) { -+ -+ audit(new CertRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_ACCEPTANCE, -+ x509cert)); - } - } -+ - } catch (EBaseException eAudit1) { - if (isProfileRequest(thisreq)) { - - X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); -- -- // TODO: simplify this condition -- if (auditInfoCertValue != null) { -- if (!(auditInfoCertValue.equals( -- 
ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- -- audit(new CertRequestProcessedEvent( -- auditSubjectID, -- ILogger.FAILURE, -- auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -- } -+ -+ if (x509cert != null) { -+ -+ audit(new CertRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_ACCEPTANCE, -+ x509cert)); - } - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 1e128d0..0e101ed 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -696,21 +696,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - reqs[k].setRequestStatus(RequestStatus.COMPLETE); - - X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); -- -- // TODO: simplify this condition -- if (auditInfoCertValue != null) { -- if (!(auditInfoCertValue.equals( -- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -- -- audit(new CertRequestProcessedEvent( -- auditSubjectID, -- ILogger.SUCCESS, -- auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -- } -+ -+ if (x509cert != null) { -+ -+ audit(new CertRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_ACCEPTANCE, -+ x509cert)); - } -+ - } catch (EDeferException e) { - // return defer message to the user - CMS.debug("ProfileSubmitCMCServlet: set request to PENDING"); -@@ -794,21 +790,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete"); - - X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- String 
auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert); - -- // TODO: simplify this condition -- if (auditInfoCertValue != null) { -- if (!(auditInfoCertValue.equals( -- ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { -+ if (x509cert != null) { - -- audit(new CertRequestProcessedEvent( -- auditSubjectID, -- ILogger.SUCCESS, -- auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -- } -+ audit(new CertRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_ACCEPTANCE, -+ x509cert)); - } -+ - } catch (ERejectException e) { - // return error to the user - provedReq.setRequestStatus(RequestStatus.REJECTED); --- -1.8.3.1 - - -From 3abf731d9e6f02ac8d315978d31c28c2f9c85db9 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 26 Apr 2017 01:27:17 +0200 -Subject: [PATCH 04/27] Added AuditEvent attributes. - -The AuditEvent class has been modified to support variable number -of event attributes which can be used to generate more flexible -audit log entries. 
- -https://pagure.io/dogtagpki/issue/2655 - -Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212 ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 24 ++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 7a4aa9b..9ba9271 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -18,7 +18,9 @@ - package com.netscape.certsrv.logging; - - import java.text.MessageFormat; -+import java.util.LinkedHashMap; - import java.util.Locale; -+import java.util.Map; - - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.MessageFormatter; -@@ -265,6 +267,7 @@ public class AuditEvent implements IBundleLogEvent { - private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6"; - - protected Object mParams[] = null; -+ protected Map attributes = new LinkedHashMap<>(); - - private String mEventType = null; - private String mMessage = null; -@@ -574,4 +577,25 @@ public class AuditEvent implements IBundleLogEvent { - } else - return toContent(); - } -+ -+ public void setAttribute(String name, Object value) { -+ attributes.put(name, value); -+ } -+ -+ public String getAttributeList() { -+ -+ StringBuilder sb = new StringBuilder(); -+ -+ for (String name : attributes.keySet()) { -+ Object value = attributes.get(name); -+ -+ sb.append("["); -+ sb.append(name); -+ sb.append("="); -+ sb.append(value); -+ sb.append("]"); -+ } -+ -+ return sb.toString(); -+ } - } --- -1.8.3.1 - - -From cec9efefe027ed4e7592827889eb3b487e7e485a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 26 Apr 2017 20:04:46 +0200 -Subject: [PATCH 05/27] Added ConfigTrustedPublicKeyEvent. - -A new ConfigTrustedPublicKeyEvent class of has been added to -encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events. 
- -https://pagure.io/dogtagpki/issue/2641 - -Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908 ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 2 - - .../logging/event/ConfigTrustedPublicKeyEvent.java | 42 ++++ - .../cms/servlet/admin/CMSAdminServlet.java | 218 +++++++-------------- - 3 files changed, 114 insertions(+), 148 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 9ba9271..ff5d344 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -63,8 +63,6 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; - public final static String CONFIG_ENCRYPTION = - "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3"; -- public final static String CONFIG_TRUSTED_PUBLIC_KEY = -- "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; - public final static String CONFIG_DRM = - "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; - public final static String SELFTESTS_EXECUTION = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java -new file mode 100644 -index 0000000..b0dd781 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java -@@ -0,0 +1,42 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class ConfigTrustedPublicKeyEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3"; -+ -+ public ConfigTrustedPublicKeyEvent( -+ String subjectID, -+ String outcome, -+ String params) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ params -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -index f8bc34a..8d28408 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java -@@ -62,6 +62,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.ConfigTrustedPublicKeyEvent; - import com.netscape.certsrv.ocsp.IOCSPAuthority; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.security.ICryptoSubsystem; -@@ -1434,7 +1435,7 @@ public final class 
CMSAdminServlet extends AdminServlet { - private void issueImportCert(HttpServletRequest req, - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -1484,14 +1485,11 @@ public final class CMSAdminServlet extends AdminServlet { - nicknameWithoutTokenName = nickname.substring(index + 1); - oldtokenname = nickname.substring(0, index); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); - } -@@ -1504,14 +1502,11 @@ public final class CMSAdminServlet extends AdminServlet { - } else if (index > 0 && (index < (canickname.length() - 1))) { - canicknameWithoutTokenName = canickname.substring(index + 1); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); - } -@@ -1524,14 +1519,11 @@ public final class CMSAdminServlet extends AdminServlet { - KeyPair pair = null; - - if (nickname.equals("")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND")); - } -@@ -1771,40 +1763,30 @@ public final class 
CMSAdminServlet extends AdminServlet { - properties.clear(); - properties = null; - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - mConfig.commit(true); - sendResponse(SUCCESS, null, null, resp); - } catch (EBaseException eAudit1) { - CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { - CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -1890,14 +1872,11 @@ public final class CMSAdminServlet extends AdminServlet { - try { - if (pkcs == null || pkcs.equals("")) { - if (certpath == null || certpath.equals("")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - EBaseException ex = new EBaseException( - CMS.getLogMessage("BASE_INVALID_FILE_PATH")); -@@ -1924,14 +1903,11 @@ public 
final class CMSAdminServlet extends AdminServlet { - } - } - } catch (IOException ee) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException( - CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); -@@ -1954,14 +1930,11 @@ public final class CMSAdminServlet extends AdminServlet { - tokenName = nickname.substring(0, index); - nicknameWithoutTokenName = nickname.substring(index + 1); - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException( - CMS.getLogMessage("BASE_CERT_NOT_FOUND")); -@@ -2203,14 +2176,10 @@ public final class CMSAdminServlet extends AdminServlet { - audit(auditMessage); - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - mConfig.commit(true); - if (verified == true) { -@@ -2220,26 +2189,20 @@ public final class CMSAdminServlet extends AdminServlet { - null, resp); - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a 
message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -2275,7 +2238,7 @@ public final class CMSAdminServlet extends AdminServlet { - private void importXCert(HttpServletRequest req, - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - // ensure that any low-level exceptions are reported -@@ -2309,14 +2272,11 @@ public final class CMSAdminServlet extends AdminServlet { - try { - if (b64Cert == null || b64Cert.equals("")) { - if (certpath == null || certpath.equals("")) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - EBaseException ex = new EBaseException( - CMS.getLogMessage("BASE_INVALID_FILE_PATH")); -@@ -2342,14 +2302,11 @@ public final class CMSAdminServlet extends AdminServlet { - } - } - } catch (IOException ee) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - throw new EBaseException( - CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); -@@ -2376,14 +2333,11 @@ public final class CMSAdminServlet extends AdminServlet { - //this will import into internal ldap crossCerts entry - ccps.importCert(bCert); - } catch (Exception e) { -- // store a message in the signed audit log file -- auditMessage = 
CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(1, "xcert importing failure:" + e.toString(), - null, resp); -@@ -2395,14 +2349,11 @@ public final class CMSAdminServlet extends AdminServlet { - // db to publishing directory, if turned on - ccps.publishCertPairs(); - } catch (EBaseException e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(1, "xcerts publishing failure:" + e.toString(), null, resp); - return; -@@ -2416,37 +2367,27 @@ public final class CMSAdminServlet extends AdminServlet { - results.put(Constants.PR_NICKNAME, "FBCA cross-signed cert"); - results.put(Constants.PR_CERT_CONTENT, content); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, results, resp); - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, 
- ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; -@@ -2929,7 +2870,7 @@ public final class CMSAdminServlet extends AdminServlet { - public void setRootCertTrust(HttpServletRequest req, - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - String nickname = req.getParameter(Constants.PR_NICK_NAME); - String serialno = req.getParameter(Constants.PR_SERIAL_NUMBER); -@@ -2943,25 +2884,20 @@ public final class CMSAdminServlet extends AdminServlet { - try { - jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust); - } catch (EBaseException e) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -+ auditParams(req))); - -- audit(auditMessage); - // rethrow the specific exception to be handled later - throw e; - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - sendResponse(SUCCESS, null, null, resp); - } -@@ -2982,7 +2918,7 @@ public final class CMSAdminServlet extends AdminServlet { - private void trustCACert(HttpServletRequest req, - HttpServletResponse resp) throws ServletException, - IOException, EBaseException { -- String auditMessage = null; -+ - String auditSubjectID = auditSubjectID(); - - CMS.debug("CMSAdminServlet: trustCACert()"); -@@ -3010,38 +2946,28 @@ public final class CMSAdminServlet extends AdminServlet { - } - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ audit(new 
ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - //sendResponse(SUCCESS, null, null, resp); - sendResponse(RESTART, null, null, resp); - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit1; - } catch (IOException eAudit2) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY, -+ -+ audit(new ConfigTrustedPublicKeyEvent( - auditSubjectID, - ILogger.FAILURE, -- auditParams(req)); -- -- audit(auditMessage); -+ auditParams(req))); - - // rethrow the specific exception to be handled later - throw eAudit2; --- -1.8.3.1 - - -From 439ee21719064e60fb691c48aafdbc7fa722c8b7 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 26 Apr 2017 01:32:12 +0200 -Subject: [PATCH 06/27] Refactored CertRequestProcessedEvent to use AuditEvent - attributes. - -The CertRequestProcessedEvent constructors have been modified to -log the info attributes using the new AuditEvent attributes. - -The logging property for CERT_REQUEST_PROCESSED event has been -modified to accept a list of attributes as a single string instead -of individual info attributes. - -The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced -with a constant in CertRequestProcessedEvent class which points to -the new logging property. 
- -https://pagure.io/dogtagpki/issue/2655 - -Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 2 -- - .../logging/event/CertRequestProcessedEvent.java | 27 ++++++++++++++-------- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - 3 files changed, 19 insertions(+), 12 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index ff5d344..523b204 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -103,8 +103,6 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; - public final static String PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; -- public final static String CERT_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; - public final static String CERT_STATUS_CHANGE_REQUEST = - "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; - public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -index a17f7d5..5155672 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -30,6 +30,9 @@ public class CertRequestProcessedEvent extends AuditEvent { - - private static final long serialVersionUID = 1L; - -+ private final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED"; -+ - public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes"; - - public CertRequestProcessedEvent( -@@ -39,14 +42,16 @@ public class CertRequestProcessedEvent extends AuditEvent { 
- String infoName, - String infoValue) { - -- super(CERT_REQUEST_PROCESSED); -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("InfoName", infoName); -+ setAttribute("InfoValue", infoValue); - - setParameters(new Object[] { - subjectID, - outcome, - requesterID, -- infoName, -- infoValue -+ getAttributeList() - }); - } - -@@ -57,14 +62,16 @@ public class CertRequestProcessedEvent extends AuditEvent { - String infoName, - X509CertImpl x509cert) { - -- super(CERT_REQUEST_PROCESSED); -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("InfoName", infoName); -+ setAttribute("InfoValue", auditInfoCertValue(x509cert)); - - setParameters(new Object[] { - subjectID, - outcome, - requesterID, -- infoName, -- auditInfoCertValue(x509cert) -+ getAttributeList() - }); - } - -@@ -75,14 +82,16 @@ public class CertRequestProcessedEvent extends AuditEvent { - String infoName, - IRequest request) { - -- super(CERT_REQUEST_PROCESSED); -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("InfoName", infoName); -+ setAttribute("InfoValue", auditInfoValue(request)); - - setParameters(new Object[] { - subjectID, - outcome, - requesterID, -- infoName, -- auditInfoValue(request) -+ getAttributeList() - }); - } - -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index d3ac06a..1a5b37a 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2088,7 +2088,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEv - # InfoValue must contain the certificate (in case of success), a reject reason in - # text, or a cancel reason in text - # --LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5=:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}][InfoName={3}][InfoValue={4}] certificate request processed -+LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}]{3} certificate request processed - # - # 
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST - # - used when a certificate status change request (e.g. revocation) --- -1.8.3.1 - - -From 3edee861f0f31910020825a4bdc18f36017b6a26 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 26 Apr 2017 02:02:34 +0200 -Subject: [PATCH 07/27] Added certificate serial number for - CERT_REQUEST_PROCESSED. - -The CertRequestProcessedEvent constructor that takes a certificate -object was modified to log the certificate serial number instead of -the base64-encoded certificate data. - -https://pagure.io/dogtagpki/issue/2655 - -Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472 ---- - .../com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -index 5155672..d095ab6 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java -@@ -64,8 +64,7 @@ public class CertRequestProcessedEvent extends AuditEvent { - - super(LOGGING_PROPERTY); - -- setAttribute("InfoName", infoName); -- setAttribute("InfoValue", auditInfoCertValue(x509cert)); -+ setAttribute("CertSerialNum", x509cert.getSerialNumber()); - - setParameters(new Object[] { - subjectID, --- -1.8.3.1 - - -From 641180a465d7fdf12a978c9c458e39bf6829cac2 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Tue, 16 May 2017 12:58:17 -0600 -Subject: [PATCH 08/27] Added FIPS class to pkispawn - -Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails -dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails ---- - .../python/pki/server/deployment/__init__.py | 2 ++ - .../python/pki/server/deployment/pkihelper.py | 41 ++++++++++++++++++++++ - 
.../python/pki/server/deployment/pkimessages.py | 4 +++ - .../server/deployment/scriptlets/finalization.py | 10 ++++-- - base/server/sbin/pkispawn | 10 ++++++ - 5 files changed, 65 insertions(+), 2 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py -index 3d719de..709fe70 100644 ---- a/base/server/python/pki/server/deployment/__init__.py -+++ b/base/server/python/pki/server/deployment/__init__.py -@@ -55,6 +55,7 @@ class PKIDeployer: - self.symlink = None - self.war = None - self.password = None -+ self.fips = None - self.hsm = None - self.certutil = None - self.modutil = None -@@ -99,6 +100,7 @@ class PKIDeployer: - self.symlink = util.Symlink(self) - self.war = util.War(self) - self.password = util.Password(self) -+ self.fips = util.FIPS(self) - self.hsm = util.HSM(self) - self.certutil = util.Certutil(self) - self.modutil = util.Modutil(self) -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index a1345de..cf2a748 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -2172,6 +2172,47 @@ class Password: - return token_pwd - - -+class FIPS: -+ """PKI Deployment FIPS class""" -+ -+ def __init__(self, deployer): -+ self.mdict = deployer.mdict -+ -+ def is_fips_enabled(self, critical_failure=False): -+ try: -+ # Always initialize FIPS mode as NOT enabled -+ self.mdict['pki_fips_mode_enabled'] = False -+ -+ # Check to see if FIPS is enabled on this system -+ command = ["sysctl", "crypto.fips_enabled", "-bn"] -+ -+ # Execute this "sysctl" command. 
-+ with open(os.devnull, "w") as fnull: -+ output = subprocess.check_output(command, stderr=fnull, -+ close_fds=True) -+ if (output != "0"): -+ # Set FIPS mode as enabled -+ self.mdict['pki_fips_mode_enabled'] = True -+ config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED, -+ extra=config.PKI_INDENTATION_LEVEL_3) -+ return True -+ else: -+ config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, -+ extra=config.PKI_INDENTATION_LEVEL_3) -+ return False -+ except subprocess.CalledProcessError as exc: -+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, -+ extra=config.PKI_INDENTATION_LEVEL_2) -+ if critical_failure: -+ raise -+ except OSError as exc: -+ config.pki_log.error(log.PKI_OSERROR_1, exc, -+ extra=config.PKI_INDENTATION_LEVEL_2) -+ if critical_failure: -+ raise -+ return False -+ -+ - class HSM: - """PKI Deployment HSM class""" - -diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py -index c8821bb..52c8e62 100644 ---- a/base/server/python/pki/server/deployment/pkimessages.py -+++ b/base/server/python/pki/server/deployment/pkimessages.py -@@ -222,6 +222,10 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." - PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." - PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" - PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" -+PKIHELPER_FIPS_MODE_IS_ENABLED = "FIPS mode is enabled on this operating "\ -+ "system." -+PKIHELPER_FIPS_MODE_IS_NOT_ENABLED = "FIPS mode is NOT enabled on this "\ -+ "operating system." 
- PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \ - "Since clones using Hardware Security Modules (HSMs) must share their "\ - "master's private keys, the 'pki_clone_pkcs12_path' and "\ -diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py -index 75bb80e..ef750b9 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/finalization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py -@@ -58,8 +58,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if config.str2bool(deployer.mdict['pki_restart_configured_instance']): - deployer.systemd.restart() - # wait for startup -- # (must use 'http' protocol due to potential FIPS configuration) -- status = deployer.instance.wait_for_startup(60, False) -+ status = None -+ if deployer.fips.is_fips_enabled(): -+ # must use 'http' protocol when FIPS mode is enabled -+ status = deployer.instance.wait_for_startup( -+ 60, secure_connection=False) -+ else: -+ status = deployer.instance.wait_for_startup( -+ 60, secure_connection=True) - if status is None: - config.pki_log.error( - "server failed to restart", -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index e6e337b..9394b8e 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -756,6 +756,16 @@ def print_final_install_information(mdict): - " is a clone." % - (deployer.subsystem_name, mdict['pki_instance_name'])) - -+ if mdict['pki_fips_mode_enabled']: -+ print() -+ print(" This %s subsystem of the '%s' instance\n" -+ " has FIPS mode enabled on this operating system." % -+ (deployer.subsystem_name, mdict['pki_instance_name'])) -+ print() -+ print(" REMINDER: Don't forget to update the appropriate FIPS\n" -+ " algorithms in server.xml in the '%s' instance." 
-+ % mdict['pki_instance_name']) -+ - print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name']) - print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name']) - --- -1.8.3.1 - - -From dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 02:53:59 +0200 -Subject: [PATCH 10/27] Fixed audit event outcome for agent-rejected cert - request. - -The outcome of CERT_REQUEST_PROCESSED event has been changed to -Failure when the certificate request is rejected by an agent. - -https://pagure.io/dogtagpki/issue/2693 - -Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40 ---- - base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index 4494d2c..d8d8803 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -311,7 +311,7 @@ public class RequestProcessor extends CertProcessor { - - audit(new CertRequestProcessedEvent( - auditSubjectID, -- ILogger.SUCCESS, -+ ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - req)); --- -1.8.3.1 - - -From e54873d6dbb95e82632f888b90dc6d0d7836ad4d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 17:43:00 +0200 -Subject: [PATCH 11/27] Fixed audit event outcome for agent-canceled cert - request. - -The outcome of CERT_REQUEST_PROCESSED event has been changed to -Failure when the certificate request is canceled by an agent. 
- -https://pagure.io/dogtagpki/issue/2694 - -Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a ---- - base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -index d8d8803..df5aae0 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java -@@ -281,7 +281,7 @@ public class RequestProcessor extends CertProcessor { - - audit(new CertRequestProcessedEvent( - auditSubjectID, -- ILogger.SUCCESS, -+ ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_CANCELLATION, - req)); --- -1.8.3.1 - - -From c6ed9679acba5d0072a16878ecf98e0843ab6a3a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 19:25:20 +0200 -Subject: [PATCH 12/27] Refactored UpdateCRL.process() (part 1). - -The UpdateCRL.process() has been refactored to reduce deeply -nested if-statements with early return. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198 ---- - base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index d873b1a..1182922 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -331,7 +331,11 @@ public class UpdateCRL extends CMSServlet { - header.addStringValue("crlIssuingPoint", crlIssuingPointId); - IPublisherProcessor lpm = mCA.getPublisherProcessor(); - -- if (crlIssuingPoint != null) { -+ if (crlIssuingPoint == null) { -+ CMS.debug("UpdateCRL: no CRL issuing point"); -+ return; -+ } -+ - if (clearCache != null && clearCache.equals("true") && - crlIssuingPoint.isCRLGenerationEnabled() && - crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && -@@ -523,7 +527,5 @@ public class UpdateCRL extends CMSServlet { - header.addStringValue("crlUpdate", "Scheduled"); - } - } -- } -- return; - } - } --- -1.8.3.1 - - -From 69d5dc82f8664d1eb5dfcdcec615088127c0ad97 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 19:40:51 +0200 -Subject: [PATCH 13/27] Refactored UpdateCRL.process() (part 2). - -The UpdateCRL.process() has been refactored to reduce deeply -nested if-statements with early return. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5 ---- - .../com/netscape/cms/servlet/cert/UpdateCRL.java | 32 +++++++++++----------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index 1182922..8669361 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -343,11 +343,25 @@ public class UpdateCRL extends CMSServlet { - == ICRLIssuingPoint.CRL_IP_INITIALIZED) { - crlIssuingPoint.clearCRLCache(); - } -- if (waitForUpdate != null && waitForUpdate.equals("true") && -+ if (!(waitForUpdate != null && waitForUpdate.equals("true") && - crlIssuingPoint.isCRLGenerationEnabled() && - crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && - crlIssuingPoint.isCRLIssuingPointInitialized() -- == ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { -+ if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ header.addStringValue("crlUpdate", "notInitialized"); -+ } else if (crlIssuingPoint.isCRLUpdateInProgress() -+ != ICRLIssuingPoint.CRL_UPDATE_DONE || -+ crlIssuingPoint.isManualUpdateSet()) { -+ header.addStringValue("crlUpdate", "inProgress"); -+ } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { -+ header.addStringValue("crlUpdate", "Disabled"); -+ } else { -+ crlIssuingPoint.setManualUpdate(signatureAlgorithm); -+ header.addStringValue("crlUpdate", "Scheduled"); -+ } -+ return; -+ } - if (test != null && test.equals("true") && - crlIssuingPoint.isCRLCacheTestingEnabled() && - (!mTesting.contains(crlIssuingPointId))) { -@@ -513,19 +527,5 @@ public class UpdateCRL extends CMSServlet { - } - } - } -- } else { -- if (crlIssuingPoint.isCRLIssuingPointInitialized() != 
ICRLIssuingPoint.CRL_IP_INITIALIZED) { -- header.addStringValue("crlUpdate", "notInitialized"); -- } else if (crlIssuingPoint.isCRLUpdateInProgress() -- != ICRLIssuingPoint.CRL_UPDATE_DONE || -- crlIssuingPoint.isManualUpdateSet()) { -- header.addStringValue("crlUpdate", "inProgress"); -- } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { -- header.addStringValue("crlUpdate", "Disabled"); -- } else { -- crlIssuingPoint.setManualUpdate(signatureAlgorithm); -- header.addStringValue("crlUpdate", "Scheduled"); -- } -- } - } - } --- -1.8.3.1 - - -From ce9e6f1704d6c821429faafc778358202e1a233e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 19:43:06 +0200 -Subject: [PATCH 14/27] Refactored UpdateCRL.process() (part 3). - -The UpdateCRL.process() has been refactored to reduce deeply -nested if-statements with early return. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47 ---- - base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index 8669361..ca4a5bf 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -436,14 +436,17 @@ public class UpdateCRL extends CMSServlet { - - mTesting.remove(crlIssuingPointId); - CMS.debug("CRL test finished."); -+ return; - } else if (test != null && test.equals("true") && - crlIssuingPoint.isCRLCacheTestingEnabled() && - mTesting.contains(crlIssuingPointId)) { - header.addStringValue("crlUpdate", "testingInProgress"); -+ return; - } else if (test != null && test.equals("true") && - (!crlIssuingPoint.isCRLCacheTestingEnabled())) { - header.addStringValue("crlUpdate", "testingNotEnabled"); -- } else { -+ return; -+ } - try { - EBaseException 
publishError = null; - -@@ -526,6 +529,5 @@ public class UpdateCRL extends CMSServlet { - throw e; - } - } -- } - } - } --- -1.8.3.1 - - -From 75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 19:45:39 +0200 -Subject: [PATCH 15/27] Reformatted UpdateCRL.process(). - -The UpdateCRL.process() has been reformatted to adjust the -indentations after refactoring. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c ---- - .../com/netscape/cms/servlet/cert/UpdateCRL.java | 348 ++++++++++----------- - 1 file changed, 174 insertions(+), 174 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index ca4a5bf..7faecf1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -336,198 +336,198 @@ public class UpdateCRL extends CMSServlet { - return; - } - -- if (clearCache != null && clearCache.equals("true") && -- crlIssuingPoint.isCRLGenerationEnabled() && -- crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && -- crlIssuingPoint.isCRLIssuingPointInitialized() -- == ICRLIssuingPoint.CRL_IP_INITIALIZED) { -- crlIssuingPoint.clearCRLCache(); -+ if (clearCache != null && clearCache.equals("true") && -+ crlIssuingPoint.isCRLGenerationEnabled() && -+ crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && -+ crlIssuingPoint.isCRLIssuingPointInitialized() -+ == ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ crlIssuingPoint.clearCRLCache(); -+ } -+ if (!(waitForUpdate != null && waitForUpdate.equals("true") && -+ crlIssuingPoint.isCRLGenerationEnabled() && -+ crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && -+ crlIssuingPoint.isCRLIssuingPointInitialized() -+ == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { 
-+ if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ header.addStringValue("crlUpdate", "notInitialized"); -+ } else if (crlIssuingPoint.isCRLUpdateInProgress() -+ != ICRLIssuingPoint.CRL_UPDATE_DONE || -+ crlIssuingPoint.isManualUpdateSet()) { -+ header.addStringValue("crlUpdate", "inProgress"); -+ } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { -+ header.addStringValue("crlUpdate", "Disabled"); -+ } else { -+ crlIssuingPoint.setManualUpdate(signatureAlgorithm); -+ header.addStringValue("crlUpdate", "Scheduled"); - } -- if (!(waitForUpdate != null && waitForUpdate.equals("true") && -- crlIssuingPoint.isCRLGenerationEnabled() && -- crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && -- crlIssuingPoint.isCRLIssuingPointInitialized() -- == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { -- if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { -- header.addStringValue("crlUpdate", "notInitialized"); -- } else if (crlIssuingPoint.isCRLUpdateInProgress() -- != ICRLIssuingPoint.CRL_UPDATE_DONE || -- crlIssuingPoint.isManualUpdateSet()) { -- header.addStringValue("crlUpdate", "inProgress"); -- } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { -- header.addStringValue("crlUpdate", "Disabled"); -- } else { -- crlIssuingPoint.setManualUpdate(signatureAlgorithm); -- header.addStringValue("crlUpdate", "Scheduled"); -+ return; -+ } -+ if (test != null && test.equals("true") && -+ crlIssuingPoint.isCRLCacheTestingEnabled() && -+ (!mTesting.contains(crlIssuingPointId))) { -+ CMS.debug("CRL test started."); -+ mTesting.add(crlIssuingPointId); -+ BigInteger addLen = null; -+ BigInteger startFrom = null; -+ if (add != null && add.length() > 0 && -+ from != null && from.length() > 0) { -+ try { -+ addLen = new BigInteger(add); -+ startFrom = new BigInteger(from); -+ } catch (Exception e) { - } -- return; - } -- if (test != null && test.equals("true") && -- 
crlIssuingPoint.isCRLCacheTestingEnabled() && -- (!mTesting.contains(crlIssuingPointId))) { -- CMS.debug("CRL test started."); -- mTesting.add(crlIssuingPointId); -- BigInteger addLen = null; -- BigInteger startFrom = null; -- if (add != null && add.length() > 0 && -- from != null && from.length() > 0) { -- try { -- addLen = new BigInteger(add); -- startFrom = new BigInteger(from); -- } catch (Exception e) { -- } -- } -- if (addLen != null && startFrom != null) { -- Date revocationDate = CMS.getCurrentDate(); -- String err = null; -- -- CRLExtensions entryExts = crlEntryExtensions(reason, invalidity); -- -- BigInteger serialNumber = startFrom; -- BigInteger counter = addLen; -- BigInteger stepBy = null; -- if (by != null && by.length() > 0) { -- try { -- stepBy = new BigInteger(by); -- } catch (Exception e) { -- } -- } -+ if (addLen != null && startFrom != null) { -+ Date revocationDate = CMS.getCurrentDate(); -+ String err = null; - -- long t1 = System.currentTimeMillis(); -- long t2 = 0; -- -- while (counter.compareTo(BigInteger.ZERO) > 0) { -- RevokedCertImpl revokedCert = -- new RevokedCertImpl(serialNumber, revocationDate, entryExts); -- crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); -- serialNumber = serialNumber.add(BigInteger.ONE); -- counter = counter.subtract(BigInteger.ONE); -- -- if ((counter.compareTo(BigInteger.ZERO) == 0) || -- (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { -- t2 = System.currentTimeMillis(); -- long t0 = t2 - t1; -- t1 = t2; -- try { -- if (signatureAlgorithm != null) { -- crlIssuingPoint.updateCRLNow(signatureAlgorithm); -- } else { -- crlIssuingPoint.updateCRLNow(); -- } -- } catch (Throwable e) { -- counter = BigInteger.ZERO; -- err = e.toString(); -- } -- if (results != null && results.equals("1")) { -- addInfo(argSet, crlIssuingPoint, t0); -- } -- } -- } -- if (err != null) { -- header.addStringValue("crlUpdate", "Failure"); -- header.addStringValue("error", err); -- } else { -- 
header.addStringValue("crlUpdate", "Success"); -- } -- } else { -- CMS.debug("CRL test error: missing parameters."); -- header.addStringValue("crlUpdate", "missingParameters"); -- } -+ CRLExtensions entryExts = crlEntryExtensions(reason, invalidity); - -- mTesting.remove(crlIssuingPointId); -- CMS.debug("CRL test finished."); -- return; -- } else if (test != null && test.equals("true") && -- crlIssuingPoint.isCRLCacheTestingEnabled() && -- mTesting.contains(crlIssuingPointId)) { -- header.addStringValue("crlUpdate", "testingInProgress"); -- return; -- } else if (test != null && test.equals("true") && -- (!crlIssuingPoint.isCRLCacheTestingEnabled())) { -- header.addStringValue("crlUpdate", "testingNotEnabled"); -- return; -- } -+ BigInteger serialNumber = startFrom; -+ BigInteger counter = addLen; -+ BigInteger stepBy = null; -+ if (by != null && by.length() > 0) { - try { -- EBaseException publishError = null; -+ stepBy = new BigInteger(by); -+ } catch (Exception e) { -+ } -+ } - -+ long t1 = System.currentTimeMillis(); -+ long t2 = 0; -+ -+ while (counter.compareTo(BigInteger.ZERO) > 0) { -+ RevokedCertImpl revokedCert = -+ new RevokedCertImpl(serialNumber, revocationDate, entryExts); -+ crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); -+ serialNumber = serialNumber.add(BigInteger.ONE); -+ counter = counter.subtract(BigInteger.ONE); -+ -+ if ((counter.compareTo(BigInteger.ZERO) == 0) || -+ (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { -+ t2 = System.currentTimeMillis(); -+ long t0 = t2 - t1; -+ t1 = t2; - try { -- long now1 = System.currentTimeMillis(); -- - if (signatureAlgorithm != null) { - crlIssuingPoint.updateCRLNow(signatureAlgorithm); - } else { - crlIssuingPoint.updateCRLNow(); - } -+ } catch (Throwable e) { -+ counter = BigInteger.ZERO; -+ err = e.toString(); -+ } -+ if (results != null && results.equals("1")) { -+ addInfo(argSet, crlIssuingPoint, t0); -+ } -+ } -+ } -+ if (err != null) { -+ 
header.addStringValue("crlUpdate", "Failure"); -+ header.addStringValue("error", err); -+ } else { -+ header.addStringValue("crlUpdate", "Success"); -+ } -+ } else { -+ CMS.debug("CRL test error: missing parameters."); -+ header.addStringValue("crlUpdate", "missingParameters"); -+ } - -- long now2 = System.currentTimeMillis(); -+ mTesting.remove(crlIssuingPointId); -+ CMS.debug("CRL test finished."); -+ return; -+ } else if (test != null && test.equals("true") && -+ crlIssuingPoint.isCRLCacheTestingEnabled() && -+ mTesting.contains(crlIssuingPointId)) { -+ header.addStringValue("crlUpdate", "testingInProgress"); -+ return; -+ } else if (test != null && test.equals("true") && -+ (!crlIssuingPoint.isCRLCacheTestingEnabled())) { -+ header.addStringValue("crlUpdate", "testingNotEnabled"); -+ return; -+ } -+ try { -+ EBaseException publishError = null; - -- header.addStringValue("time", "" + (now2 - now1)); -- } catch (EErrorPublishCRL e) { -- publishError = e; -- } -+ try { -+ long now1 = System.currentTimeMillis(); - -- if (lpm != null && lpm.isCRLPublishingEnabled()) { -- Enumeration rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL); -- if (rules != null && rules.hasMoreElements()) { -- if (publishError != null) { -- header.addStringValue("crlPublished", "Failure"); -- header.addStringValue("error", publishError.toString(locale)); -- } else { -- header.addStringValue("crlPublished", "Success"); -- } -- } -- } -+ if (signatureAlgorithm != null) { -+ crlIssuingPoint.updateCRLNow(signatureAlgorithm); -+ } else { -+ crlIssuingPoint.updateCRLNow(); -+ } - -- // for audit log -- SessionContext sContext = SessionContext.getContext(); -- String agentId = (String) sContext.get(SessionContext.USER_ID); -- IAuthToken authToken = (IAuthToken) sContext.get(SessionContext.AUTH_TOKEN); -- String authMgr = AuditFormat.NOAUTH; -+ long now2 = System.currentTimeMillis(); - -- if (authToken != null) { -- authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); -- } -- 
long endTime = CMS.getCurrentDate().getTime(); -- -- if (crlIssuingPoint.getNextUpdate() != null) { -- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -- AuditFormat.LEVEL, -- AuditFormat.CRLUPDATEFORMAT, -- new Object[] { -- AuditFormat.FROMAGENT + " agentID: " + agentId, -- authMgr, -- "completed", -- crlIssuingPoint.getId(), -- crlIssuingPoint.getCRLNumber(), -- crlIssuingPoint.getLastUpdate(), -- crlIssuingPoint.getNextUpdate(), -- Long.toString(crlIssuingPoint.getCRLSize()) -- + " time: " + (endTime - startTime) } -- ); -- } else { -- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -- AuditFormat.LEVEL, -- AuditFormat.CRLUPDATEFORMAT, -- new Object[] { -- AuditFormat.FROMAGENT + " agentID: " + agentId, -- authMgr, -- "completed", -- crlIssuingPoint.getId(), -- crlIssuingPoint.getCRLNumber(), -- crlIssuingPoint.getLastUpdate(), -- "not set", -- Long.toString(crlIssuingPoint.getCRLSize()) -- + " time: " + (endTime - startTime) } -- ); -- } -- } catch (EBaseException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); -- if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { -- header.addStringValue("crlPublished", "Failure"); -- header.addStringValue("error", e.toString(locale)); -- } else { -- throw e; -- } -+ header.addStringValue("time", "" + (now2 - now1)); -+ } catch (EErrorPublishCRL e) { -+ publishError = e; -+ } -+ -+ if (lpm != null && lpm.isCRLPublishingEnabled()) { -+ Enumeration rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL); -+ if (rules != null && rules.hasMoreElements()) { -+ if (publishError != null) { -+ header.addStringValue("crlPublished", "Failure"); -+ header.addStringValue("error", publishError.toString(locale)); -+ } else { -+ header.addStringValue("crlPublished", "Success"); - } -+ } -+ } -+ -+ // for audit log -+ SessionContext sContext = SessionContext.getContext(); -+ String agentId = (String) sContext.get(SessionContext.USER_ID); -+ IAuthToken authToken = 
(IAuthToken) sContext.get(SessionContext.AUTH_TOKEN); -+ String authMgr = AuditFormat.NOAUTH; -+ -+ if (authToken != null) { -+ authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); -+ } -+ long endTime = CMS.getCurrentDate().getTime(); -+ -+ if (crlIssuingPoint.getNextUpdate() != null) { -+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -+ AuditFormat.LEVEL, -+ AuditFormat.CRLUPDATEFORMAT, -+ new Object[] { -+ AuditFormat.FROMAGENT + " agentID: " + agentId, -+ authMgr, -+ "completed", -+ crlIssuingPoint.getId(), -+ crlIssuingPoint.getCRLNumber(), -+ crlIssuingPoint.getLastUpdate(), -+ crlIssuingPoint.getNextUpdate(), -+ Long.toString(crlIssuingPoint.getCRLSize()) -+ + " time: " + (endTime - startTime) } -+ ); -+ } else { -+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -+ AuditFormat.LEVEL, -+ AuditFormat.CRLUPDATEFORMAT, -+ new Object[] { -+ AuditFormat.FROMAGENT + " agentID: " + agentId, -+ authMgr, -+ "completed", -+ crlIssuingPoint.getId(), -+ crlIssuingPoint.getCRLNumber(), -+ crlIssuingPoint.getLastUpdate(), -+ "not set", -+ Long.toString(crlIssuingPoint.getCRLSize()) -+ + " time: " + (endTime - startTime) } -+ ); -+ } -+ } catch (EBaseException e) { -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); -+ if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { -+ header.addStringValue("crlPublished", "Failure"); -+ header.addStringValue("error", e.toString(locale)); -+ } else { -+ throw e; -+ } -+ } - } - } --- -1.8.3.1 - - -From 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 15 May 2017 18:15:36 -0700 -Subject: [PATCH 16/27] Tocket2673- CMC: allow enrollment key signed - (self-signed) CMC with identity proof - -This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). 
The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches. ---- - base/ca/shared/conf/CS.cfg | 9 +- - .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 85 ++++ - base/ca/shared/webapps/ca/WEB-INF/web.xml | 28 ++ - .../certsrv/authentication/IAuthManager.java | 1 + - .../certsrv/authentication/IAuthSubsystem.java | 5 + - .../com/netscape/certsrv/logging/AuditEvent.java | 12 +- - .../src/com/netscape/cmstools/CMCRequest.java | 166 ++++++- - .../src/com/netscape/cmstools/CRMFPopClient.java | 32 ++ - .../src/com/netscape/cmstools/PKCS10Client.java | 87 ++-- - .../cms/authentication/CMCUserSignedAuth.java | 543 +++++++++++++-------- - .../netscape/cms/profile/common/EnrollProfile.java | 223 +++++++-- - .../netscape/cms/profile/def/CAEnrollDefault.java | 37 +- - .../def/SubjectKeyIdentifierExtDefault.java | 21 +- - .../netscape/cms/profile/input/EnrollInput.java | 19 +- - .../cms/servlet/processors/CRMFProcessor.java | 35 +- - .../servlet/profile/ProfileSubmitCMCServlet.java | 49 +- - base/server/cmsbundle/src/LogMessages.properties | 24 +- - .../com/netscape/cmscore/security/KeyCertUtil.java | 12 +- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 181 ++++++- - base/util/src/netscape/security/pkcs/PKCS10.java | 31 +- - .../netscape/security/pkcs/PKCS10Attributes.java | 2 + - 21 files changed, 1204 insertions(+), 398 
deletions(-) - create mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 3eb5b1b..f6297a3 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -735,7 +735,6 @@ ca.publish.rule.instance.LdapXCertRule.predicate= - ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher - ca.publish.rule.instance.LdapXCertRule.type=xcert - cmc.cert.confirmRequired=false --cmc.lraPopWitness.verify.allow=false - cmc.popLinkWitnessRequired=false - cmc.revokeCert.verify=true - cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret -@@ -908,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMP
UTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION
_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_
SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCC
ESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -@@ -971,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 - oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension - oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 - os.userid=nobody 
--profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
-+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment - profile.caUUIDdeviceCert.class_id=caEnrollImpl - profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg - profile.caManualRenewal.class_id=caEnrollImpl -@@ -1018,6 +1017,8 @@ profile.caFullCMCUserCert.class_id=caEnrollImpl - profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg - profile.caFullCMCUserSignedCert.class_id=caEnrollImpl - profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg -+profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl 
-+profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg - profile.caInternalAuthOCSPCert.class_id=caEnrollImpl - profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg - profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -new file mode 100644 -index 0000000..db3fbd6 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -0,0 +1,85 @@ -+desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request -+enable=true -+enableBy=admin -+name=Self-Signed CMC User Certificate Enrollment -+visible=false -+auth.instance_id=CMCUserSignedAuth -+input.list=i1,i2 -+input.i1.class_id=cmcCertReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=cmcUserCertSet -+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -+policyset.cmcUserCertSet.1.constraint.params.accept=true -+policyset.cmcUserCertSet.1.constraint.params.pattern=.* -+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.name=Subject Name Default -+policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint -+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false -+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false -+policyset.cmcUserCertSet.2.constraint.params.range=365 -+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl 
-+policyset.cmcUserCertSet.2.default.name=Validity Default -+policyset.cmcUserCertSet.2.default.params.range=180 -+policyset.cmcUserCertSet.2.default.params.startTime=0 -+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.cmcUserCertSet.3.constraint.name=Key Constraint -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 -+policyset.cmcUserCertSet.3.constraint.params.keyType=- -+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.cmcUserCertSet.3.default.name=Key Default -+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.4.constraint.name=No Constraint -+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default -+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.5.constraint.name=No Constraint -+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.cmcUserCertSet.5.default.name=AIA Extension Default -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false -+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false 
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.cmcUserCertSet.6.default.name=Key Usage Default -+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.7.constraint.name=No Constraint -+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false -+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.cmcUserCertSet.8.constraint.name=No Constraint 
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.cmcUserCertSet.8.default.name=Signing Alg -+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml -index dc61ab3..a550142 100644 ---- a/base/ca/shared/webapps/ca/WEB-INF/web.xml -+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml -@@ -1576,6 +1576,29 @@ - - - -+ caProfileSubmitSelfSignedCMCFull -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caFullCMCSelfSignedCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitSelfSignedCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ - caProfileList - com.netscape.cms.servlet.profile.ProfileListServlet - GetClientCert -@@ -2284,6 +2307,11 @@ - /ee/ca/profileSubmitUserSignedCMCFull - - -+ -+ caProfileSubmitSelfSignedCMCFull -+ /ee/ca/profileSubmitSelfSignedCMCFull -+ -+ - - caProfileList - /ee/ca/profileList -diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -index 21639e2..7d30d2e 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java -@@ -33,6 +33,7 @@ public interface IAuthManager { - - /* standard credential for CMC request signing cert */ - public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert"; -+ public static final String CRED_CMC_SELF_SIGNED = "cmcSelfSigned"; - - /** - * Standard credential for client cert's serial number from revocation. 
-diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java -index e1ccc2d..9089527 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java -+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java -@@ -119,6 +119,11 @@ public interface IAuthSubsystem extends ISubsystem { - public static final String CMCAUTH_AUTHMGR_ID = "CMCAuth"; - - /** -+ * Constant for CMC user-signed authentication manager ID. -+ */ -+ public static final String CMC_USER_SIGNED_AUTH_AUTHMGR_ID = "CMCUserSignedAuth"; -+ -+ /** - * Authenticate the given credentials using the given manager name. - * - * @param authCred The authentication credentials -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 523b204..059363e 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -125,7 +125,11 @@ public class AuditEvent implements IBundleLogEvent { - public final static String CERT_PROFILE_APPROVAL = - "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4"; - public final static String PROOF_OF_POSSESSION = -- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; -+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3"; -+ public final static String CMC_PROOF_OF_IDENTIFICATION = -+ "LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3"; -+ public final static String CMC_ID_POP_LINK_WITNESS = -+ "LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3"; - - public final static String CRL_RETRIEVAL = - "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; -@@ -143,8 +147,10 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3"; - public final static String CMC_SIGNED_REQUEST_SIG_VERIFY = - "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5"; -- public 
final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY = -- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5"; -+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5"; -+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = -+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6"; - - public final static String COMPUTE_RANDOM_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index ac523ad..6e27cb1 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -103,6 +103,9 @@ import com.netscape.cmsutil.util.HMACDigest; - import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.SubjectKeyIdentifierExtension; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CertImpl; - -@@ -121,6 +124,7 @@ public class CMCRequest { - public static final int ARGC = 1; - public static final String HEADER = "-----BEGIN"; - public static final String TRAILER = "-----END"; -+ public static SubjectKeyIdentifierExtension skiExtn = null; - - void cleanArgs(String[] s) { - -@@ -193,7 +197,7 @@ public class CMCRequest { - } - - /** -- * signData signs the request PKIData -+ * signData signs the request PKIData using existing cert - * - * @param signerCert the certificate of the authorized signer of the CMC revocation request. - * @param nickname the nickname of the certificate inside the token. 
-@@ -212,6 +216,15 @@ public class CMCRequest { - SignedData req = null; - System.out.println(method + "begins: "); - -+ if (signerCert == null || -+ tokenName == null || -+ nickname == null || -+ manager == null || -+ pkidata == null) { -+ System.out.println(method + "method parameters cannot be null"); -+ System.exit(1); -+ } -+ - try { - java.security.PrivateKey privKey = null; - SignerIdentifier si = null; -@@ -232,7 +245,72 @@ public class CMCRequest { - privKey = getPrivateKey(tokenName, nickname); - if (privKey != null) - System.out.println(method + " got signer privKey"); -+ else { -+ System.out.println(method + " signer privKey not foudn on token"); -+ System.exit(1); -+ } -+ -+ org.mozilla.jss.crypto.X509Certificate[] certChain = manager.buildCertificateChain(signerCert); -+ req = createSignedData(privKey, si, certChain, pkidata); -+ -+ System.out.println(method + "signed request generated."); -+ } catch (Exception e) { -+ e.printStackTrace(); -+ System.exit(1); -+ } -+ -+ return req; -+ } -+ -+ /* -+ * signData self-signs the PKIData using the private key that matches -+ * the public key in the request -+ */ -+ static SignedData signData( -+ java.security.PrivateKey privKey, -+ PKIData pkidata) { -+ String method = "signData for selfSign: "; -+ System.out.println(method + "begins: "); -+ SignedData req = null; -+ -+ if (privKey == null || -+ pkidata == null) { -+ System.out.println(method + "method parameters cannot be null"); -+ System.exit(1); -+ } -+ -+ KeyIdentifier keyIdObj = null; -+ try { -+ keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); -+ SignerIdentifier si = new SignerIdentifier( -+ SignerIdentifier.SUBJECT_KEY_IDENTIFIER, -+ null, new OCTET_STRING(keyIdObj.getIdentifier())); -+ req = createSignedData(privKey, si, null /*certChain*/, pkidata); -+ } catch (Exception e) { -+ e.printStackTrace(); -+ System.exit(1); -+ } -+ return req; -+ } - -+ static SignedData createSignedData( -+ java.security.PrivateKey privKey, 
-+ SignerIdentifier signerId, -+ org.mozilla.jss.crypto.X509Certificate[] certChain, -+ PKIData pkidata) { -+ -+ String method = "createSignedData: "; -+ System.out.println(method + "begins"); -+ if (privKey == null || -+ signerId == null || -+ pkidata == null) { -+ // certChain could be null -+ System.out.println(method + "method parameters cannot be null"); -+ System.exit(1); -+ } -+ -+ SignedData req = null; -+ try { - EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); - DigestAlgorithm digestAlg = null; - SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey); -@@ -251,11 +329,18 @@ public class CMCRequest { - pkidata.encode(ostream); - digest = SHADigest.digest(ostream.toByteArray()); - } catch (NoSuchAlgorithmException e) { -- System.out.println(e); System.exit(1);} -+ System.out.println(e); -+ System.exit(1); -+ } - System.out.println(method + "digest created for pkidata"); - -- SignerInfo signInfo = new SignerInfo(si, null, null, OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg, -+ SignerInfo signInfo = new SignerInfo(signerId, null, null, -+ OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg, - (org.mozilla.jss.crypto.PrivateKey) privKey); -+ -+ String digestAlgName = signInfo.getDigestEncryptionAlgorithm().toString(); -+ System.out.println(method + "digest algorithm =" + digestAlgName); -+ - SET signInfos = new SET(); - signInfos.addElement(signInfo); - -@@ -266,21 +351,20 @@ public class CMCRequest { - digestAlgs.addElement(ai); - } - -- org.mozilla.jss.crypto.X509Certificate[] agentChain = manager.buildCertificateChain(signerCert); - SET certs = new SET(); -- -- for (int i = 0; i < agentChain.length; i++) { -- ANY cert = new ANY(agentChain[i].getEncoded()); -- certs.addElement(cert); -+ if (certChain != null) { -+ System.out.println(method + "building cert chain"); -+ for (int i = 0; i < certChain.length; i++) { -+ ANY cert = new ANY(certChain[i].getEncoded()); -+ certs.addElement(cert); -+ } - } 
- - req = new SignedData(digestAlgs, ci, certs, null, signInfos); -- System.out.println(method + "signed request generated."); - } catch (Exception e) { - e.printStackTrace(); - System.exit(1); - } -- - return req; - } - -@@ -325,6 +409,7 @@ public class CMCRequest { - * @return request in PKIData - */ - static PKIData createPKIData( -+ String selfSign, - String[] rValue, String format, String transactionMgtEnable, - String transactionMgtId, - String identificationEnable, String identification, -@@ -387,13 +472,26 @@ public class CMCRequest { - } - certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0); - -+ CertRequest certReq = certReqMsg.getCertReq(); -+ CertTemplate certTemplate = certReq.getCertTemplate(); -+ if (selfSign.equals("true")) { -+ skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate( -+ certTemplate, -+ PKIXExtensions.SubjectKey_Id); -+ if (skiExtn != null) { -+ System.out.println(method + -+ " SubjectKeyIdentifier extension found in self-signed request"); -+ } else { -+ System.out.println(method + -+ " SubjectKeyIdentifier extension missing in self-signed request"); -+ System.exit(1); -+ } -+ } - if (popLinkWitnessV2Enable.equals("true")) { - System.out.println(method + - "popLinkWitnessV2 enabled. 
reconstructing crmf"); - //crmf reconstruction to include PopLinkWitnessV2 control -- CertRequest certReq = certReqMsg.getCertReq(); - INTEGER certReqId = certReq.getCertReqId(); -- CertTemplate certTemplate = certReq.getCertTemplate(); - SEQUENCE controls = certReq.getControls(); - controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2, - popLinkWitnessV2Control)); -@@ -449,6 +547,22 @@ public class CMCRequest { - System.out.println(method + " Excception:" + e2.toString()); - System.exit(1); - } -+ -+ if (selfSign.equals("true")) { -+ try { -+ skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10( -+ pkcs, "SubjectKeyIdentifier"); -+ } catch (IOException e) { -+ System.out.println(method + "getting SubjectKeyIdentifiere..." + e); -+ } -+ -+ if (skiExtn != null) { -+ System.out.println(method + " SubjectKeyIdentifier extension found"); -+ } else { -+ System.out.println(method + " SubjectKeyIdentifier extension missing"); -+ System.exit(1); -+ } -+ } - ByteArrayInputStream crInputStream = new ByteArrayInputStream( - pkcs.toByteArray()); - CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate() -@@ -661,8 +775,13 @@ public class CMCRequest { - System.out.println(""); - System.out.println("#nickname: nickname for agent certificate which will be used"); - System.out.println("#to sign the CMC full request."); -+ System.out.println("#selfSign: if selfSign is true, the CMC request will be"); -+ System.out.println("#signed with the pairing private key of the request;"); -+ System.out.println("#and in which case the nickname will be ignored"); - System.out.println("nickname=CMS Agent Certificate"); - System.out.println(""); -+ System.out.println("selfSign=false"); -+ System.out.println(""); - System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); - System.out.println("dbdir=./"); - System.out.println(""); -@@ -1700,6 +1819,7 @@ public class CMCRequest { - String popLinkWitnessV2Enable = 
"false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; - String popLinkWitnessEnable = "false"; - String bodyPartIDs = null, lraPopWitnessEnable = "false"; -+ String selfSign = "false"; - - System.out.println(""); - -@@ -1760,6 +1880,8 @@ public class CMCRequest { - decryptedPopEnable = val; - } else if (name.equals("encryptedPopResponseFile")) { - encryptedPopResponseFile = val; -+ } else if (name.equals("request.selfSign")) { -+ selfSign = val; - } else if (name.equals("request.privKeyId")) { - privKeyId = val; - } else if (name.equals("decryptedPopRequestFile")) { -@@ -1846,7 +1968,7 @@ public class CMCRequest { - printUsage(); - } - -- if (nickname == null) { -+ if (!selfSign.equals("true") && nickname == null) { - System.out.println("Missing nickname."); - printUsage(); - } -@@ -1898,14 +2020,14 @@ public class CMCRequest { - System.out.println("got signerCert: "+ certname.toString()); - } - -- //cfu - ContentInfo cmcblob = null; - PKIData pkidata = null; - PrivateKey privk = null; -- if (decryptedPopEnable.equalsIgnoreCase("true") || -+ if (selfSign.equalsIgnoreCase("true") || -+ decryptedPopEnable.equalsIgnoreCase("true") || - popLinkWitnessV2Enable.equalsIgnoreCase("true")) { - if (privKeyId == null) { -- System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); -+ System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); - printUsage(); - } else { - System.out.println("got request privKeyId: " + privKeyId); -@@ -2095,6 +2217,7 @@ public class CMCRequest { - - // create the request PKIData - pkidata = createPKIData( -+ selfSign, - requests, - format, transactionMgtEnable, transactionMgtId, - identificationEnable, identification, -@@ -2114,7 +2237,16 @@ public class CMCRequest { - } - - // sign the request -- SignedData signedData = signData(signerCert, tokenName, nickname, cm, pkidata); -+ SignedData signedData = null; -+ if 
(selfSign.equalsIgnoreCase("true")) { -+ // selfSign signes with private key -+ System.out.println("selfSign is true..."); -+ signedData = signData(privk, pkidata); -+ } else { -+ // none selfSign signes with existing cert -+ System.out.println("selfSign is false..."); -+ signedData = signData(signerCert, tokenName, nickname, cm, pkidata); -+ } - if (signedData == null) { - System.out.println("signData() returns null. Exiting with error"); - System.exit(1); -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index d0e5c27..0057a1d 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -86,6 +86,8 @@ import com.netscape.cmsutil.util.HMACDigest; - import com.netscape.cmsutil.util.Utils; - - import netscape.security.util.WrappingParams; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.PKIXExtensions; - import netscape.security.x509.X500Name; - - /** -@@ -196,6 +198,8 @@ public class CRMFPopClient { - option.setArgName("keySet"); - options.addOption(option); - -+ options.addOption("y", false, "for Self-signed cmc."); -+ - options.addOption("v", "verbose", false, "Run in verbose mode."); - options.addOption(null, "help", false, "Show help message."); - -@@ -214,6 +218,9 @@ public class CRMFPopClient { - System.out.println(" -k Attribute value encoding in subject DN (default: false)"); - System.out.println(" - true: enabled"); - System.out.println(" - false: disabled"); -+ System.out.println(" -y Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)"); -+ System.out.println(" - true: enabled"); -+ System.out.println(" - false: disabled"); - System.out.println(" -a Key algorithm (default: rsa)"); - System.out.println(" - rsa: RSA"); - System.out.println(" - ec: ECC"); -@@ -320,6 +327,8 @@ public class CRMFPopClient { - int sensitive 
= Integer.parseInt(cmd.getOptionValue("s", "-1")); - int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); - -+ boolean self_sign = cmd.hasOption("y"); -+ - // get the key wrapping mechanism - boolean keyWrap = true; - if (cmd.hasOption("g")) { -@@ -516,6 +525,7 @@ public class CRMFPopClient { - - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest( -+ self_sign, - token, transportCert, algorithm, keyPair, - subject, archivalMechanism, wrappingKeySet); - -@@ -629,6 +639,19 @@ public class CRMFPopClient { - Name subject, - String archivalMechanism, - String wrappingKeySet) throws Exception { -+ return createCertRequest(false, token, transportCert, algorithm, keyPair, -+ subject, archivalMechanism, wrappingKeySet); -+ } -+ -+ public CertRequest createCertRequest( -+ boolean self_sign, -+ CryptoToken token, -+ X509Certificate transportCert, -+ String algorithm, -+ KeyPair keyPair, -+ Name subject, -+ String archivalMechanism, -+ String wrappingKeySet) throws Exception { - EncryptionAlgorithm encryptAlg = null; - - if (wrappingKeySet == null) { -@@ -663,6 +686,15 @@ public class CRMFPopClient { - seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); - */ - -+ if (self_sign) { // per rfc 5272 -+ System.out.println("CRMFPopClient: self_sign true. 
Generating SubjectKeyIdentifier extension."); -+ KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair); -+ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); -+ SEQUENCE extns = new SEQUENCE(); -+ extns.addElement(new AVA(oid, new OCTET_STRING(subjKeyId.getIdentifier()))); -+ certTemplate.setExtensions(extns); -+ } -+ - return new CertRequest(new INTEGER(1), certTemplate, seq); - } - -diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -index fd1d087..795c24b 100644 ---- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -@@ -17,19 +17,15 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.cmstools; - --import java.io.ByteArrayOutputStream; - import java.io.FileOutputStream; - import java.io.IOException; - import java.io.PrintStream; - import java.security.KeyPair; --import java.security.PublicKey; - - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.BMPString; --import org.mozilla.jss.asn1.INTEGER; - import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; - import org.mozilla.jss.asn1.PrintableString; --import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.asn1.TeletexString; - import org.mozilla.jss.asn1.UTF8String; - import org.mozilla.jss.asn1.UniversalString; -@@ -37,20 +33,17 @@ import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.KeyPairAlgorithm; - import org.mozilla.jss.crypto.KeyPairGenerator; - import org.mozilla.jss.crypto.PrivateKey; --import org.mozilla.jss.crypto.SignatureAlgorithm; --import org.mozilla.jss.pkcs10.CertificationRequest; --import org.mozilla.jss.pkcs10.CertificationRequestInfo; - import org.mozilla.jss.pkix.primitive.AVA; - import org.mozilla.jss.pkix.primitive.Name; --import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; - import org.mozilla.jss.util.Password; - - import 
com.netscape.cmsutil.crypto.CryptoUtil; --import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.Extensions; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.SubjectKeyIdentifierExtension; - import netscape.security.x509.X500Name; --import netscape.security.x509.X509Key; - - /** - * Generates an ECC or RSA key pair in the security database, constructs a -@@ -91,6 +84,8 @@ public class PKCS10Client { - " -x \n"); - System.out.println( - " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); -+ System.out.println( -+ "In addition: -y \n"); - } - - public static void main(String args[]) throws Exception { -@@ -105,6 +100,8 @@ public class PKCS10Client { - boolean ec_ssl_ecdh = false; - int rsa_keylen = 2048; - -+ boolean self_sign = false; -+ - if (args.length < 4) { - printUsage(); - System.exit(1); -@@ -171,6 +168,12 @@ public class PKCS10Client { - subjectName = args[i+1]; - } else if (name.equals("-h")) { - tokenName = args[i+1]; -+ } else if (name.equals("-y")) { -+ String temp = args[i+1]; -+ if (temp.equals("true")) -+ self_sign = true; -+ else -+ self_sign = false; - } else { - System.out.println("Unrecognized argument(" + i + "): " - 
+ name); -@@ -273,55 +276,29 @@ public class PKCS10Client { - Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr); - ***/ - -- SET attributes = new SET(); -- //attributes.addElement(attr); -- Name n = getJssName(enable_encoding, subjectName); -- SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic()); -- System.out.println("PKCS10Client: pair.getPublic() called."); -- CertificationRequestInfo certReqInfo = -- new CertificationRequestInfo(new INTEGER(0), n, subjectPub, attributes); -- System.out.println("PKCS10Client: CertificationRequestInfo() created."); - -- String b64E = ""; -- if (alg.equals("rsa")) { -- CertificationRequest certRequest = null; -- certRequest = new CertificationRequest(certReqInfo, -- pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest); -- System.out.println("PKCS10Client: CertificationRequest created."); -+ Extensions extns = new Extensions(); -+ if (self_sign) { // per rfc 5272 -+ System.out.println("PKCS10Client: self_sign true. 
Generating SubjectKeyIdentifier extension."); -+ KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair); -+ SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false, -+ subjKeyId.getIdentifier()); -+ extns.add(extn); -+ } - -- ByteArrayOutputStream bos = new ByteArrayOutputStream(); -- certRequest.encode(bos); -- byte[] bb = bos.toByteArray(); -+ String b64E = ""; -+ PKCS10 certReq = CryptoUtil.createCertificationRequest( -+ subjectName, pair, extns); - -- System.out.println("PKCS10Client: calling Utils.b64encode."); -- b64E = Utils.base64encode(bb); -- System.out.println("PKCS10Client: b64encode completes."); -- } else { // "ec" -+ if (certReq == null) { -+ System.out.println("PKCS10Client: cert request null"); -+ System.exit(1); -+ } else -+ System.out.println("PKCS10Client: CertificationRequest created."); -+ byte[] certReqb = certReq.toByteArray(); -+ b64E = CryptoUtil.base64Encode(certReqb); - -- CryptoToken t = cm.getThreadToken(); -- System.out.println("PKCS10Client: token is: "+ t.getName()); -- PublicKey pubk = pair.getPublic(); -- if (pubk == null) { -- System.out.println("PKCS10Client: pubk null."); -- System.exit(1); -- } -- X509Key xKey = null; -- byte pubk_encoded[] = pubk.getEncoded(); -- xKey = CryptoUtil.getPublicX509ECCKey(pubk_encoded); -- System.out.println("PKCS10Client: calling CryptoUtil.createCertificationRequest"); -- PKCS10 certReq = CryptoUtil.createCertificationRequest( -- subjectName, xKey, (org.mozilla.jss.crypto.PrivateKey) pair.getPrivate(), -- "SHA256withEC"); -- -- System.out.println("PKCS10Client: created cert request"); -- if (certReq == null) { -- System.out.println("PKCS10Client: cert request null"); -- System.exit(1); -- } else -- System.out.println("PKCS10Client: cert request not null"); -- byte[] certReqb = certReq.toByteArray(); -- b64E = CryptoUtil.base64Encode(certReqb); -- } -+ System.out.println("PKCS10Client: b64encode completes."); - - // print out keyid to be used in cmc popLinkWitnessV2 - 
PrivateKey privateKey = (PrivateKey) pair.getPrivate(); -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index a72ce58..2128c1e 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -39,6 +39,7 @@ import java.util.Vector; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.CryptoManager.NotInitializedException; - import org.mozilla.jss.asn1.ASN1Util; -+import org.mozilla.jss.asn1.BIT_STRING; - import org.mozilla.jss.asn1.INTEGER; - import org.mozilla.jss.asn1.InvalidBERException; - import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; -@@ -66,6 +67,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest; - import org.mozilla.jss.pkix.crmf.CertTemplate; - import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; - import org.mozilla.jss.pkix.primitive.Name; -+import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; -@@ -90,6 +92,9 @@ import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Utils; - - import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.SubjectKeyIdentifierExtension; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CertImpl; - import netscape.security.x509.X509CertInfo; -@@ -103,14 +108,15 @@ import netscape.security.x509.X509Key; - /** - * User Signed CMC authentication plug-in - * note: -- * - this version differs from CMCAuth in that it allows non-agent users -- * to sign own cmc requests; It is expected to be used with -- * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint -- * so that the resulting cert will bear the same 
subjectDN of that of the CMC -- * signing cert -- * - it originates from CMCAuth with modification for user-signed cmc -+ * - this version differs from CMCAuth in that it allows non-agent users -+ * to sign own cmc requests; It is expected to be used with -+ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint -+ * so that the resulting cert will bear the same subjectDN of that of the CMC -+ * signing cert -+ * - it originates from CMCAuth with modification for user-signed cmc -+ * - * @author cfu - user signed cmc authentication -- *

    -+ *

    - * - * @version $Revision$, $Date$ - */ -@@ -121,6 +127,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // default parameters // - //////////////////////// - -+ // only one request for self-signed -+ boolean selfSigned = false; -+ SubjectKeyIdentifierExtension selfsign_skiExtn = null; -+ PK11PubKey selfsign_pubK = null; -+ byte[] selfsign_digest = null; -+ - ///////////////////////////// - // IAuthManager parameters // - ///////////////////////////// -@@ -144,8 +156,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - * for instances of this implementation can be configured through the - * console. - */ -- protected static String[] mConfigParams = -- new String[] {}; -+ protected static String[] mConfigParams = new String[] {}; - - /* authentication plug-in values */ - -@@ -171,7 +182,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - mExtendedPluginInfo - .add(IExtendedPluginInfo.HELP_TEXT + -- ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); -+ ";Authenticate the CMC request. 
The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\""); - mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-authentication"); - } -@@ -185,10 +196,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - /* signed audit parameters */ - private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -- private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = -- "enrollment"; -- private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = -- "revocation"; -+ private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment"; -+ private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation"; - - ///////////////////// - // default methods // -@@ -228,7 +237,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - *

    - * - *

      -- *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert -+ *
    • signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC -+ * (user-pre-signed or self-signed) cert - * requests or revocation requests are submitted and signature is verified - *
    - * -@@ -245,6 +255,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, - EBaseException { - String method = "CMCUserSignedAuth: authenticate: "; -+ String msg = ""; - CMS.debug(method + "begins"); - - String auditMessage = null; -@@ -273,40 +284,19 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - if (cmc == null) { - CMS.debug(method + " Authentication failed. Missing CMC."); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -- - throw new EMissingCredential(CMS.getUserMessage( - "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC)); - } - - if (cmc.equals("")) { -- log(ILogger.LL_FAILURE, -- "cmc : attempted login with empty CMC."); -- -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -- -- throw new EInvalidCredentials(CMS.getUserMessage( -- "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ msg = "attempted login with empty cert_request in authCred."; -+ CMS.debug(method + msg); -+ -+ throw new EInvalidCredentials(msg); - } - -+ SessionContext auditContext = SessionContext.getExistingContext(); -+ - // authenticate by checking CMC. - - // everything OK. 
-@@ -330,84 +320,88 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - asciiBASE64Blob = cmc; - - byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); -- ByteArrayInputStream cmcBlobIn = new -- ByteArrayInputStream(cmcBlob); -+ ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob); - - org.mozilla.jss.pkix.cms.ContentInfo cmcReq = -- (org.mozilla.jss.pkix.cms.ContentInfo) -- org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode( -+ (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo -+ .getTemplate().decode( - cmcBlobIn); - - if (!cmcReq.getContentType().equals( - org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || - !cmcReq.hasContent()) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); - -- audit(auditMessage); -- -- // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT); -- -- throw new EBaseException("NO_CMC_CONTENT"); -+ cmcBlobIn.close(); -+ msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA"; -+ CMS.debug(msg); -+ throw new EBaseException(msg); - } - -- SignedData cmcFullReq = (SignedData) -- cmcReq.getInterpretedContent(); -+ SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); -+ -+ String userid = ILogger.UNIDENTIFIED; -+ String uid = ILogger.UNIDENTIFIED; - - IConfigStore cmc_config = CMS.getConfigStore(); -- boolean checkSignerInfo = -- cmc_config.getBoolean("cmc.signerInfo.verify", true); -- String userid = "defUser"; -- String uid = "defUser"; -+ boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); - if (checkSignerInfo) { -- IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq); -+ // selfSigned will be set in verifySignerInfo if applicable -+ IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); - if (userToken 
== null) { -- CMS.debug(method + " authenticate() userToken null"); -- throw new EBaseException(method + " verifySignerInfo failure"); -+ msg = "userToken null; verifySignerInfo failure"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); -+ } else { -+ if (selfSigned) { -+ CMS.debug(method -+ + " self-signed cmc request will not have user identification info at this point."); -+ auditSignerInfo = "selfSigned"; -+ } else { -+ CMS.debug(method + "signed with user cert"); -+ userid = userToken.getInString("userid"); -+ uid = userToken.getInString("cn"); -+ if (userid == null && uid == null) { -+ msg = " verifySignerInfo failure... missing userid and cn"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); -+ } -+ // reset value of auditSignerInfo -+ if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { -+ CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); -+ auditSignerInfo = uid.trim(); -+ auditSubjectID = uid.trim(); -+ authToken.set(IAuthToken.USER_ID, auditSubjectID); -+ } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { -+ CMS.debug(method + "setting auditSignerInfo to userid:" + userid); -+ auditSignerInfo = userid.trim(); -+ auditSubjectID = userid.trim(); -+ authToken.set(IAuthToken.USER_ID, auditSubjectID); -+ } -+ } - } -- userid = userToken.getInString("userid"); -- uid = userToken.getInString("cn"); - } else { -- CMS.debug(method + " authenticate() signerInfo verification bypassed"); -- } -- // reset value of auditSignerInfo -- if (uid != null) { -- auditSignerInfo = uid.trim(); -+ CMS.debug(method + " signerInfo verification bypassed"); - } - - EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -+ SET sis = cmcFullReq.getSignerInfos(); -+ // only one SignerInfo for selfSigned -+ org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = -+ (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); - - OBJECT_IDENTIFIER id = ci.getContentType(); - - if 
(!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || - !ci.hasContent()) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -+ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; -+ CMS.debug(method + msg); - -- // throw new ECMSGWException( -- // CMSGWResources.NO_PKIDATA); -- -- throw new EBaseException("NO_PKIDATA"); -+ throw new EBaseException(msg); - } - - OCTET_STRING content = ci.getContent(); - -- ByteArrayInputStream s = new -- ByteArrayInputStream(content.toByteArray()); -+ ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); - PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - - SEQUENCE reqSequence = pkiData.getReqSequence(); -@@ -426,13 +420,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - if (controlSize > 0) { - for (int i = 0; i < controlSize; i++) { -- TaggedAttribute taggedAttribute = -- (TaggedAttribute) controlSequence.elementAt(i); -+ TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence.elementAt(i); - OBJECT_IDENTIFIER type = taggedAttribute.getType(); - - if (type.equals( - OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { --/* TODO: user-signed revocation to be handled in next ticket -+ /* TODO: user-signed revocation to be handled in next ticket - // if( i ==1 ) { - // taggedAttribute.getType() == - // OBJECT_IDENTIFIER.id_cmc_revokeRequest -@@ -479,10 +472,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - Integer IntObject = Integer.valueOf((int) reasonCode); - authToken.set(REASON_CODE, IntObject); - -- authToken.set("uid", uid); -- authToken.set("userid", userid); -+ -+ //authToken.set("uid", uid); -+ //authToken.set("userid", userid); -+ - } --*/ -+ */ -+ - } - } - -@@ -499,8 
+495,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - for (int i = 0; i < numReqs; i++) { - // decode message. -- TaggedRequest taggedRequest = -- (TaggedRequest) reqSequence.elementAt(i); -+ TaggedRequest taggedRequest = (TaggedRequest) reqSequence.elementAt(i); - - TaggedRequest.Type type = taggedRequest.getType(); - -@@ -508,18 +503,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - CMS.debug(method + " type is PKCS10"); - authToken.set("cert_request_type", "cmc-pkcs10"); - -- TaggedCertificationRequest tcr = -- taggedRequest.getTcr(); -+ TaggedCertificationRequest tcr = taggedRequest.getTcr(); - int p10Id = tcr.getBodyPartID().intValue(); - - reqIdArray[i] = String.valueOf(p10Id); - -- CertificationRequest p10 = -- tcr.getCertificationRequest(); -+ CertificationRequest p10 = tcr.getCertificationRequest(); - - // transfer to sun class -- ByteArrayOutputStream ostream = -- new ByteArrayOutputStream(); -+ ByteArrayOutputStream ostream = new ByteArrayOutputStream(); - - p10.encode(ostream); - boolean sigver = true; -@@ -533,8 +525,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - try { - cm = CryptoManager.getInstance(); - if (sigver == true) { -- String tokenName = -- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); -+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", -+ CryptoUtil.INTERNAL_TOKEN_NAME); - savedToken = cm.getThreadToken(); - signToken = CryptoUtil.getCryptoToken(tokenName); - if (!savedToken.getName().equals(signToken.getName())) { -@@ -543,65 +535,92 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } - } - -- PKCS10 pkcs10 = -- new PKCS10(ostream.toByteArray(), sigver); -+ PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); -+ // reset value of auditCertSubject -+ X500Name tempName = pkcs10.getSubjectName(); -+ CMS.debug(method + "request 
subject name=" + tempName.toString()); -+ if (tempName != null) { -+ auditCertSubject = tempName.toString().trim(); -+ if (auditCertSubject.equals("")) { -+ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ } -+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, -+ auditCertSubject/*tempName.toString()*/); -+ } -+ -+ if (selfSigned) { -+ // prepare for checking SKI extension -+ try { -+ selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil -+ .getExtensionFromPKCS10(pkcs10, "SubjectKeyIdentifier"); -+ if (selfsign_skiExtn != null) -+ CMS.debug(method + "SubjectKeyIdentifierExtension found:"); -+ else { -+ msg = "missing SubjectKeyIdentifierExtension in request"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); -+ } -+ } catch (IOException e) { -+ msg = method + "SubjectKeyIdentifierExtension not found:" + e; -+ CMS.debug(msg); -+ throw new EBaseException(msg); -+ } catch (Exception e) { -+ msg = method + "SubjectKeyIdentifierExtension not found:" + e; -+ CMS.debug(msg); -+ throw new EBaseException(msg); -+ } -+ -+ X509Key pubKey = pkcs10.getSubjectPublicKeyInfo(); -+ PrivateKey.Type keyType = null; -+ String alg = pubKey.getAlgorithm(); -+ -+ if (alg.equals("RSA")) { -+ CMS.debug(method + "signing key alg=RSA"); -+ keyType = PrivateKey.RSA; -+ selfsign_pubK = PK11PubKey.fromRaw(keyType, pubKey.getKey()); -+ } else if (alg.equals("EC")) { -+ CMS.debug(method + "signing key alg=EC"); -+ keyType = PrivateKey.EC; -+ byte publicKeyData[] = (pubKey).getEncoded(); -+ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); -+ } else { -+ msg = "unsupported signature algorithm: " + alg; -+ CMS.debug(method + msg); -+ throw new EInvalidCredentials(msg); -+ } -+ CMS.debug(method + "public key retrieved"); -+ verifySelfSignedCMC(selfsign_signerInfo, id); -+ -+ } //selfSigned - - // xxx do we need to do anything else? 
-- X509CertInfo certInfo = -- CMS.getDefaultX509CertInfo(); -+ X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); - - // fillPKCS10(certInfo,pkcs10,authToken,null); - - // authToken.set( - // pkcs10.getSubjectPublicKeyInfo()); - -- X500Name tempName = pkcs10.getSubjectName(); -- -- // reset value of auditCertSubject -- if (tempName != null) { -- auditCertSubject = -- tempName.toString().trim(); -- if (auditCertSubject.equals("")) { -- auditCertSubject = -- ILogger.SIGNED_AUDIT_EMPTY_VALUE; -- } -- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, -- tempName.toString()); -- } -- -+ /* - authToken.set("uid", uid); - authToken.set("userid", userid); -+ */ - - certInfoArray[i] = certInfo; - } catch (Exception e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -- -- //throw new ECMSGWException( -- //CMSGWResources.ERROR_PKCS101, e.toString()); -- - e.printStackTrace(); - throw new EBaseException(e.toString()); - } finally { -- if ((sigver == true) && (tokenSwitched == true)){ -+ if ((sigver == true) && (tokenSwitched == true)) { - cm.setThreadToken(savedToken); - } -- } -+ } - } else if (type.equals(TaggedRequest.CRMF)) { - - CMS.debug(method + " type is CRMF"); - authToken.set("cert_request_type", "cmc-crmf"); - try { -- CertReqMsg crm = -- taggedRequest.getCrm(); -+ CertReqMsg crm = taggedRequest.getCrm(); - CertRequest certReq = crm.getCertReq(); - INTEGER reqID = certReq.getCertReqId(); - reqIdArray[i] = reqID.toString(); -@@ -609,70 +628,82 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - Name name = template.getSubject(); - - // xxx do we need to do anything else? 
-- X509CertInfo certInfo = -- CMS.getDefaultX509CertInfo(); -+ X509CertInfo certInfo = CMS.getDefaultX509CertInfo(); - - // reset value of auditCertSubject - if (name != null) { - String ss = name.getRFC1485(); - -+ CMS.debug(method + "setting auditCertSubject to: " + ss); - auditCertSubject = ss; - if (auditCertSubject.equals("")) { -- auditCertSubject = -- ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); -- authToken.set("uid", uid); -- authToken.set("userid", userid); -+ //authToken.set("uid", uid); -+ //authToken.set("userid", userid); - } - certInfoArray[i] = certInfo; -- } catch (Exception e) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); - -- audit(auditMessage); -+ if (selfSigned) { -+ selfsign_skiExtn = -+ (SubjectKeyIdentifierExtension) CryptoUtil -+ .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id); -+ if (selfsign_skiExtn != null) { -+ CMS.debug(method + -+ "SubjectKeyIdentifierExtension found"); -+ } else { -+ CMS.debug(method + -+ "SubjectKeyIdentifierExtension not found"); -+ } -+ -+ // get public key for verifying signature later -+ SubjectPublicKeyInfo pkinfo = template.getPublicKey(); -+ PrivateKey.Type keyType = null; -+ String alg = pkinfo.getAlgorithm(); -+ BIT_STRING bitString = pkinfo.getSubjectPublicKey(); -+ byte[] publicKeyData = bitString.getBits(); -+ if (alg.equals("RSA")) { -+ CMS.debug(method + "signing key alg=RSA"); -+ keyType = PrivateKey.RSA; -+ selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData); -+ } else if (alg.equals("EC")) { -+ CMS.debug(method + "signing key alg=EC"); -+ keyType = PrivateKey.EC; -+ selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); -+ } else { -+ msg = "unsupported signature 
algorithm: " + alg; -+ CMS.debug(method + msg); -+ throw new EInvalidCredentials(msg); -+ } -+ CMS.debug(method + "public key retrieved"); - -- //throw new ECMSGWException( -- //CMSGWResources.ERROR_PKCS101, e.toString()); -+ verifySelfSignedCMC(selfsign_signerInfo, id); -+ } //selfSigned - -+ } catch (Exception e) { - e.printStackTrace(); -+ cmcBlobIn.close(); -+ s.close(); - throw new EBaseException(e.toString()); - } - } - -- // authToken.set(AgentAuthentication.CRED_CERT, new -- // com.netscape.certsrv.usrgrp.Certificates( -- // x509Certs)); - } - } -+ -+ authToken.set("uid", uid); -+ authToken.set("userid", userid); - } catch (Exception e) { - CMS.debug(method + e); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -- auditSubjectID, -- ILogger.FAILURE, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -- - //Debug.printStackTrace(e); -- throw new EInvalidCredentials(CMS.getUserMessage( -- "CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ throw new EInvalidCredentials(e.toString()); - } - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, - auditSubjectID, - ILogger.SUCCESS, - auditReqType, -@@ -687,12 +718,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - CMS.debug(method + eAudit1); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY, -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, - auditSubjectID, - ILogger.FAILURE, - auditReqType, - auditCertSubject, -- auditSignerInfo); -+ auditSignerInfo, -+ eAudit1.toString()); - - audit(auditMessage); - -@@ -702,12 +734,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - CMS.debug(method + eAudit2); - 
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
-- auditSignerInfo);
-+ auditSignerInfo,
-+ eAudit2.toString());
- 
- audit(auditMessage);
- 
-@@ -717,17 +750,70 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- CMS.debug(method + eAudit3);
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
-- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
-+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
- auditSubjectID,
- ILogger.FAILURE,
- auditReqType,
- auditCertSubject,
-- auditSignerInfo);
-+ auditSignerInfo,
-+ eAudit3.toString());
- 
- audit(auditMessage);
- 
- // rethrow the specific exception to be handled later
- throw eAudit3;
-+ } catch (Exception eAudit4) {
-+ CMS.debug(method + eAudit4);
-+ // store a message in the signed audit log file
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ auditReqType,
-+ auditCertSubject,
-+ auditSignerInfo,
-+ eAudit4.toString());
-+ 
-+ audit(auditMessage);
-+ 
-+ // rethrow the specific exception to be handled later
-+ throw eAudit4;
-+ }
-+ }
-+ 
-+ /*
-+ * verifySelfSignedCMC() verifies the following
-+ * a. the required (per RFC 5272) SKI extension in the request matches that in the
-+ * SignerIdentifier
-+ * b. 
the signature in the request
-+ */
-+ protected void verifySelfSignedCMC(
-+ org.mozilla.jss.pkix.cms.SignerInfo signerInfo,
-+ OBJECT_IDENTIFIER id)
-+ throws EBaseException {
-+ String method = "CMCUserSignedAuth: verifySelfSignedCMC: ";
-+ CMS.debug(method + "begins");
-+ try {
-+ SignerIdentifier sid = signerInfo.getSignerIdentifier();
-+ OCTET_STRING subjKeyId = sid.getSubjectKeyIdentifier();
-+ KeyIdentifier keyIdObj =
-+ (KeyIdentifier) selfsign_skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID);
-+ boolean match = CryptoUtil.compare(subjKeyId.toByteArray(), keyIdObj.getIdentifier());
-+ if (match) {
-+ CMS.debug(method +
-+ " SignerIdentifier SUBJECT_KEY_IDENTIFIER matches SKI of request");
-+ } else {
-+ CMS.debug(method +
-+ " SignerIdentifier SUBJECT_KEY_IDENTIFIER failed to match");
-+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-+ }
-+ // verify sig using public key in request
-+ CMS.debug(method + "verifying request signature with public key");
-+ signerInfo.verify(selfsign_digest, id, selfsign_pubK);
-+ CMS.debug(method + " signature verified");
-+ } catch (Exception e) {
-+ CMS.debug(method + e.toString());
-+ throw new EBaseException(method + e.toString());
- }
- }
- 
-@@ -825,10 +911,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- level, "CMC User Signed Authentication: " + msg);
- }
- 
-- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
-+ /**
-+ * User-signed CMC requests can be signed in two ways:
-+ * a. signed with previously issued user signing cert
-+ * b. 
self-signed with the private key paired with the public key in
-+ * the request
-+ *
-+ * In case "a", the resulting authToke would contain
-+ * (IAuthManager.CRED_CMC_SIGNING_CERT, signing cert serial number)
-+ * In case "b", the resulting authToke would not contain the attribute
-+ * IAuthManager.CRED_CMC_SIGNING_CERT
-+ */
-+ protected IAuthToken verifySignerInfo(
-+ SessionContext auditContext, // to capture info in case of failure
-+ AuthToken authToken,
-+ SignedData cmcFullReq)
-+ throws EBaseException {
- String method = "CMCUserSignedAuth: verifySignerInfo: ";
- CMS.debug(method + "begins");
-- 
- EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
- OBJECT_IDENTIFIER id = ci.getContentType();
- OCTET_STRING content = ci.getContent();
-@@ -849,13 +949,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- //if request key is used for signing, there MUST be only one signerInfo
- //object in the signedData object.
- for (int i = 0; i < numDig; i++) {
-- AlgorithmIdentifier dai =
-- (AlgorithmIdentifier) dais.elementAt(i);
-- String name =
-- DigestAlgorithm.fromOID(dai.getOID()).toString();
-+ AlgorithmIdentifier dai = (AlgorithmIdentifier) dais.elementAt(i);
-+ String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
- 
-- MessageDigest md =
-- MessageDigest.getInstance(name);
-+ MessageDigest md = MessageDigest.getInstance(name);
- 
- byte[] digest = md.digest(content.toByteArray());
- 
-@@ -867,6 +964,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- 
- for (int i = 0; i < numSis; i++) {
- org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
-+ //selfsign_SignerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
- 
- String name = si.getDigestAlgorithm().toString();
- byte[] digest = digs.get(name);
-@@ -879,11 +977,14 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- digest = 
md.digest(ostream.toByteArray());
- 
- }
-+ 
- // signed by previously certified signature key
- SignerIdentifier sid = si.getSignerIdentifier();
-- // TODO: need to handle signing key being the matching key from
-- // the request
- if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
-+ CMS.debug(method + "SignerIdentifier type: ISSUER_AND_SERIALNUMBER");
-+ selfSigned = false;
-+ CMS.debug(method + "selfSigned is false");
-+ 
- IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber();
- // find from the certs in the signedData
- java.security.cert.X509Certificate cert = null;
-@@ -899,14 +1000,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
- Name issuer = certI.getIssuer();
- 
- byte[] issuerB = ASN1Util.encode(issuer);
--CMS.debug(method + "issuer = " + new String(issuerB));
- INTEGER sn = certI.getSerialNumber();
- // if this cert is the signer cert, not a cert in the chain
- if (new String(issuerB).equals(new String(
- ASN1Util.encode(issuerAndSerialNumber.getIssuer())))
- && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) {
-- ByteArrayOutputStream os = new
-- ByteArrayOutputStream();
-+ ByteArrayOutputStream os = new ByteArrayOutputStream();
- 
- certJss.encode(os);
- certByteArray = os.toByteArray();
-@@ -919,13 +1018,23 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- 
- }
- }
-+ 
- CMS.debug(method + "start checking signature");
-+ String CN = null;
- if (cert == null) {
- // find from certDB
- CMS.debug(method + "verifying signature");
- si.verify(digest, id);
- } else {
- CMS.debug(method + "found signing cert... 
verifying");
-+ 
-+ //capture auditSubjectID first in case of failure
-+ netscape.security.x509.X500Name tempPrincipal =
-+ (X500Name) x509Certs[0].getSubjectDN();
-+ CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
-+ CMS.debug(method + " Principal name = " + CN);
-+ auditContext.put(SessionContext.USER_ID, CN);
-+ 
- PublicKey signKey = cert.getPublicKey();
- PrivateKey.Type keyType = null;
- String alg = signKey.getAlgorithm();
-@@ -942,21 +1051,24 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
- } else {
- CMS.debug(method + "unsupported signature algorithm: " + alg);
-- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-+ s.close();
-+ throw new EInvalidCredentials(
-+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- }
- 
-- String tokenName =
-- CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
-+ String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
-+ CryptoUtil.INTERNAL_TOKEN_NAME);
- // by default JSS will use internal crypto token
- if (!CryptoUtil.isInternalToken(tokenName)) {
- savedToken = cm.getThreadToken();
- signToken = CryptoUtil.getCryptoToken(tokenName);
-- if(signToken != null) {
-+ if (signToken != null) {
- cm.setThreadToken(signToken);
- tokenSwitched = true;
-- CMS.debug(method + "verifySignerInfo token switched:"+ tokenName);
-+ CMS.debug(method + "verifySignerInfo token switched:" + tokenName);
- } else {
-- CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal");
-+ CMS.debug(method + "verifySignerInfo token not found:" + tokenName
-+ + ", trying internal");
- }
- }
- 
-@@ -967,6 +1079,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- // verify signer's certificate using the revocator
- if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
- CMS.debug(method + "CMC 
signature failed to be verified");
-+ s.close();
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- } else {
- CMS.debug(method + "CMC signature verified; but signer not yet;");
-@@ -974,23 +1087,38 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- // At this point, the signature has been verified;
- 
- IAuthToken tempToken = new AuthToken(null);
-+/*
- netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
- String CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
- CMS.debug(method + " Principal name = " + CN);
-+*/
- 
- BigInteger certSerial = x509Certs[0].getSerialNumber();
- CMS.debug(method + " verified cert serial=" + certSerial.toString());
- authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString());
- tempToken.set("cn", CN);
- 
-+ s.close();
- return tempToken;
- 
-+ } else {
-+ CMS.debug(method + "no certificate found in cmcFullReq");
- }
-- 
-+ } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) {
-+ CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER");
-+ CMS.debug(method + "selfSigned is true");
-+ selfSigned = true;
-+ selfsign_digest = digest;
-+ 
-+ IAuthToken tempToken = new AuthToken(null);
-+ authToken.set(IAuthManager.CRED_CMC_SELF_SIGNED, "true");
-+ s.close();
-+ return tempToken;
- } else {
- CMS.debug(method + "unsupported SignerIdentifier type");
- }
-- }
-+ } //for
-+ 
- } catch (InvalidBERException e) {
- CMS.debug(method + e.toString());
- } catch (IOException e) {
-@@ -1001,7 +1129,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- CMS.debug(method + e.toString());
- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
- } finally {
-- if ((tokenSwitched == true) && (savedToken != null)){
-+ if ((tokenSwitched == true) && (savedToken != null)) {
- cm.setThreadToken(savedToken);
- CMS.debug(method + "verifySignerInfo token restored");
- }
-@@ 
-1123,8 +1251,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
- SessionContext auditContext = SessionContext.getExistingContext();
- 
- if (auditContext != null) {
-- subjectID = (String)
-- auditContext.get(SessionContext.USER_ID);
-+ subjectID = (String) auditContext.get(SessionContext.USER_ID);
- 
- if (subjectID != null) {
- subjectID = subjectID.trim();
-diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-index 7d52fc8..1443a0a 100644
---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-@@ -110,6 +110,8 @@ import netscape.security.x509.CertificateVersion;
- import netscape.security.x509.CertificateX509Key;
- import netscape.security.x509.Extension;
- import netscape.security.x509.Extensions;
-+import netscape.security.x509.PKIXExtensions;
-+import netscape.security.x509.SubjectKeyIdentifierExtension;
- import netscape.security.x509.X500Name;
- import netscape.security.x509.X509CertImpl;
- import netscape.security.x509.X509CertInfo;
-@@ -656,6 +658,8 @@ public abstract class EnrollProfile extends BasicProfile
- String msg = ""; // for capturing debug and throw info
- //CMS.debug(method + " Start parseCMC(): " + certreq);
- CMS.debug(method + "starts");
-+ String auditMessage = "";
-+ String auditSubjectID = auditSubjectID();
- 
- /* cert request must not be null */
- if (certreq == null) {
-@@ -742,22 +746,27 @@ public abstract class EnrollProfile extends BasicProfile
- 
- msg = " id_cmc_identification attribute value not found in";
- CMS.debug(method + msg);
-+/*
- throw new EProfileException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
- msg);
-+*/
-+ } else {
-+ ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
-+ ASN1Util.encode(ident.elementAt(0))));
- }
-- ident_s = (UTF8String) 
(ASN1Util.decode(UTF8String.getTemplate(),
-- ASN1Util.encode(ident.elementAt(0))));
-- if (ident_s == null) {
-+ if (ident == null && ident_s == null) {
- msg = " id_cmc_identification contains invalid content";
- CMS.debug(method + msg);
- SEQUENCE bpids = getRequestBpids(reqSeq);
- context.put("identification", bpids);
- 
- CMS.debug(method + msg);
-+/*
- throw new EProfileException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
- msg);
-+*/
- }
- }
- 
-@@ -776,19 +785,27 @@ public abstract class EnrollProfile extends BasicProfile
- }
- } else if (id_cmc_identityProofV2 && (attr != null)) {
- // either V2 or not V2; can't be both
-- CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;");
-- if (!id_cmc_identification) {
-+ CMS.debug(method +
-+ "not pre-signed CMC request; calling verifyIdentityProofV2;");
-+ if (!id_cmc_identification || ident_s == null) {
- SEQUENCE bpids = getRequestBpids(reqSeq);
- context.put("identification", bpids);
- context.put("identityProofV2", bpids);
- msg = "id_cmc_identityProofV2 missing id_cmc_identification";
- CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
-+ 
- throw new EProfileException(
- CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
- msg);
- }
- 
-- boolean valid = verifyIdentityProofV2(attr, ident_s,
-+ boolean valid = verifyIdentityProofV2(context, attr, ident_s,
- reqSeq);
- if (!valid) {
- SEQUENCE bpids = getRequestBpids(reqSeq);
-@@ -815,10 +832,18 @@ public abstract class EnrollProfile extends BasicProfile
- "CMS_POI_VERIFICATION_ERROR") + msg);
- } else {
- CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;");
-+ // in case it was set
-+ auditSubjectID = auditSubjectID();
- }
- } else {
- msg = "not pre-signed CMC request; missing Proof of Identification control";
- CMS.debug(method + msg);
-+ 
auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
- throw new EProfileException(CMS.getUserMessage(locale,
- "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg);
- }
-@@ -837,6 +862,13 @@ public abstract class EnrollProfile extends BasicProfile
- } else { //decPopVals == null
- msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
- CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.PROOF_OF_POSSESSION,
-+ auditSubjectID,
-+ ILogger.SUCCESS,
-+ method + msg);
-+ audit(auditMessage);
-+ 
- SEQUENCE bpids = getRequestBpids(reqSeq);
- context.put("decryptedPOP", bpids);
- }
-@@ -877,6 +909,11 @@ public abstract class EnrollProfile extends BasicProfile
- String configName = "cmc.popLinkWitnessRequired";
- CMS.debug(method + "getting :" + configName);
- popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false);
-+ if (popLinkWitnessRequired) {
-+ CMS.debug(method + "popLinkWitness(V2) required");
-+ } else {
-+ CMS.debug(method + "popLinkWitness(V2) not required");
-+ }
- } catch (Exception e) {
- // unlikely to get here
- msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
-@@ -897,8 +934,16 @@ public abstract class EnrollProfile extends BasicProfile
- !context.containsKey("POPLinkWitnessV2") &&
- !context.containsKey("POPLinkWitness")) {
- CMS.debug(method + "popLinkWitness(V2) required");
-- if (randomSeed == null) {
-- CMS.debug(method + "no randomSeed found");
-+ if (randomSeed == null || ident_s == null) {
-+ msg = "no randomSeed or identification found needed for popLinkWitness(V2)";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
-+ 
- context.put("POPLinkWitnessV2", bpids);
- return null;
- }
-@@ -913,11 +958,26 @@ public abstract class EnrollProfile extends 
BasicProfile
- else if (context.containsKey("POPLinkWitness"))
- msg = " in POPLinkWitness";
- else
-- msg = " unspecified failure from verifyPOPLinkWitness";
-+ msg = " failure from verifyPOPLinkWitness";
- 
-+ msg = msg + ": ident_s=" + ident_s;
- CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
- throw new EProfileException(CMS.getUserMessage(locale,
- "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg);
-+ } else {
-+ msg = ": ident_s=" + ident_s;
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_ID_POP_LINK_WITNESS,
-+ auditSubjectID,
-+ ILogger.SUCCESS,
-+ method + msg);
-+ audit(auditMessage);
- }
- }
- } //for
-@@ -1441,22 +1501,37 @@ public abstract class EnrollProfile extends BasicProfile
- * @author cfu
- */
- private boolean verifyIdentityProofV2(
-+ SessionContext sessionContext,
- TaggedAttribute attr,
- UTF8String ident,
- SEQUENCE reqSeq) {
- String method = "EnrollProfile:verifyIdentityProofV2: ";
-+ String msg = "";
- CMS.debug(method + " begins");
-+ boolean verified = false;
-+ String auditMessage = method;
-+ 
- if ((attr == null) ||
- (ident == null) ||
- (reqSeq == null)) {
- CMS.debug(method + "method parameters cannot be null");
-+ // this is internal error
- return false;
- }
- 
- String ident_string = ident.toString();
-+ String auditAttemptedCred = null;
- 
- SET vals = attr.getValues(); // getting the IdentityProofV2 structure
- if (vals.size() < 1) {
-+ msg = " invalid TaggedAttribute in request";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
-+ auditAttemptedCred,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
- return false;
- }
- 
-@@ -1464,18 +1539,33 @@ public abstract class EnrollProfile extends BasicProfile
- ISharedToken tokenClass = getSharedTokenClass(configName);
- 
- if (tokenClass == null) {
-- CMS.debug(method + " 
Failed to retrieve shared secret plugin class");
-+ msg = " Failed to retrieve shared secret plugin class";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
-+ auditAttemptedCred,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
- return false;
- }
- 
- String token = null;
-- if (ident_string != null)
-+ if (ident_string != null) {
-+ auditAttemptedCred = ident_string;
- token = tokenClass.getSharedToken(ident_string);
-- else
-+ } else
- token = tokenClass.getSharedToken(mCMCData);
- 
- if (token == null) {
-- CMS.debug(method + " Failed to retrieve shared secret");
-+ msg = " Failed to retrieve shared secret";
-+ CMS.debug(method + msg);
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
-+ auditAttemptedCred,
-+ ILogger.FAILURE,
-+ method + msg);
-+ audit(auditMessage);
- return false;
- }
- 
-@@ -1493,26 +1583,64 @@ public abstract class EnrollProfile extends BasicProfile
- 
- OCTET_STRING witness = idV2val.getWitness();
- if (witness == null) {
-- CMS.debug(method + " witness reurned by idV2val.getWitness is null");
-- return false;
-+ msg = " witness reurned by idV2val.getWitness is null";
-+ CMS.debug(method + msg);
-+ throw new EBaseException(msg);
- }
- 
- byte[] witness_bytes = witness.toByteArray();
- byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field
-- return verifyDigest(
-+ verified = verifyDigest(
- (ident_string != null) ? (token + ident_string).getBytes() : token.getBytes(),
- request_bytes,
- witness_bytes,
- hashAlg, macAlg);
-+ 
-+ String authMgrID =
-+ (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
-+ String auditSubjectID = null;
-+ 
-+ if (verified) {
-+ // update auditSubjectID
-+ if (sessionContext != null) {
-+ auditSubjectID = (String)
-+ sessionContext.get(SessionContext.USER_ID);
-+ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
-+ CMS.debug(method + "identity verified. 
Updating auditSubjectID"); -+ CMS.debug(method + "updated auditSubjectID is:"+ ident_string); -+ auditSubjectID = ident_string; -+ sessionContext.put(SessionContext.USER_ID, auditSubjectID); -+ } else { //very unlikely -+ CMS.debug(method + "sessionContext null; cannot update auditSubjectID"); -+ } -+ -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, -+ auditSubjectID, -+ ILogger.SUCCESS, -+ "method=" + method); -+ audit(auditMessage); -+ } else { -+ throw new EBaseException("failed to verify"); -+ } -+ return verified; - } catch (Exception e) { - CMS.debug(method + " Failed with Exception: " + e.toString()); -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION, -+ auditAttemptedCred, -+ ILogger.FAILURE, -+ method + e.toString()); -+ audit(auditMessage); - return false; - } - - } // verifyIdentityProofV2 - -- private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { -+ private boolean verifyIdentityProof( -+ TaggedAttribute attr, SEQUENCE reqSeq) { - String method = "verifyIdentityProof: "; -+ boolean verified = false; - - SET vals = attr.getValues(); - if (vals.size() < 1) -@@ -1537,7 +1665,11 @@ public abstract class EnrollProfile extends BasicProfile - byte[] b = ostr.toByteArray(); - byte[] text = ASN1Util.encode(reqSeq); - -- return verifyDigest(token.getBytes(), text, b); -+ verified = verifyDigest(token.getBytes(), text, b); -+ if (verified) {// update auditSubjectID -+ //placeholder. 
Should probably just disable this v1 method -+ } -+ return verified; - } - - public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, -@@ -1592,13 +1724,22 @@ public abstract class EnrollProfile extends BasicProfile - - p10.encode(ostream); - PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); -+ if (sigver) { -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.PROOF_OF_POSSESSION, -+ auditSubjectID, -+ ILogger.SUCCESS, -+ "method="+method); -+ audit(auditMessage); -+ } - - req.setExtData("bodyPartId", tcr.getBodyPartID()); - fillPKCS10(locale, pkcs10, info, req); - } catch (Exception e) { - CMS.debug(method + e); - // this will throw -- popFailed(locale, auditSubjectID, auditMessage, e); -+ if (sigver) -+ popFailed(locale, auditSubjectID, auditMessage, e); - } finally { - if ((sigver == true) && (tokenSwitched == true)){ - cm.setThreadToken(savedToken); -@@ -1787,8 +1928,9 @@ public abstract class EnrollProfile extends BasicProfile - public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info, - IRequest req) - throws EProfileException { -+ String method = "EnrollProfile: fillCertReqMsg: "; - try { -- CMS.debug("Start parseCertReqMsg "); -+ CMS.debug(method + "Start parseCertReqMsg "); - CertRequest certReq = certReqMsg.getCertReq(); - req.setExtData("bodyPartId", certReq.getCertReqId()); - // handle PKIArchiveOption (key archival) -@@ -1897,12 +2039,20 @@ public abstract class EnrollProfile extends BasicProfile - extensions = new CertificateExtensions(); - int numexts = certTemplate.numExtensions(); - -+ /* -+ * there seems to be an issue with constructor in Extension -+ * when feeding SubjectKeyIdentifierExtension; -+ * Special-case it -+ */ -+ OBJECT_IDENTIFIER SKIoid = -+ new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); - for (int j = 0; j < numexts; j++) { - org.mozilla.jss.pkix.cert.Extension jssext = - certTemplate.extensionAt(j); - boolean isCritical = jssext.getCritical(); - 
org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = - jssext.getExtnId(); -+ CMS.debug(method + "found extension:" + jssoid.toString()); - long[] numbers = jssoid.getNumbers(); - int[] oidNumbers = new int[numbers.length]; - -@@ -1919,8 +2069,14 @@ public abstract class EnrollProfile extends BasicProfile - jssvalue.encode(jssvalueout); - byte[] extValue = jssvalueout.toByteArray(); - -- Extension ext = -- new Extension(oid, isCritical, extValue); -+ Extension ext = null; -+ if (jssoid.equals(SKIoid)) { -+ CMS.debug(method + "found SUBJECT_KEY_IDENTIFIER extension"); -+ ext = new SubjectKeyIdentifierExtension(false, -+ jssext.getExtnValue().toByteArray()); -+ } else { -+ new Extension(oid, isCritical, extValue); -+ } - - extensions.parseExtension(ext); - } -@@ -2042,12 +2198,12 @@ public abstract class EnrollProfile extends BasicProfile - DerInputStream extIn = new DerInputStream(extB); - CertificateExtensions exts = new CertificateExtensions(extIn); - if (exts != null) { -- CMS.debug(method + "Set extensions " + exts); -+ CMS.debug(method + "PKCS10 found extensions " + exts); - // info.set(X509CertInfo.EXTENSIONS, exts); - req.setExtData(REQUEST_EXTENSIONS, exts); - } - } else { -- CMS.debug(method + "PKCS10 extension Not Found"); -+ CMS.debug(method + "PKCS10 no extension found"); - } - } - -@@ -2406,7 +2562,7 @@ public abstract class EnrollProfile extends BasicProfile - String method = "EnrollProfile: verifyPOP: "; - CMS.debug(method + "for signing keys begins."); - -- String auditMessage = null; -+ String auditMessage = method; - String auditSubjectID = auditSubjectID(); - - if (!certReqMsg.hasPop()) { -@@ -2437,7 +2593,8 @@ public abstract class EnrollProfile extends BasicProfile - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.SUCCESS); -+ ILogger.SUCCESS, -+ "method="+method); - audit(auditMessage); - } catch (Exception e) { - CMS.debug(method + "Unable to verify POP: " + e); -@@ -2446,19 +2603,21 @@ public 
abstract class EnrollProfile extends BasicProfile - CMS.debug(method + "done."); - } - -- private void popFailed(Locale locale, String auditSubjectID, String auditMessage) -+ private void popFailed(Locale locale, String auditSubjectID, String msg) - throws EProfileException { -- popFailed(locale, auditSubjectID, auditMessage, null); -+ popFailed(locale, auditSubjectID, msg, null); - } -- private void popFailed(Locale locale, String auditSubjectID, String auditMessage, Exception e) -+ private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e) - throws EProfileException { - -+ if (e != null) -+ msg = msg + e.toString(); - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -+ String auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.FAILURE); -- -+ ILogger.FAILURE, -+ msg); - audit(auditMessage); - - if (e != null) { -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -index 14484e0..635c044 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java -@@ -25,6 +25,7 @@ import java.security.cert.CertificateException; - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.ca.ICertificateAuthority; -+import com.netscape.cmsutil.crypto.CryptoUtil; - - import netscape.security.x509.CertificateX509Key; - import netscape.security.x509.KeyIdentifier; -@@ -46,30 +47,29 @@ public abstract class CAEnrollDefault extends EnrollDefault { - } - - public KeyIdentifier getKeyIdentifier(X509CertInfo info) { -+ String method = "CAEnrollDefault: getKeyIdentifier: "; - try { - CertificateX509Key ckey = (CertificateX509Key) - info.get(X509CertInfo.KEY); - X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY); -- 
MessageDigest md = MessageDigest.getInstance("SHA-1"); -- -- md.update(key.getKey()); -- byte[] hash = md.digest(); -+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); -+ if (hash == null) { -+ CMS.debug(method + -+ "CryptoUtil.generateKeyIdentifier returns null"); -+ return null; -+ } - - return new KeyIdentifier(hash); - } catch (IOException e) { -- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + -- e.toString()); -+ CMS.debug(method + e.toString()); - } catch (CertificateException e) { -- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + -- e.toString()); -- } catch (NoSuchAlgorithmException e) { -- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + -- e.toString()); -+ CMS.debug(method + e.toString()); - } - return null; - } - - public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseException { -+ String method = "CAEnrollDefault: getCAKeyIdentifier: "; - X509CertImpl caCert = ca.getCACert(); - if (caCert == null) { - // during configuration, we dont have the CA certificate -@@ -89,16 +89,11 @@ public abstract class CAEnrollDefault extends EnrollDefault { - } - } - -- try { -- MessageDigest md = MessageDigest.getInstance("SHA-1"); -- -- md.update(key.getKey()); -- byte[] hash = md.digest(); -- -- return new KeyIdentifier(hash); -- } catch (NoSuchAlgorithmException e) { -- CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + -- e.toString()); -+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); -+ if (hash == null) { -+ CMS.debug(method + -+ "CryptoUtil.generateKeyIdentifier returns null"); -+ return null; - } - return null; - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java -index a8f6a74..d787575 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java -+++ 
b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java -@@ -37,6 +37,7 @@ import com.netscape.certsrv.property.Descriptor; - import com.netscape.certsrv.property.EPropertyException; - import com.netscape.certsrv.property.IDescriptor; - import com.netscape.certsrv.request.IRequest; -+import com.netscape.cmsutil.crypto.CryptoUtil; - - /** - * This class implements an enrollment default policy -@@ -195,22 +196,26 @@ public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault { - } - - public KeyIdentifier getKeyIdentifier(X509CertInfo info) { -+ String method = "SubjectKeyIdentifierExtDefault: getKeyIdentifier: "; - try { - CertificateX509Key infokey = (CertificateX509Key) - info.get(X509CertInfo.KEY); - X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); -- MessageDigest md = MessageDigest.getInstance("SHA-1"); - -- md.update(key.getKey()); -- byte[] hash = md.digest(); -+ // "SHA-1" is default for CryptoUtil.generateKeyIdentifier. -+ // you could specify different algorithm with the alg parameter -+ // like this: -+ //byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), "SHA-256"); -+ byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); - -+ if (hash == null) { -+ CMS.debug(method + -+ "CryptoUtil.generateKeyIdentifier returns null"); -+ return null; -+ } - return new KeyIdentifier(hash); -- } catch (NoSuchAlgorithmException e) { -- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + -- e.toString()); - } catch (Exception e) { -- CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + -- e.toString()); -+ CMS.debug(method + e.toString()); - } - return null; - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -index 84a6398..2affaf3 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -+++ 
b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java -@@ -179,26 +179,27 @@ public abstract class EnrollInput implements IProfileInput { - - public void verifyPOP(Locale locale, CertReqMsg certReqMsg) - throws EProfileException { -+ String method = "EnrollInput: verifyPOP: "; - CMS.debug("EnrollInput ::in verifyPOP"); - - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - - if (!certReqMsg.hasPop()) { -- CMS.debug("CertReqMsg has not POP, return"); -+ CMS.debug(method + "CertReqMsg has not POP, return"); - return; - } - ProofOfPossession pop = certReqMsg.getPop(); - ProofOfPossession.Type popType = pop.getType(); - - if (popType != ProofOfPossession.SIGNATURE) { -- CMS.debug("not POP SIGNATURE, return"); -+ CMS.debug(method + "not POP SIGNATURE, return"); - return; - } - - try { - if (CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) { -- CMS.debug("skipPOPVerify on, return"); -+ CMS.debug(method + "skipPOPVerify on, return"); - return; - } - CMS.debug("POP verification begins:"); -@@ -207,10 +208,10 @@ public abstract class EnrollInput implements IProfileInput { - CryptoToken verifyToken = null; - String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME); - if (CryptoUtil.isInternalToken(tokenName)) { -- CMS.debug("POP verification using internal token"); -+ CMS.debug(method + "POP verification using internal token"); - certReqMsg.verify(); - } else { -- CMS.debug("POP verification using token:" + tokenName); -+ CMS.debug(method + "POP verification using token:" + tokenName); - verifyToken = CryptoUtil.getCryptoToken(tokenName); - certReqMsg.verify(verifyToken); - } -@@ -219,18 +220,20 @@ public abstract class EnrollInput implements IProfileInput { - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.SUCCESS); -+ ILogger.SUCCESS, -+ "method="+method); - audit(auditMessage); - } catch (Exception e) { - -- 
CMS.debug("Failed POP verify! " + e.toString()); -+ CMS.debug(method + "Failed POP verify! " + e.toString()); - CMS.debug(e); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.FAILURE); -+ ILogger.FAILURE, -+ method + e.toString()); - - audit(auditMessage); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -index 70a4a42..c57c532 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java -@@ -23,17 +23,6 @@ import java.io.IOException; - import java.security.InvalidKeyException; - import java.security.cert.CertificateException; - --import netscape.security.util.ObjectIdentifier; --import netscape.security.x509.CertificateExtensions; --import netscape.security.x509.CertificateSubjectName; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.CertificateVersion; --import netscape.security.x509.CertificateX509Key; --import netscape.security.x509.Extension; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertInfo; --import netscape.security.x509.X509Key; -- - import org.mozilla.jss.asn1.INTEGER; - import org.mozilla.jss.asn1.InvalidBERException; - import org.mozilla.jss.asn1.SEQUENCE; -@@ -56,6 +45,17 @@ import com.netscape.certsrv.request.IRequest; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.ECMSGWException; - -+import netscape.security.util.ObjectIdentifier; -+import netscape.security.x509.CertificateExtensions; -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.CertificateValidity; -+import netscape.security.x509.CertificateVersion; -+import netscape.security.x509.CertificateX509Key; -+import 
netscape.security.x509.Extension; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertInfo; -+import netscape.security.x509.X509Key; -+ - /** - * Process CRMF requests, according to RFC 2511 - * See http://www.ietf.org/rfc/rfc2511.txt -@@ -98,6 +98,7 @@ public class CRMFProcessor extends PKIProcessor { - */ - private void verifyPOP(CertReqMsg certReqMsg) - throws EBaseException { -+ String method = "CRMFProcessor: verifyPOP: "; - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - -@@ -118,7 +119,8 @@ public class CRMFProcessor extends PKIProcessor { - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.SUCCESS); -+ ILogger.SUCCESS, -+ "method=" + method); - - audit(auditMessage); - } catch (Exception e) { -@@ -131,7 +133,8 @@ public class CRMFProcessor extends PKIProcessor { - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.FAILURE); -+ ILogger.FAILURE, -+ method + e.toString()); - - audit(auditMessage); - -@@ -148,7 +151,8 @@ public class CRMFProcessor extends PKIProcessor { - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.FAILURE); -+ ILogger.FAILURE, -+ method + "required POP missing"); - - audit(auditMessage); - -@@ -161,7 +165,8 @@ public class CRMFProcessor extends PKIProcessor { - auditMessage = CMS.getLogMessage( - AuditEvent.PROOF_OF_POSSESSION, - auditSubjectID, -- ILogger.FAILURE); -+ ILogger.FAILURE, -+ method + eAudit1.toString()); - - audit(auditMessage); - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 0e101ed..93039a4 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -39,12 +39,16 
@@ import org.mozilla.jss.pkix.cmc.OtherInfo; - import org.mozilla.jss.pkix.cmc.TaggedAttribute; - - import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.EInvalidCredentials; -+import com.netscape.certsrv.authentication.EMissingCredential; - import com.netscape.certsrv.authentication.IAuthManager; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AuthFailEvent; -+import com.netscape.certsrv.logging.event.AuthSuccessEvent; - import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; -@@ -143,6 +147,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - public IAuthToken authenticate(IProfileAuthenticator authenticator, - HttpServletRequest request) throws EBaseException { -+ String method = "ProfileSubmitCMCServlet: authenticate: "; - AuthCredentials credentials = new AuthCredentials(); - - // build credential -@@ -158,15 +163,47 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - credentials.set(authName, request.getParameter(authName)); - } - } -- IAuthToken authToken = authenticator.authenticate(credentials); - -+ IAuthToken authToken = null; -+ String auditSubjectID = null; -+ String authMgrID = authenticator.getName(); - SessionContext sc = SessionContext.getContext(); -- if (sc != null) { -- sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName()); -- String userid = authToken.getInString(IAuthToken.USER_ID); -- if (userid != null) { -- sc.put(SessionContext.USER_ID, userid); -+ -+ try { -+ authToken = authenticator.authenticate(credentials); -+ if (sc != null) { -+ sc.put(SessionContext.AUTH_MANAGER_ID, authMgrID); -+ 
auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -+ if (auditSubjectID != null) { -+ CMS.debug(method + "setting auditSubjectID in SessionContext:" + -+ auditSubjectID); -+ sc.put(SessionContext.USER_ID, auditSubjectID); -+ } else { -+ CMS.debug(method + "no auditSubjectID found in authToken"); -+ } -+ } -+ -+ if (!auditSubjectID.equals(ILogger.UNIDENTIFIED) && -+ !auditSubjectID.equals(ILogger.NONROLEUSER)) { -+ audit(new AuthSuccessEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ authMgrID)); -+ } -+ -+ } catch (EBaseException e) { -+ CMS.debug(method + e); -+ String attempted_auditSubjectID = null; -+ if (sc != null) { -+ attempted_auditSubjectID = -+ (String) sc.get(SessionContext.USER_ID); - } -+ audit(new AuthFailEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ authMgrID, -+ attempted_auditSubjectID)); -+ throw(e); - } - - return authToken; -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 1a5b37a..6bc2d82 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2181,9 +2181,18 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3=:[AuditEvent=AUTH_SUCCESS - LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval - # - # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION --# - used when proof of possession is checked during certificate enrollment -+# - used for proof of possession during certificate enrollment processing - # --LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}] checking proof of possession -+LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession -+# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION -+# - used for proof of identification during CMC request processing -+# - In case of success, 
"SubjectID" is the actual identified identification; -+# - In case of failure, "SubjectID" is the attempted identification -+# -+LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request -+# - used for identification and POP linking verification during CMC request processing -+# -+LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification - # - # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL - # - used when CRLs are retrieved by the OCSP Responder -@@ -2235,7 +2244,16 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification -+# -+# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY -+# - used when CMC (user-signed or self-signed) certificate requests or revocation requests -+# are submitted and signature is verified -+# ReqType must be the request type (enrollment, or revocation) -+# CertSubject must be the certificate subject name of the certificate request -+# SignerInfo must be a unique String representation for the signer -+# -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success 
-+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure - - # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST - # - used for TPS to TKS to get random challenge data -diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java -index 6dabd0c..177d540 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java -@@ -1032,13 +1032,17 @@ public class KeyCertUtil { - - public static KeyIdentifier createKeyIdentifier(KeyPair keypair) - throws NoSuchAlgorithmException, InvalidKeyException { -- MessageDigest md = MessageDigest.getInstance("SHA-1"); - X509Key subjectKeyInfo = convertPublicKeyToX509Key( - keypair.getPublic()); - -- //md.update(subjectKeyInfo.getEncoded()); -- md.update(subjectKeyInfo.getKey()); -- return new KeyIdentifier(md.digest()); -+ byte[] hash = CryptoUtil.generateKeyIdentifier(subjectKeyInfo.getKey()); -+ -+ if (hash == null) { -+ CMS.debug("KeyCertUtil: createKeyIdentifier " + -+ "CryptoUtil.generateKeyIdentifier returns null"); -+ return null; -+ } -+ return new KeyIdentifier(hash); - } - - public static BigInteger getSerialNumber(LDAPConnection conn, String baseDN) -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index e529a0f..8b8c443 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -27,6 +27,7 @@ import java.net.SocketException; - import java.security.InvalidAlgorithmParameterException; - import java.security.InvalidKeyException; - import java.security.KeyPair; -+import 
java.security.MessageDigest; - import java.security.NoSuchAlgorithmException; - import java.security.NoSuchProviderException; - import java.security.PublicKey; -@@ -127,6 +128,7 @@ import netscape.security.util.DerValue; - import netscape.security.util.ObjectIdentifier; - import netscape.security.util.WrappingParams; - import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.CertAttrSet; - import netscape.security.x509.CertificateAlgorithmId; - import netscape.security.x509.CertificateChain; - import netscape.security.x509.CertificateExtensions; -@@ -136,7 +138,11 @@ import netscape.security.x509.CertificateSubjectName; - import netscape.security.x509.CertificateValidity; - import netscape.security.x509.CertificateVersion; - import netscape.security.x509.CertificateX509Key; -+import netscape.security.x509.Extension; - import netscape.security.x509.Extensions; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.SubjectKeyIdentifierExtension; - import netscape.security.x509.X500Name; - import netscape.security.x509.X500Signer; - import netscape.security.x509.X509CertImpl; -@@ -1536,10 +1542,33 @@ public class CryptoUtil { - * This createCertificationRequest() allows extensions to be added to the CSR - */ - public static PKCS10 createCertificationRequest(String subjectName, -+ KeyPair keyPair, Extensions exts) -+ throws NoSuchAlgorithmException, NoSuchProviderException, -+ InvalidKeyException, IOException, CertificateException, -+ SignatureException { -+ String method = "CryptoUtil: createCertificationRequest: "; -+ -+ String alg = "SHA256withRSA"; -+ PublicKey pubk = keyPair.getPublic(); -+ X509Key key = convertPublicKeyToX509Key(pubk); -+ if (pubk instanceof RSAPublicKey) { -+ alg = "SHA256withRSA"; -+ } else if (isECCKey(key)) { -+ alg = "SHA256withEC"; -+ } else { -+ throw new NoSuchAlgorithmException(method + alg); -+ } -+ -+ return createCertificationRequest( -+ 
subjectName, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(), -+ alg, exts); -+ } -+ -+ public static PKCS10 createCertificationRequest(String subjectName, - X509Key pubk, PrivateKey prik, String alg, Extensions exts) - throws NoSuchAlgorithmException, NoSuchProviderException, -- InvalidKeyException, IOException, CertificateException, -- SignatureException { -+ InvalidKeyException, IOException, CertificateException, -+ SignatureException { - X509Key key = pubk; - java.security.Signature sig = java.security.Signature.getInstance(alg, - "Mozilla-JSS"); -@@ -1548,11 +1577,12 @@ public class CryptoUtil { - PKCS10 pkcs10 = null; - - if (exts != null && !exts.isEmpty()) { -- PKCS10Attribute attr = new -- PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, -- exts); -+ PKCS10Attribute attr = new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, -+ exts); - PKCS10Attributes attrs = new PKCS10Attributes(); - -+ System.out.println("PKCS10: createCertificationRequest: adding attribute name =" + -+ attr.getAttributeValue().getName()); - attrs.setAttribute(attr.getAttributeValue().getName(), attr); - - pkcs10 = new PKCS10(key, attrs); -@@ -1566,6 +1596,51 @@ public class CryptoUtil { - return pkcs10; - } - -+ public static KeyIdentifier createKeyIdentifier(KeyPair keypair) -+ throws NoSuchAlgorithmException, InvalidKeyException { -+ String method = "CryptoUtil: createKeyIdentifier: "; -+ System.out.println(method + "begins"); -+ -+ X509Key subjectKeyInfo = convertPublicKeyToX509Key( -+ keypair.getPublic()); -+ -+ byte[] hash = generateKeyIdentifier(subjectKeyInfo.getKey()); -+ -+ if (hash == null) { -+ System.out.println(method + -+ "generateKeyIdentifier returns null"); -+ return null; -+ } -+ return new KeyIdentifier(hash); -+ } -+ -+ public static byte[] generateKeyIdentifier(byte[] rawKey) { -+ return generateKeyIdentifier(rawKey, null); -+ } -+ -+ public static byte[] generateKeyIdentifier(byte[] rawKey, String alg) { -+ String method = "CryptoUtil: 
generateKeyIdentifier: "; -+ String msg = ""; -+ if (alg == null) { -+ alg = "SHA-1"; -+ } -+ try { -+ MessageDigest md = MessageDigest.getInstance(alg); -+ -+ md.update(rawKey); -+ byte[] hash = md.digest(); -+ -+ return hash; -+ } catch (NoSuchAlgorithmException e) { -+ msg = method + e; -+ System.out.println(msg); -+ } catch (Exception e) { -+ msg = method + e; -+ System.out.println(msg); -+ } -+ return null; -+ } -+ - /** - * Creates a PKCS#10 request. - */ -@@ -1611,6 +1686,102 @@ public class CryptoUtil { - return pkcs10; - } - -+ /* -+ * get extention from PKCS10 request -+ */ -+ public static netscape.security.x509.Extension getExtensionFromPKCS10(PKCS10 pkcs10, String extnName) -+ throws IOException, CertificateException { -+ Extension extn = null; -+ -+ String method = "CryptoUtiil: getExtensionFromPKCS10: "; -+ System.out.println(method + "begins"); -+ -+ PKCS10Attributes attributeSet = pkcs10.getAttributes(); -+ if (attributeSet == null) { -+ System.out.println(method + "attributeSet not found"); -+ return null; -+ } -+ PKCS10Attribute attr = attributeSet.getAttribute("extensions"); -+ if (attr == null) { -+ System.out.println(method + "extensions attribute not found"); -+ return null; -+ } -+ System.out.println(method + attr.toString()); -+ -+ CertAttrSet cas = attr.getAttributeValue(); -+ if (cas == null) { -+ System.out.println(method + "CertAttrSet not found in PKCS10Attribute"); -+ return null; -+ } -+ -+ Enumeration en = cas.getAttributeNames(); -+ while (en.hasMoreElements()) { -+ String name = en.nextElement(); -+ System.out.println(method + " checking extension in request:" + name); -+ if (name.equals(extnName)) { -+ System.out.println(method + "extension matches"); -+ extn = (Extension)cas.get(name); -+ } -+ } -+ -+ System.out.println(method + "ends"); -+ return extn; -+ } -+ -+ /* -+ * get extension from CRMF cert request (CertTemplate) -+ */ -+ public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate 
certTemplate, ObjectIdentifier csOID) { -+ //ObjectIdentifier csOID = PKIXExtensions.SubjectKey_Id; -+ OBJECT_IDENTIFIER jssOID = -+ new OBJECT_IDENTIFIER(csOID.toString()); -+/* -+ return getExtensionFromCertTemplate(certTemplate, jssOID); -+ } -+ public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssOID) { -+*/ -+ -+ String method = "CryptoUtil: getSKIExtensionFromCertTemplate: "; -+ Extension extn = null; -+ -+ /* -+ * there seems to be an issue with constructor in Extension -+ * when feeding SubjectKeyIdentifierExtension; -+ * Special-case it -+ */ -+ OBJECT_IDENTIFIER SKIoid = -+ new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); -+ -+ if (certTemplate.hasExtensions()) { -+ int numexts = certTemplate.numExtensions(); -+ for (int j = 0; j < numexts; j++) { -+ org.mozilla.jss.pkix.cert.Extension jssext = -+ certTemplate.extensionAt(j); -+ org.mozilla.jss.asn1.OBJECT_IDENTIFIER extnoid = -+ jssext.getExtnId(); -+ System.out.println(method + "checking extension in request:" + extnoid.toString()); -+ if (extnoid.equals(jssOID)) { -+ System.out.println(method + "extension found"); -+ try { -+ if (jssOID.equals(SKIoid)) { -+ extn = -+ new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray()); -+ } else { -+ extn = -+ new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray()); -+ } -+ } catch (IOException e) { -+ System.out.println(method + e); -+ } -+ } -+ } -+ } else { -+ System.out.println(method + "no extension found"); -+ } -+ -+ return extn; -+ } -+ - public static void unTrustCert(InternalCertificate cert) { - // remove TRUSTED_CA - int flag = cert.getSSLTrust(); -diff --git a/base/util/src/netscape/security/pkcs/PKCS10.java b/base/util/src/netscape/security/pkcs/PKCS10.java -index 0702e82..10933b0 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS10.java -+++ 
b/base/util/src/netscape/security/pkcs/PKCS10.java -@@ -123,6 +123,13 @@ public class PKCS10 { - byte sigData[]; - Signature sig; - -+ String method = "PKCS10: PKCS10: "; -+ String msg = ""; -+ -+ System.out.println(method + "begins"); -+ if (data == null) { -+ throw new IllegalArgumentException(method + "param data cann't be null"); -+ } - certificateRequest = data; - - // -@@ -131,9 +138,12 @@ public class PKCS10 { - // - in = new DerInputStream(data); - seq = in.getSequence(3); -+ if (seq == null) { -+ throw new IllegalArgumentException(method + "in.getSequence null"); -+ } - - if (seq.length != 3) -- throw new IllegalArgumentException("not a PKCS #10 request"); -+ throw new IllegalArgumentException(method + "not a PKCS #10 request"); - - data = seq[0].toByteArray(); // reusing this variable - certRequestInfo = seq[0].toByteArray(); // make a copy -@@ -152,20 +162,22 @@ public class PKCS10 { - */ - - subject = new X500Name(seq[0].data); -+ msg = "Request Subject: " + subject + ": "; - - byte val1[] = seq[0].data.getDerValue().toByteArray(); - subjectPublicKeyInfo = X509Key.parse(new DerValue(val1)); - PublicKey publicKey = X509Key.parsePublicKey(new DerValue(val1)); - if (publicKey == null) { -- System.out.println("PKCS10: publicKey null"); -- throw new SignatureException ("publicKey null"); -+ System.out.println(method + msg + "publicKey null"); -+ throw new SignatureException (method + msg + "publicKey null"); - } - - // Cope with a somewhat common illegal PKCS #10 format -- if (seq[0].data.available() != 0) -+ if (seq[0].data.available() != 0) { - attributeSet = new PKCS10Attributes(seq[0].data); -- else -+ } else { - attributeSet = new PKCS10Attributes(); -+ } - - // - // OK, we parsed it all ... 
validate the signature using the -@@ -202,14 +214,15 @@ public class PKCS10 { - sig.initVerify(publicKey); - sig.update(data); - if (!sig.verify(sigData)) { -- System.out.println("PKCS10: sig.verify() failed"); -- throw new SignatureException("Invalid PKCS #10 signature"); -+ System.out.println(method + msg + "sig.verify() failed"); -+ throw new SignatureException(method + msg + "Invalid PKCS #10 signature"); - } - } - } catch (InvalidKeyException e) { -- System.out.println("PKCS10: "+ e.toString()); -- throw new SignatureException("invalid key"); -+ System.out.println(method + msg + e.toString()); -+ throw new SignatureException(method + msg + "invalid key"); - } -+ System.out.println(method + "ends"); - } - - public PKCS10(byte data[]) -diff --git a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java -index 4c97218..45d5695 100644 ---- a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java -+++ b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java -@@ -66,6 +66,8 @@ public class PKCS10Attributes extends Vector implements DerEnco - for (int i = 0; i < attrs.length; i++) { - PKCS10Attribute attr = new PKCS10Attribute(attrs[i]); - addElement(attr); -+ System.out.println("PKCS10Attributes: adding attribute: " + -+ attr.getAttributeValue().getName()); - map.put(attr.getAttributeValue().getName(), attr); - } - } --- -1.8.3.1 - - -From 8751cd2c5cc0c41c5d85724fddfd5d872ad994ed Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 17 May 2017 16:30:52 +0200 -Subject: [PATCH 17/27] Fixed CERT_REQUEST_PROCESSED events in - ConnectorServlet. - -The code that generates CERT_REQUEST_PROCESSED events in -ConnectorServlet.processRequest() has been moved into a finally- -clause that wraps around IRequestQueue.processRequest() to ensure -that the events are generated properly. 
- -If a cert was issued for the request that has just been processed -the event outcome is a Success, otherwise it's a Failure. - -Any exception thrown by the IRequestQueue.processRequest() will be -passed to the ConnectorServlet.processRequest()'s callers. - -https://pagure.io/dogtagpki/issue/2690 - -Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e ---- - .../cms/servlet/connector/ConnectorServlet.java | 19 +++++-------------- - 1 file changed, 5 insertions(+), 14 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -index eeb640e..82f3071 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java -@@ -617,6 +617,8 @@ public class ConnectorServlet extends CMSServlet { - try { - queue.processRequest(thisreq); - -+ } finally { -+ - if (isProfileRequest(thisreq)) { - - X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -@@ -629,28 +631,17 @@ public class ConnectorServlet extends CMSServlet { - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - x509cert)); -- } -- } - -- } catch (EBaseException eAudit1) { -- if (isProfileRequest(thisreq)) { -- -- X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT); -- -- if (x509cert != null) { -+ } else { - - audit(new CertRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, -- ILogger.SIGNED_AUDIT_ACCEPTANCE, -- x509cert)); -+ ILogger.SIGNED_AUDIT_REJECTION, -+ ILogger.SIGNED_AUDIT_EMPTY_VALUE)); - } - } -- -- // rethrow EBaseException to primary catch clause -- // within this method -- throw eAudit1; - } - - replymsg = CMS.getHttpPKIMessage(); --- -1.8.3.1 - - -From 579ed7eed16c9fc6e02928f71656d2a326d68c22 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Tue, 16 May 2017 02:42:12 +0200 -Subject: [PATCH 18/27] Added CertStatusChangeRequestProcessedEvent. - -A new CertStatusChangeRequestProcessedEvent class has been added to -encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events. - -https://pagure.io/dogtagpki/issue/2636 - -Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 2 - - .../CertStatusChangeRequestProcessedEvent.java | 52 ++++++++++++++++++++ - .../cms/servlet/cert/CMCRevReqServlet.java | 55 +++++++++------------- - .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 33 +++++-------- - .../netscape/cms/servlet/cert/DoUnrevokeTPS.java | 17 +++---- - .../cms/servlet/cert/RevocationProcessor.java | 8 ++-- - 6 files changed, 98 insertions(+), 69 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 059363e..21cac27 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -105,8 +105,6 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; - public final static String CERT_STATUS_CHANGE_REQUEST = - "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5"; -- public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; - - public final static String AUTHZ_SUCCESS = - "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java -new file mode 100644 -index 0000000..f583ad2 ---- /dev/null -+++ 
b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java -@@ -0,0 +1,52 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.request.RequestStatus; -+ -+public class CertStatusChangeRequestProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7"; -+ -+ public CertStatusChangeRequestProcessedEvent( -+ String subjectID, -+ String outcome, -+ String requesterID, -+ String serialNumber, -+ String requestType, -+ String reasonNum, -+ RequestStatus approvalStatus) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requesterID, -+ serialNumber, -+ requestType, -+ reasonNum, -+ approvalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : approvalStatus.toString() -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -index f4d7f8f..24ba494 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -@@ -31,13 +31,6 @@ import javax.servlet.ServletOutputStream; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - --import netscape.security.x509.CRLExtensions; --import netscape.security.x509.CRLReasonExtension; --import netscape.security.x509.InvalidityDateExtension; --import netscape.security.x509.RevocationReason; --import netscape.security.x509.RevokedCertImpl; --import netscape.security.x509.X509CertImpl; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.EMissingCredential; -@@ -56,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.ra.IRegistrationAuthority; - import com.netscape.certsrv.request.IRequest; -@@ -69,6 +63,13 @@ import com.netscape.cms.servlet.common.CMSTemplateParams; - import com.netscape.cms.servlet.common.ECMSGWException; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.x509.CRLExtensions; -+import netscape.security.x509.CRLReasonExtension; -+import netscape.security.x509.InvalidityDateExtension; -+import netscape.security.x509.RevocationReason; -+import netscape.security.x509.RevokedCertImpl; -+import 
netscape.security.x509.X509CertImpl; -+ - /** - * Revoke a certificate with a CMC-formatted revocation request - * -@@ -810,17 +811,15 @@ public class CMCRevReqServlet extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - - } catch (CertificateException e) { -@@ -844,17 +843,15 @@ public class CMCRevReqServlet extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -@@ -882,17 +879,15 @@ public class CMCRevReqServlet extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -@@ -921,17 +916,15 @@ public class CMCRevReqServlet extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -@@ -957,17 +950,15 @@ public class CMCRevReqServlet extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -index 68ac6da..a9a6238 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -557,17 +558,15 @@ public class DoRevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - - return; -@@ -748,17 +747,15 @@ public class DoRevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } catch (EBaseException e) { - log(ILogger.LL_FAILURE, "error " + e); -@@ -783,17 +780,15 @@ public class DoRevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? 
ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -@@ -822,17 +817,15 @@ public class DoRevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -index 30bde76..36a6802 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java -@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -461,17 +462,15 @@ public class DoUnrevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, 
- auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - - } catch (EBaseException eAudit1) { -@@ -495,17 +494,15 @@ public class DoUnrevokeTPS extends CMSServlet { - if (auditApprovalStatus == RequestStatus.COMPLETE || - auditApprovalStatus == RequestStatus.REJECTED || - auditApprovalStatus == RequestStatus.CANCELED) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED, -+ -+ audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString()); -- -- audit(auditMessage); -+ auditApprovalStatus)); - } - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -index b90966e..570aea2 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java -@@ -39,6 +39,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -505,17 +506,14 @@ public class RevocationProcessor extends CertProcessor { - || requestStatus == RequestStatus.REJECTED - || requestStatus == RequestStatus.CANCELED)) return; - -- String auditMessage = CMS.getLogMessage( -- 
AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
-+ auditor.log(new CertStatusChangeRequestProcessedEvent(
- auditor.getSubjectID(),
- status,
- requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
- serialNumber == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : serialNumber.toHexString(),
- requestType,
- String.valueOf(revocationReason.toInt()),
-- requestStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : requestStatus.toString());
--
-- auditor.log(auditMessage);
-+ requestStatus));
- }
-
- public void log(int level, String message) {
---
-1.8.3.1
-
-
-From 0b32d55d6c41dcdfbd63840a6681b12ad6675946 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 17 May 2017 22:06:38 +0200
-Subject: [PATCH 19/27] Refactored RevocationRequestListener.accept().
-
-The RevocationRequestListener.accept() has been refactored to
-reduce deeply nested if-statements with early return.
-
-https://pagure.io/dogtagpki/issue/2651
-
-Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
---
 base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-index a593eb8..d105386 100644
---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-@@ -3068,10 +3068,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
- public void accept(IRequest r) {
- String requestType = r.getRequestType();
-
-- if (requestType.equals(IRequest.REVOCATION_REQUEST) ||
-+ if (!(requestType.equals(IRequest.REVOCATION_REQUEST) ||
- requestType.equals(IRequest.UNREVOCATION_REQUEST) ||
- requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) ||
-- requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) {
-+ requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST))) {
-+ return;
-+ }
-+
- CMS.debug("Revocation listener called.");
- // check if serial number is in begin/end 
range if set.
- if (mBeginSerial != null || mEndSerial != null) {
-@@ -3136,7 +3139,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
- CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())));
- }
- }
-- }
- }
- }
- }
---
-1.8.3.1
-
-
-From 0af026413a65386a0e8c8aba81fe667412ef7f0d Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 17 May 2017 22:12:19 +0200
-Subject: [PATCH 20/27] Reformatted RevocationRequestListener.accept().
-
-The RevocationRequestListener.accept() has been reformatted to
-adjust the indentations after refactoring.
-
-https://pagure.io/dogtagpki/issue/2651
-
-Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
---
 base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 142 +++++++++++------------
- 1 file changed, 71 insertions(+), 71 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-index d105386..64101d7 100644
---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-@@ -31,23 +31,6 @@ import java.util.StringTokenizer;
- import java.util.TimeZone;
- import java.util.Vector;
-
--import netscape.security.util.BitArray;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.CRLExtensions;
--import netscape.security.x509.CRLNumberExtension;
--import netscape.security.x509.CRLReasonExtension;
--import netscape.security.x509.DeltaCRLIndicatorExtension;
--import netscape.security.x509.Extension;
--import netscape.security.x509.FreshestCRLExtension;
--import netscape.security.x509.IssuingDistributionPoint;
--import netscape.security.x509.IssuingDistributionPointExtension;
--import netscape.security.x509.RevocationReason;
--import netscape.security.x509.RevokedCertImpl;
--import netscape.security.x509.RevokedCertificate;
--import netscape.security.x509.X509CRLImpl;
--import netscape.security.x509.X509CertImpl;
--import 
netscape.security.x509.X509ExtensionException; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -@@ -83,6 +66,23 @@ import com.netscape.cmscore.dbs.CertRecord; - import com.netscape.cmscore.dbs.CertificateRepository; - import com.netscape.cmscore.util.Debug; - -+import netscape.security.util.BitArray; -+import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.CRLExtensions; -+import netscape.security.x509.CRLNumberExtension; -+import netscape.security.x509.CRLReasonExtension; -+import netscape.security.x509.DeltaCRLIndicatorExtension; -+import netscape.security.x509.Extension; -+import netscape.security.x509.FreshestCRLExtension; -+import netscape.security.x509.IssuingDistributionPoint; -+import netscape.security.x509.IssuingDistributionPointExtension; -+import netscape.security.x509.RevocationReason; -+import netscape.security.x509.RevokedCertImpl; -+import netscape.security.x509.RevokedCertificate; -+import netscape.security.x509.X509CRLImpl; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509ExtensionException; -+ - /** - * This class encapsulates CRL issuing mechanism. CertificateAuthority - * contains a map of CRLIssuingPoint indexed by string ids. Each issuing -@@ -3075,70 +3075,70 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - return; - } - -- CMS.debug("Revocation listener called."); -- // check if serial number is in begin/end range if set. -- if (mBeginSerial != null || mEndSerial != null) { -- CMS.debug( -- "Checking if serial number is between " + -- mBeginSerial + " and " + mEndSerial); -- BigInteger[] serialNos = -- r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); -+ CMS.debug("Revocation listener called."); -+ // check if serial number is in begin/end range if set. 
-+ if (mBeginSerial != null || mEndSerial != null) { -+ CMS.debug( -+ "Checking if serial number is between " + -+ mBeginSerial + " and " + mEndSerial); -+ BigInteger[] serialNos = -+ r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); - -- if (serialNos == null || serialNos.length == 0) { -- X509CertImpl oldCerts[] = -- r.getExtDataInCertArray(IRequest.OLD_CERTS); -+ if (serialNos == null || serialNos.length == 0) { -+ X509CertImpl oldCerts[] = -+ r.getExtDataInCertArray(IRequest.OLD_CERTS); - -- if (oldCerts == null || oldCerts.length == 0) -- return; -- serialNos = new BigInteger[oldCerts.length]; -- for (int i = 0; i < oldCerts.length; i++) { -- serialNos[i] = oldCerts[i].getSerialNumber(); -- } -+ if (oldCerts == null || oldCerts.length == 0) -+ return; -+ serialNos = new BigInteger[oldCerts.length]; -+ for (int i = 0; i < oldCerts.length; i++) { -+ serialNos[i] = oldCerts[i].getSerialNumber(); - } -+ } - -- boolean inRange = false; -+ boolean inRange = false; - -- for (int i = 0; i < serialNos.length; i++) { -- if ((mBeginSerial == null || -- serialNos[i].compareTo(mBeginSerial) >= 0) && -- (mEndSerial == null || -- serialNos[i].compareTo(mEndSerial) <= 0)) { -- inRange = true; -- } -- } -- if (!inRange) { -- return; -+ for (int i = 0; i < serialNos.length; i++) { -+ if ((mBeginSerial == null || -+ serialNos[i].compareTo(mBeginSerial) >= 0) && -+ (mEndSerial == null || -+ serialNos[i].compareTo(mEndSerial) <= 0)) { -+ inRange = true; - } - } -+ if (!inRange) { -+ return; -+ } -+ } - -- if (mAlwaysUpdate) { -- try { -- updateCRLNow(); -- r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); -- if (mPublisherProcessor != null) { -- r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); -- } -- } catch (EErrorPublishCRL e) { -- // error already logged in updateCRLNow(); -- r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); -- if (mPublisherProcessor != null) { -- r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); -- r.setExtData(mCrlPublishError, e); -- } 
-- } catch (EBaseException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); -- r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); -- r.setExtData(mCrlUpdateError, e); -- } catch (Exception e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); -- if (Debug.on()) -- Debug.printStackTrace(e); -- r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); -- r.setExtData(mCrlUpdateError, -- new EBaseException( -- CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); -+ if (mAlwaysUpdate) { -+ try { -+ updateCRLNow(); -+ r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); -+ if (mPublisherProcessor != null) { -+ r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); -+ } -+ } catch (EErrorPublishCRL e) { -+ // error already logged in updateCRLNow(); -+ r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); -+ if (mPublisherProcessor != null) { -+ r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); -+ r.setExtData(mCrlPublishError, e); - } -+ } catch (EBaseException e) { -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); -+ r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); -+ r.setExtData(mCrlUpdateError, e); -+ } catch (Exception e) { -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); -+ if (Debug.on()) -+ Debug.printStackTrace(e); -+ r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); -+ r.setExtData(mCrlUpdateError, -+ new EBaseException( -+ CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); - } -+ } - } - } - } --- -1.8.3.1 - - -From ea036b22d7d15cefb8f7a56e9c9781b545dec8ee Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Wed, 17 May 2017 17:17:42 -0600 -Subject: [PATCH 21/27] Correct section headings in user deployment - configuration file - -Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation -dogtagpki Pagure Issue #2674 - CA brought 
down during separate KRA instance - creation ---- - base/server/sbin/pkispawn | 39 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 39 insertions(+) - -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 9394b8e..9e2ebc8 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -30,9 +30,12 @@ if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: - print("Please upgrade to at least Python 2.7.0.") - sys.exit(1) - try: -+ import fileinput - import ldap - import os - import requests -+ import time -+ from time import strftime as date - import traceback - import pki - from pki.server.deployment import pkiconfig as config -@@ -105,6 +108,8 @@ def main(argv): - interactive = True - parser.indent = 0 - print(log.PKISPAWN_INTERACTIVE_INSTALLATION) -+ else: -+ sanitize_user_deployment_cfg(config.user_deployment_cfg) - - # Only run this program as "root". - if not os.geteuid() == 0: -@@ -574,6 +579,40 @@ def main(argv): - print_final_install_information(parser.mdict) - - -+def sanitize_user_deployment_cfg(cfg): -+ # Generate a timestamp -+ ticks = time.time() -+ timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) -+ -+ # Correct any section headings in the user's configuration file -+ for line in fileinput.FileInput(cfg, inplace=1, backup='.' 
+ timestamp): -+ # Remove extraneous leading and trailing whitespace from all lines -+ line = line.strip() -+ # Normalize section headings to match '/etc/pki/default.cfg' -+ if line.startswith("["): -+ if line.upper().startswith("[DEFAULT"): -+ line = "[DEFAULT]" -+ elif line.upper().startswith("[TOMCAT"): -+ line = "[Tomcat]" -+ elif line.upper().startswith("[CA"): -+ line = "[CA]" -+ elif line.upper().startswith("[KRA"): -+ line = "[KRA]" -+ elif line.upper().startswith("[OCSP"): -+ line = "[OCSP]" -+ elif line.upper().startswith("[RA"): -+ line = "[RA]" -+ elif line.upper().startswith("[TKS"): -+ line = "[TKS]" -+ elif line.upper().startswith("[TPS"): -+ line = "[TPS]" -+ else: -+ # Notify user of the existence of an invalid section heading -+ sys.stderr.write("'%s' contains an invalid section " -+ "heading called '%s'!\n" % (cfg, line)) -+ print(line) -+ -+ - def start_logging(): - # Enable 'pkispawn' logging. - config.pki_log_dir = config.pki_root_prefix + \ --- -1.8.3.1 - - -From 202c747564868432df93c6cf272fcd9d2979d8d8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 May 2017 00:09:29 +0200 -Subject: [PATCH 22/27] Added debug logs for UpdateCRL servlet. - -Some debug logs have been added into UpdateCRL servlet to improve -code clarity. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839 ---- - .../com/netscape/cms/servlet/cert/UpdateCRL.java | 46 ++++++++++++++++++++-- - 1 file changed, 43 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index 7faecf1..b4d9d29 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -294,6 +294,7 @@ public class UpdateCRL extends CMSServlet { - String signatureAlgorithm, - Locale locale) - throws EBaseException { -+ - long startTime = CMS.getCurrentDate().getTime(); - String waitForUpdate = - req.getParameter("waitForUpdate"); -@@ -322,6 +323,7 @@ public class UpdateCRL extends CMSServlet { - crlIssuingPointId = null; - } - } -+ - if (crlIssuingPointId == null) { - crlIssuingPointId = ICertificateAuthority.PROP_MASTER_CRL; - } -@@ -336,39 +338,61 @@ public class UpdateCRL extends CMSServlet { - return; - } - -+ CMS.debug("UpdateCRL: CRL issuing point: " + crlIssuingPoint.getId()); -+ - if (clearCache != null && clearCache.equals("true") && - crlIssuingPoint.isCRLGenerationEnabled() && - crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && - crlIssuingPoint.isCRLIssuingPointInitialized() - == ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ -+ CMS.debug("UpdateCRL: clearing CRL cache"); - crlIssuingPoint.clearCRLCache(); - } -+ - if (!(waitForUpdate != null && waitForUpdate.equals("true") && - crlIssuingPoint.isCRLGenerationEnabled() && - crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE && - crlIssuingPoint.isCRLIssuingPointInitialized() - == ICRLIssuingPoint.CRL_IP_INITIALIZED)) { -+ - if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) { -+ -+ CMS.debug("UpdateCRL: CRL issuing point not initialized"); - 
header.addStringValue("crlUpdate", "notInitialized"); -+ - } else if (crlIssuingPoint.isCRLUpdateInProgress() - != ICRLIssuingPoint.CRL_UPDATE_DONE || - crlIssuingPoint.isManualUpdateSet()) { -+ -+ CMS.debug("UpdateCRL: CRL update in progress"); - header.addStringValue("crlUpdate", "inProgress"); -+ - } else if (!crlIssuingPoint.isCRLGenerationEnabled()) { -+ -+ CMS.debug("UpdateCRL: CRL update disabled"); - header.addStringValue("crlUpdate", "Disabled"); -+ - } else { -+ -+ CMS.debug("UpdateCRL: scheduling CRL update"); - crlIssuingPoint.setManualUpdate(signatureAlgorithm); - header.addStringValue("crlUpdate", "Scheduled"); - } -+ - return; - } -+ - if (test != null && test.equals("true") && - crlIssuingPoint.isCRLCacheTestingEnabled() && - (!mTesting.contains(crlIssuingPointId))) { -- CMS.debug("CRL test started."); -+ -+ CMS.debug("UpdateCRL: CRL test started"); -+ - mTesting.add(crlIssuingPointId); - BigInteger addLen = null; - BigInteger startFrom = null; -+ - if (add != null && add.length() > 0 && - from != null && from.length() > 0) { - try { -@@ -377,6 +401,7 @@ public class UpdateCRL extends CMSServlet { - } catch (Exception e) { - } - } -+ - if (addLen != null && startFrom != null) { - Date revocationDate = CMS.getCurrentDate(); - String err = null; -@@ -386,6 +411,7 @@ public class UpdateCRL extends CMSServlet { - BigInteger serialNumber = startFrom; - BigInteger counter = addLen; - BigInteger stepBy = null; -+ - if (by != null && by.length() > 0) { - try { - stepBy = new BigInteger(by); -@@ -397,6 +423,7 @@ public class UpdateCRL extends CMSServlet { - long t2 = 0; - - while (counter.compareTo(BigInteger.ZERO) > 0) { -+ - RevokedCertImpl revokedCert = - new RevokedCertImpl(serialNumber, revocationDate, entryExts); - crlIssuingPoint.addRevokedCert(serialNumber, revokedCert); -@@ -405,9 +432,11 @@ public class UpdateCRL extends CMSServlet { - - if ((counter.compareTo(BigInteger.ZERO) == 0) || - (stepBy != null && 
((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) { -+ - t2 = System.currentTimeMillis(); - long t0 = t2 - t1; - t1 = t2; -+ - try { - if (signatureAlgorithm != null) { - crlIssuingPoint.updateCRLNow(signatureAlgorithm); -@@ -418,35 +447,43 @@ public class UpdateCRL extends CMSServlet { - counter = BigInteger.ZERO; - err = e.toString(); - } -+ - if (results != null && results.equals("1")) { - addInfo(argSet, crlIssuingPoint, t0); - } - } - } -+ - if (err != null) { - header.addStringValue("crlUpdate", "Failure"); - header.addStringValue("error", err); - } else { - header.addStringValue("crlUpdate", "Success"); - } -+ - } else { -- CMS.debug("CRL test error: missing parameters."); -+ CMS.debug("UpdateCRL: CRL test error: missing parameters"); - header.addStringValue("crlUpdate", "missingParameters"); - } - - mTesting.remove(crlIssuingPointId); -- CMS.debug("CRL test finished."); -+ CMS.debug("UpdateCRL: CRL test finished"); - return; -+ - } else if (test != null && test.equals("true") && - crlIssuingPoint.isCRLCacheTestingEnabled() && - mTesting.contains(crlIssuingPointId)) { - header.addStringValue("crlUpdate", "testingInProgress"); - return; -+ - } else if (test != null && test.equals("true") && - (!crlIssuingPoint.isCRLCacheTestingEnabled())) { - header.addStringValue("crlUpdate", "testingNotEnabled"); - return; - } -+ -+ CMS.debug("UpdateCRL: updating CRL"); -+ - try { - EBaseException publishError = null; - -@@ -462,6 +499,7 @@ public class UpdateCRL extends CMSServlet { - long now2 = System.currentTimeMillis(); - - header.addStringValue("time", "" + (now2 - now1)); -+ - } catch (EErrorPublishCRL e) { - publishError = e; - } -@@ -487,6 +525,7 @@ public class UpdateCRL extends CMSServlet { - if (authToken != null) { - authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); - } -+ - long endTime = CMS.getCurrentDate().getTime(); - - if (crlIssuingPoint.getNextUpdate() != null) { -@@ -520,6 +559,7 @@ public class UpdateCRL extends CMSServlet { 
- + " time: " + (endTime - startTime) } - ); - } -+ - } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString())); - if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) { --- -1.8.3.1 - - -From e1fd9685e5442e5e2efa9a26e07bf45274b6fb93 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 19 May 2017 09:47:47 -0600 -Subject: [PATCH 23/27] Fixed hardcoded values in ca CS.cfg - -- Bugzilla Bug #1452123 - CA CS.cfg shows default port -- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port ---- - base/ca/shared/conf/CS.cfg | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index f6297a3..8f9af5c 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -290,7 +290,7 @@ ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.exten - ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt - ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints - ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints --ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:8080/ocsp -+ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ocsp - ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL - ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp - ca.Policy.rule.AuthInfoAccessExt.enable=false -@@ -773,8 +773,8 @@ cmsgateway._027=## 'cmsgateway.enableAdminEnroll=false' should have - cmsgateway._028=## already been reset. 
- cmsgateway._029=## - cmsgateway.enableAdminEnroll=false --https.port=8443 --http.port=8080 -+https.port=[PKI_SECURE_PORT] -+http.port=[PKI_UNSECURE_PORT] - dbs.enableSerialManagement=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] - dbs.enableRandomSerialNumbers=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] - dbs.randomSerialNumberCounter=0 --- -1.8.3.1 - - -From f30be692453ccb323f874e5a751e2381cbb4ebb0 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 May 2017 21:35:00 +0200 -Subject: [PATCH 24/27] Added debug logs for JssSubsystem. - -Some debug logs have been added into JssSubsystem to improve code -clarity. - -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc ---- - .../netscape/cmscore/security/JssSubsystem.java | 31 ++++++++++++++-------- - 1 file changed, 20 insertions(+), 11 deletions(-) - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -index dab9ac9..9031a92 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -@@ -264,12 +264,15 @@ public final class JssSubsystem implements ICryptoSubsystem { - */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { -+ -+ CMS.debug("JssSubsystem: initializing JSS subsystem"); -+ - mLogger = CMS.getLogger(); - - if (mInited) { - // This used to throw an exeception (e.g. - on Solaris). - // If JSS is already initialized simply return. -- CMS.debug("JssSubsystem already inited.. 
returning."); -+ CMS.debug("JssSubsystem: already initialized"); - return; - } - -@@ -277,9 +280,11 @@ public final class JssSubsystem implements ICryptoSubsystem { - - // If disabled, just return - boolean enabled = config.getBoolean(PROP_ENABLE, true); -+ CMS.debug("JssSubsystem: enabled: " + enabled); - -- if (!enabled) -+ if (!enabled) { - return; -+ } - - try { - devRandomInputStream = new FileInputStream("/dev/urandom"); -@@ -287,28 +292,28 @@ public final class JssSubsystem implements ICryptoSubsystem { - // XXX - add new exception - } - -- // get hardcoded password (for debugging. -- String pw; -+ // get debugging password from config file -+ String pw = config.getString(PASSWORD_ALIAS, null); - -- if ((pw = config.getString(PASSWORD_ALIAS, null)) != null) { -- // hardcoded password in config file -+ if (pw != null) { -+ CMS.debug("JssSubsystem: use debug password"); - mPWCB = new Password(pw.toCharArray()); -- CMS.debug("JssSubsystem init() got password from hardcoded in config"); - } - -- String certDir; -- -- certDir = config.getString(CONFIG_DIR, null); -+ String certDir = config.getString(CONFIG_DIR, null); -+ CMS.debug("JssSubsystem: NSS database: " + certDir); - - CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(certDir, "", "", "secmod.db"); -- - vals.removeSunProvider = false; - vals.installJSSProvider = true; -+ - try { -+ CMS.debug("JssSubsystem: initializing CryptoManager"); - CryptoManager.initialize(vals); - } catch (AlreadyInitializedException e) { - // do nothing - } catch (Exception e) { -+ CMS.debug(e); - String[] params = { mId, e.toString() }; - EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params)); - -@@ -317,9 +322,11 @@ public final class JssSubsystem implements ICryptoSubsystem { - } - - try { -+ CMS.debug("JssSubsystem: initializing SSL"); - mCryptoManager = CryptoManager.getInstance(); - initSSL(); - } catch (CryptoManager.NotInitializedException e) { -+ 
CMS.debug(e); - String[] params = { mId, e.toString() }; - EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params)); - -@@ -328,6 +335,8 @@ public final class JssSubsystem implements ICryptoSubsystem { - } - - mInited = true; -+ -+ CMS.debug("JssSubsystem: initialization complete"); - } - - public String getCipherVersion() throws EBaseException { --- -1.8.3.1 - - -From 62841380c6400023cf973e273ab974352885fabd Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 04:06:17 +0200 -Subject: [PATCH 25/27] Fixed problem with --ignore-banner option. - -The pki CLI has been modified to parse the --ignore-banner option -properly and pass it only to Java-based CLI commands. - -https://pagure.io/dogtagpki/issue/2683 - -Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5 ---- - base/common/python/pki/cli/main.py | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py -index 268547b..f201c1d 100644 ---- a/base/common/python/pki/cli/main.py -+++ b/base/common/python/pki/cli/main.py -@@ -44,6 +44,7 @@ class PKICLI(pki.cli.CLI): - self.password = None - self.password_file = None - self.token = None -+ self.ignore_banner = False - - self.add_module(pki.cli.pkcs12.PKCS12CLI()) - -@@ -96,6 +97,9 @@ class PKICLI(pki.cli.CLI): - if self.token and self.token != 'internal': - cmd.extend(['--token', self.token]) - -+ if self.ignore_banner: -+ cmd.extend(['--ignore-banner']) -+ - if self.verbose: - cmd.extend(['--verbose']) - -@@ -157,6 +161,12 @@ class PKICLI(pki.cli.CLI): - pki_options.append(args[i + 1]) - i = i + 2 - -+ # check ignore banner option -+ elif args[i] == '--ignore-banner': -+ self.ignore_banner = True -+ pki_options.append(args[i]) -+ i = i + 1 -+ - # check verbose option - elif args[i] == '-v' or args[i] == '--verbose': - self.set_verbose(True) --- -1.8.3.1 - - -From 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb Mon Sep 17 00:00:00 
2001 -From: Christina Fu -Date: Fri, 19 May 2017 11:55:14 -0700 -Subject: [PATCH 26/27] Ticket#2618 feature: pre-signed CMC renewal request - -This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate. -The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. -UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. -The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true. 
---- - .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 13 ++- - .../src/com/netscape/cmstools/CMCRequest.java | 14 ++- - .../constraint/RenewGracePeriodConstraint.java | 26 +++-- - .../profile/constraint/UniqueKeyConstraint.java | 123 ++++++++++++++++----- - 4 files changed, 132 insertions(+), 44 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -index 229a3cd..63a4bca 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -10,12 +10,23 @@ input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet --policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8 - policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl - policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint - policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl - policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl -+policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint -+policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true -+policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl -+policyset.cmcUserCertSet.9.default.name=No Default -+policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl -+policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint -+policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30 -+policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30 -+policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl -+policyset.cmcUserCertSet.10.default.name=No Default - 
policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl - policyset.cmcUserCertSet.2.constraint.name=Validity Constraint - policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index 6e27cb1..9c41403 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -2014,10 +2014,12 @@ public class CMCRequest { - certname.append(tokenName); - certname.append(":"); - } -- certname.append(nickname); -- signerCert = cm.findCertByNickname(certname.toString()); -- if (signerCert != null) { -- System.out.println("got signerCert: "+ certname.toString()); -+ if (!selfSign.equals("true") && nickname != null) { -+ certname.append(nickname); -+ signerCert = cm.findCertByNickname(certname.toString()); -+ if (signerCert != null) { -+ System.out.println("got signerCert: "+ certname.toString()); -+ } - } - - ContentInfo cmcblob = null; -@@ -2239,11 +2241,11 @@ public class CMCRequest { - // sign the request - SignedData signedData = null; - if (selfSign.equalsIgnoreCase("true")) { -- // selfSign signes with private key -+ // selfSign signs with private key - System.out.println("selfSign is true..."); - signedData = signData(privk, pkidata); - } else { -- // none selfSign signes with existing cert -+ // none selfSign signs with existing cert - System.out.println("selfSign is false..."); - signedData = signData(signerCert, tokenName, nickname, cm, pkidata); - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java -index d140396..a5f7994 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java -+++ 
b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java -@@ -87,14 +87,16 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { - - public void validate(IRequest req, X509CertInfo info) - throws ERejectException { -+ String method = "RenewGracePeriodConstraint: validate: "; -+ String msg = ""; -+ - String origExpDate_s = req.getExtDataInString("origNotAfter"); -- // probably not for renewal -- if (origExpDate_s == null) { -+ if (origExpDate_s == null) { // probably not for renewal -+ CMS.debug(method + " original cert expiration date not found...return without validation"); - return; -- } else { -- CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing"); -+ } else { //should occur when it's renewal -+ CMS.debug(method + " original cert expiration date found... validating"); - } -- CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); - BigInteger origExpDate_BI = new BigInteger(origExpDate_s); - Date origExpDate = new Date(origExpDate_BI.longValue()); - String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); -@@ -122,7 +124,7 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { - - Date current = CMS.getCurrentDate(); - long millisDiff = origExpDate.getTime() - current.getTime(); -- CMS.debug("validateRenewGracePeriod: millisDiff=" -+ CMS.debug(method + " millisDiff=" - + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime()); - - /* -@@ -134,17 +136,17 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { - */ - if (millisDiff >= 0) { - if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) { -+ msg = renew_grace_before + " days before and " + -+ renew_grace_after + " days after original cert expiration date"; - throw new ERejectException(CMS.getUserMessage(getLocale(req), -- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", -- renew_grace_before + " days before and " + -- 
renew_grace_after + " days after original cert expiration date")); -+ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg)); - } - } else { - if ((renew_grace_after > 0) && ((0 - millisDiff) > renew_grace_after_BI.longValue())) { -+ msg = renew_grace_before + " days before and " + -+ renew_grace_after + " days after original cert expiration date"; - throw new ERejectException(CMS.getUserMessage(getLocale(req), -- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", -- renew_grace_before + " days before and " + -- renew_grace_after + " days after original cert expiration date")); -+ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg)); - } - } - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -index 869f0e2..33cc7a9 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java -@@ -17,16 +17,11 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.cms.profile.constraint; - -+import java.math.BigInteger; -+import java.util.Date; - import java.util.Enumeration; - import java.util.Locale; - --import netscape.security.x509.CertificateSubjectName; --import netscape.security.x509.CertificateX509Key; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; --import netscape.security.x509.X509Key; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.ca.ICertificateAuthority; -@@ -41,6 +36,13 @@ import com.netscape.certsrv.property.IDescriptor; - import com.netscape.certsrv.request.IRequest; - import com.netscape.cms.profile.def.NoDefault; - -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.CertificateX509Key; -+import netscape.security.x509.X500Name; -+import 
netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; -+import netscape.security.x509.X509Key; -+ - /** - * This constraint is to check for publickey uniqueness. - * The config param "allowSameKeyRenewal" enables the -@@ -102,9 +104,29 @@ public class UniqueKeyConstraint extends EnrollConstraint { - /** - * Validates the request. The request is not modified - * during the validation. -+ * -+ * It will try to capture orig cert expiration info for renewal later. -+ * Renewal can be either renewal with same key or new key. -+ * -+ * In case of renewing with same key, the old cert record -+ * can be retrieved and used to fill original info such as -+ * original expiration date for use with RenewGracePeriodConstraint. -+ * -+ * In case of renewing with new key, it would be no different from -+ * regular enrollment -+ * -+ * Search by ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA -+ * would tell us if its reusing the same key or not. -+ * If any cert with the same key in the repository is found -+ * to be revoked, then the request is rejected -+ * -+ * This contraint has to go before the RenewGracePeriodConstraint, -+ * but after any of the SubjectName Default and Constraint - */ - public void validate(IRequest request, X509CertInfo info) - throws ERejectException { -+ String method = "UniqueKeyConstraint: validate: "; -+ String msg = ""; - boolean rejected = false; - int size = 0; - ICertRecordList list; -@@ -114,6 +136,8 @@ public class UniqueKeyConstraint extends EnrollConstraint { - getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); - */ - mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); -+ msg = msg + ": allowSameKeyRenewal=" + mAllowSameKeyRenewal + ";"; -+ CMS.debug(method + msg); - - try { - CertificateX509Key infokey = (CertificateX509Key) -@@ -131,18 +155,18 @@ public class UniqueKeyConstraint extends EnrollConstraint { - - } catch (Exception e) { - throw new ERejectException( -- CMS.getUserMessage( -- 
getLocale(request), -- "CMS_PROFILE_INTERNAL_ERROR", e.toString())); -+ CMS.getUserMessage( -+ getLocale(request), -+ "CMS_PROFILE_INTERNAL_ERROR", method + e.toString())); - } - - /* - * It does not matter if the corresponding cert's status -- * is valid or not, we don't want a key that was once -- * generated before -+ * is valid or not, if mAllowSameKeyRenewal is false, -+ * we don't want a key that was once generated before - */ - if (size > 0) { -- CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); -+ CMS.debug(method + "found existing cert with same key"); - - /* - The following code revokes the existing certs that have -@@ -189,45 +213,94 @@ public class UniqueKeyConstraint extends EnrollConstraint { - - sjname_in_req = - (X500Name) subName.get(CertificateSubjectName.DN_NAME); -- CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString()); -+ CMS.debug(method +" cert request subject DN =" + sjname_in_req.toString()); - Enumeration e = list.getCertRecords(0, size - 1); -+ Date latestOrigNotAfter = null; -+ Date origNotAfter = null; -+ boolean first = true; - while (e != null && e.hasMoreElements()) { - ICertRecord rec = e.nextElement(); -- X509CertImpl cert = rec.getCertificate(); -+ BigInteger serial = rec.getSerialNumber(); -+ -+ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) -+ || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { -+ msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";"; -+ CMS.debug(method + msg); -+ rejected = true; -+ // this has to break -+ break; -+ } -+ if (!rec.getStatus().equals(ICertRecord.STATUS_VALID) -+ && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) { -+ CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString()); -+ // can still find another one to renew -+ continue; -+ } -+ // only VALID or EXPIRED certs could have reached here -+ X509CertImpl origCert = rec.getCertificate(); - String certDN = -- 
cert.getSubjectDN().toString(); -- CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN); -+ origCert.getSubjectDN().toString(); -+ CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN); - - sjname_in_db = new X500Name(certDN); - - if (sjname_in_db.equals(sjname_in_req) == false) { -+ msg = msg + "subject name not match in same key renewal;"; - rejected = true; - break; - } else { -- rejected = false; -+ CMS.debug("subject name match in same key renewal"); - } -+ -+ // find the latest expiration date to keep for -+ // Renewal Grace Period Constraint later -+ origNotAfter = origCert.getNotAfter(); -+ CMS.debug(method + "origNotAfter =" + origNotAfter.toString()); -+ if (first) { -+ latestOrigNotAfter = origNotAfter; -+ first = false; -+ } else if (latestOrigNotAfter.before(origNotAfter)) { -+ CMS.debug(method + "newer cert found"); -+ latestOrigNotAfter = origNotAfter; -+ } -+ -+ // yes, this could be overwritten by later -+ // found cert(s) that has violations -+ rejected = false; - } // while -+ -+ if (latestOrigNotAfter != null) { -+ String existingOrigExpDate_s = request.getExtDataInString("origNotAfter"); -+ if (existingOrigExpDate_s != null) { -+ // make sure not to interfere with renewal by serial -+ CMS.debug(method + -+ " original cert expiration date already exists. 
Not overriding."); -+ } else { -+ // set origNotAfter for RenewGracePeriodConstraint -+ CMS.debug(method + "setting latest original cert expiration in request"); -+ request.setExtData("origNotAfter", BigInteger.valueOf(latestOrigNotAfter.getTime())); -+ } -+ } - } else { //subName is null -+ msg = msg +"subject name not found in cert request info;"; - rejected = true; - } - } catch (Exception ex1) { -- CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString()); -+ CMS.debug(method + msg + ex1.toString()); - rejected = true; - } // try - - } else { -+ msg = msg + "found existing cert with same key;"; - rejected = true; - }// allowSameKeyRenewal - } // (size > 0) - - if (rejected == true) { -- CMS.debug("UniqueKeyConstraint: rejected"); -- throw new ERejectException( -- CMS.getUserMessage( -- getLocale(request), -- "CMS_PROFILE_DUPLICATE_KEY")); -+ CMS.debug(method + " rejected"); -+ throw new ERejectException(msg); - } else { -- CMS.debug("UniqueKeyConstraint: approved"); -+ CMS.debug(method + " approved"); - } - } - --- -1.8.3.1 - - -From b66409ba4a9ffa8cb58f643e891a4a50a67fb29a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 00:06:41 +0200 -Subject: [PATCH 27/27] Added configurable random number generator in - JssSubsystem. - -The JssSubsystem has been modified to provide a configurable -random number generator which uses PK11SecureRandom from JSS by -default. - -The CertificateRepository has been modified to use the new random -number generator to generate random serial number. 
- -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75 ---- - .../cmscore/dbs/CertificateRepository.java | 32 +++++++++++----------- - .../netscape/cmscore/security/JssSubsystem.java | 27 ++++++++++++++++++ - 2 files changed, 43 insertions(+), 16 deletions(-) - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -index 8406f36..9a333fe 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -@@ -19,27 +19,18 @@ package com.netscape.cmscore.dbs; - - import java.io.Serializable; - import java.math.BigInteger; -+import java.security.SecureRandom; - import java.security.cert.Certificate; - import java.util.Arrays; - import java.util.Date; - import java.util.Enumeration; - import java.util.Hashtable; --import java.util.Random; - import java.util.Vector; - import java.util.concurrent.Executors; - import java.util.concurrent.ScheduledExecutorService; - import java.util.concurrent.ThreadFactory; - import java.util.concurrent.TimeUnit; - --import netscape.ldap.LDAPAttributeSet; --import netscape.ldap.LDAPEntry; --import netscape.ldap.LDAPSearchResults; --import netscape.security.x509.CertificateValidity; --import netscape.security.x509.RevokedCertImpl; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509CertInfo; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -@@ -62,6 +53,16 @@ import com.netscape.certsrv.dbs.certdb.RenewableCertificateCollection; - import com.netscape.certsrv.dbs.repository.IRepository; - import com.netscape.certsrv.dbs.repository.IRepositoryRecord; - import com.netscape.certsrv.logging.ILogger; -+import 
com.netscape.cmscore.security.JssSubsystem; -+ -+import netscape.ldap.LDAPAttributeSet; -+import netscape.ldap.LDAPEntry; -+import netscape.ldap.LDAPSearchResults; -+import netscape.security.x509.CertificateValidity; -+import netscape.security.x509.RevokedCertImpl; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509CertInfo; - - /** - * A class represents a certificate repository. It -@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository - private int mTransitMaxRecords = 1000000; - private int mTransitRecordPageSize = 200; - -- private Random mRandom = null; - private int mBitLength = 0; - private BigInteger mRangeSize = null; - private int mMinRandomBitLength = 4; -@@ -169,11 +169,7 @@ public class CertificateRepository extends Repository - } - - private BigInteger getRandomNumber() throws EBaseException { -- BigInteger randomNumber = null; - -- if (mRandom == null) { -- mRandom = new Random(); -- } - super.initCacheIfNeeded(); - - if (mRangeSize == null) { -@@ -189,7 +185,11 @@ public class CertificateRepository extends Repository - CMS.debug("CertificateRepository: getRandomNumber: Range size is too small to support random certificate serial numbers."); - throw new EBaseException ("Range size is too small to support random certificate serial numbers."); - } -- randomNumber = new BigInteger((mBitLength), mRandom); -+ -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); -+ -+ BigInteger randomNumber = new BigInteger(mBitLength, random); - randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength); - CMS.debug("CertificateRepository: getRandomNumber randomNumber="+randomNumber); - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -index 9031a92..d346a12 
100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -@@ -32,6 +32,7 @@ import java.security.NoSuchAlgorithmException; - import java.security.NoSuchProviderException; - import java.security.Principal; - import java.security.PublicKey; -+import java.security.SecureRandom; - import java.security.SignatureException; - import java.security.cert.CertificateEncodingException; - import java.security.cert.CertificateException; -@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem { - private boolean mInited = false; - private ILogger mLogger = null; - private CryptoManager mCryptoManager = null; -+ private SecureRandom random; - - protected PasswordCallback mPWCB = null; - -@@ -334,11 +336,36 @@ public final class JssSubsystem implements ICryptoSubsystem { - throw ex; - } - -+ // read jss.random.* properties -+ // by default use PK11SecureRandom from JSS -+ // see http://pki.fedoraproject.org/wiki/Random_Number_Generator -+ -+ IConfigStore randomConfig = config.getSubStore("random"); -+ CMS.debug("JssSubsystem: random:"); -+ -+ String algorithm = randomConfig.getString("algorithm", "pkcs11prng"); -+ CMS.debug("JssSubsystem: - algorithm: " + algorithm); -+ -+ String provider = randomConfig.getString("provider", "Mozilla-JSS"); -+ CMS.debug("JssSubsystem: - provider: " + provider); -+ -+ try { -+ random = SecureRandom.getInstance(algorithm, provider); -+ -+ } catch (NoSuchAlgorithmException | NoSuchProviderException e) { -+ CMS.debug(e); -+ throw new EBaseException(e); -+ } -+ - mInited = true; - - CMS.debug("JssSubsystem: initialization complete"); - } - -+ public SecureRandom getRandomNumberGenerator() { -+ return random; -+ } -+ - public String getCipherVersion() throws EBaseException { - return "cipherdomestic"; - } --- -1.8.3.1 - 
diff --git a/SOURCES/pki-core-snapshot-2.patch b/SOURCES/pki-core-snapshot-2.patch
deleted file mode 100644
index 54a39b3..0000000
--- a/SOURCES/pki-core-snapshot-2.patch
+++ /dev/null
@@ -1,15017 +0,0 @@ -From 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 16 May 2017 17:29:45 -0400 -Subject: [PATCH 01/38] Encapsulate the archival audit log - -This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and -PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. - -The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the -SECURITY_DATA ones to simplify the whole structure. They -used to provide an archivalID parameter which was pretty much -meaningless as it was at best just the same as the request id -which is alreadty logged. So this is now dropped. - -Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2 ---- - base/ca/src/com/netscape/ca/CAService.java | 45 +++-------- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 - - .../logging/event/SecurityDataArchivalEvent.java | 59 ++++++++++++++ - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/EnrollmentService.java | 92 ++++++---------------- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 27 ++----- - .../src/com/netscape/kra/NetkeyKeygenService.java | 15 +--- - .../server/kra/rest/KeyRequestService.java | 9 +-- - .../cms/profile/common/CAEnrollProfile.java | 40 +++------- - .../cms/servlet/base/SubsystemService.java | 10 +++ - base/server/cmsbundle/src/LogMessages.properties | 14 +--- - 11 files changed, 132 insertions(+), 187 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java - -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index 2ad1967..45fae66 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList; - import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import 
com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileSubsystem; -@@ -368,10 +369,8 @@ public class CAService implements ICAService, IService { - * @return true or false - */ - public boolean serviceRequest(IRequest request) { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); -- String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE; - - boolean completed = false; - -@@ -392,7 +391,7 @@ public class CAService implements ICAService, IService { - request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); - request.setExtData(IRequest.ERROR, e.toString()); - -- audit(auditMessage); -+ // TODO(alee) New audit message needed here - - return false; - } -@@ -420,14 +419,10 @@ public class CAService implements ICAService, IService { - CMS.debug("CAService: Sending enrollment request to KRA"); - - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - - boolean sendStatus = mKRAConnector.send(request); - -@@ -439,14 +434,10 @@ public class CAService implements ICAService, IService { - new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST"))); - - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - - return true; - } else { -@@ -457,14 +448,10 @@ public class CAService implements ICAService, IService { - } - if (request.getExtDataInString(IRequest.ERROR) != 
null) { - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - - return true; - } -@@ -484,14 +471,10 @@ public class CAService implements ICAService, IService { - // store a message in the signed audit log file - if (!(type.equals(IRequest.REVOCATION_REQUEST) || - type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - } - - return true; -@@ -504,14 +487,10 @@ public class CAService implements ICAService, IService { - if (!(type.equals(IRequest.REVOCATION_REQUEST) || - type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - } - - return completed; -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 21cac27..a224ae6 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String LOG_PATH_CHANGE = - "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - -- public final static String PRIVATE_KEY_ARCHIVE_REQUEST = -- 
"LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -@@ -182,8 +180,6 @@ public class AuditEvent implements IBundleLogEvent { - - public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; -- public static final String SECURITY_DATA_ARCHIVAL_REQUEST = -- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; - public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; - public static final String SECURITY_DATA_RECOVERY_REQUEST = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java -new file mode 100644 -index 0000000..43f7525 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java -@@ -0,0 +1,59 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SecurityDataArchivalEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST"; -+ -+ public SecurityDataArchivalEvent( -+ String subjectID, -+ String outcome, -+ RequestId requestID, -+ String clientKeyID) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID -+ }); -+ } -+ -+ public SecurityDataArchivalEvent( -+ String subjectID, -+ String outcome, -+ String requestID) { -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ null -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index bd49a8d..be4ce71 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION
_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SE
SSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index e413a06..0a1fe1f 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.ProofOfArchival; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ 
-155,13 +156,10 @@ public class EnrollmentService implements IService { - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); -- String auditArchiveID = ILogger.UNIDENTIFIED; - String auditPublicKey = ILogger.UNIDENTIFIED; - - String id = request.getRequestId().toString(); -- if (id != null) { -- auditArchiveID = id.trim(); -- } -+ - if (CMS.debugOn()) - CMS.debug("EnrollmentServlet: KRA services enrollment request"); - -@@ -198,15 +196,11 @@ public class EnrollmentService implements IService { - aOpts = CRMFParser.getPKIArchiveOptions( - request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST)); - } catch (IOException e) { -- -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); - } -@@ -247,14 +241,11 @@ public class EnrollmentService implements IService { - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); - } -@@ -283,14 +274,11 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException( - 
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } -@@ -325,14 +313,11 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_DEBUG, e.getMessage()); - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e); - } - } // !allowEncDecrypt_archival -@@ -346,14 +331,11 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } -@@ -371,14 +353,11 @@ public class EnrollmentService implements IService { - if (owner == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); - } - -@@ -406,14 +385,11 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_DEBUG, e.getMessage()); - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- 
auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); - } - -@@ -433,14 +409,11 @@ public class EnrollmentService implements IService { - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); - } - } else if (keyAlg.equals("EC")) { -@@ -483,14 +456,11 @@ public class EnrollmentService implements IService { - CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", - rec.getSerialNumber().toString())); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } - -@@ -505,14 +475,11 @@ public class EnrollmentService implements IService { - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); - // TODO(alee) Set correct audit message here -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } - -@@ -523,14 +490,11 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ 
audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } - if (i == 0) { -@@ -580,14 +544,10 @@ public class EnrollmentService implements IService { - ); - - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - - // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 54953d1..de097b2 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -58,6 +58,7 @@ import com.netscape.certsrv.kra.IKeyService; - import com.netscape.certsrv.listeners.EListenersException; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.request.ARequestNotifier; - import com.netscape.certsrv.request.IPolicy; - import com.netscape.certsrv.request.IRequest; -@@ -751,11 +752,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); - String auditPublicKey = auditPublicKey(rec); -- String auditArchiveID = ILogger.UNIDENTIFIED; - - IRequestQueue queue = null; - IRequest r = null; -- String id = null; - - // ensure that any low-level exceptions are reported - // to the signed audit log and stored as failures -@@ -764,34 +763,18 @@ public class KeyRecoveryAuthority implements 
IAuthority, IKeyService, IKeyRecove - - r = queue.newRequest(KRAService.ENROLLMENT); - -- if (r != null) { -- // overwrite "auditArchiveID" if and only if "id" != null -- id = r.getRequestId().toString(); -- if (id != null) { -- auditArchiveID = id.trim(); -- } -- } -- - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -- -+ auditRequesterID)); - throw eAudit1; - } - -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 636e93e..0885469 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.security.IStorageKeyUnit; -@@ -142,7 +143,6 @@ public class NetkeyKeygenService implements IService { - throws EBaseException { - String auditMessage = null; - String auditSubjectID = null; -- String auditArchiveID = ILogger.UNIDENTIFIED; - byte[] wrapped_des_key; - - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -@@ -165,11 +165,6 @@ public class 
NetkeyKeygenService implements IService { - ; - String PubKey = ""; - -- String id = request.getRequestId().toString(); -- if (id != null) { -- auditArchiveID = id.trim(); -- } -- - String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); - if (rArchive.equals("true")) { - archive = true; -@@ -395,14 +390,10 @@ public class NetkeyKeygenService implements IService { - // - // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit( new SecurityDataArchivalEvent( - agentId, - ILogger.SUCCESS, -- auditSubjectID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditSubjectID)); - - CMS.debug("KRA encrypts private key to put on internal ldap db"); - byte privateKeyData[] = null; -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index 38f7e93..b0bcff2 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.key.KeyRequestResponse; - import com.netscape.certsrv.key.SymKeyGenerationRequest; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestNotFoundException; - import com.netscape.cms.realm.PKIPrincipal; -@@ -354,13 +355,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes - } - - public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { -- String msg = CMS.getLogMessage( -- AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST, -+ audit(new SecurityDataArchivalEvent( - getRequestor(), - status, -- requestId != null? 
requestId.toString(): "null", -- clientKeyID); -- auditor.log(msg); -+ requestId, -+ clientKeyID)); - } - - public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -index 02aa8c8..85db2cb 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -@@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID; - import com.netscape.certsrv.ca.ICAService; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.connector.IConnector; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; - import com.netscape.certsrv.profile.IProfileUpdater; -@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile { - throw new EProfileException("Profile Not Enabled"); - } - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(request); -- String auditArchiveID = ILogger.UNIDENTIFIED; -- - String id = request.getRequestId().toString(); -- if (id != null) { -- auditArchiveID = id.trim(); -- } -+ - - CMS.debug("CAEnrollProfile: execute request ID " + id); - -@@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile { - CMS.debug("CAEnrollProfile: KRA connector " + - "not configured"); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -- -- 
audit(auditMessage); -- -+ auditRequesterID)); - } else { - CMS.debug("CAEnrollProfile: execute send request"); - kraConnector.send(request); - - // check response - if (!request.isSuccess()) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - if (request.getError(getLocale(request)) != null && - (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) { - CMS.debug("CAEnrollProfile: execute set request status: REJECTED"); -@@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile { - request.getError(getLocale(request))); - } - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID, -- auditArchiveID); -- -- audit(auditMessage); -+ auditRequesterID)); - } - } catch (Exception e) { - -@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile { - CMS.debug("CAEnrollProfile: " + e); - CMS.debug(e); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, -+ audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID, -- auditArchiveID); -+ auditRequesterID)); - -- audit(auditMessage); - throw new EProfileException(e); - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java -index 30d6b9c..2bcde64 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java -@@ -81,6 +81,16 @@ public class SubsystemService extends PKIService { - getClass().getSimpleName() + ": " + message); - } - -+ protected void 
audit(AuditEvent event) { -+ -+ String template = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(template, params); -+ -+ auditor.log(message); -+ } -+ - public void audit(String message, String scope, String type, String id, Map params, String status) { - - String auditMessage = CMS.getLogMessage( -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 6bc2d82..03af216 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -1943,18 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA - # -- feature disabled -- - #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt - # --# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST --# - used when user private key archive request is made --# this is an option in a certificate enrollment request detected by RA or CA --# so should be seen logged right following the certificate request, if selected --# ReqID must be the certificate enrollment request ID associated with the --# CA archive option (even if the request was originally submitted via --# an RA) (this field is set to the "EntityID" in caase of server-side key gen) --# ArchiveID must be the DRM request ID associated with the enrollment ID, --# ReqID (this field will be "N/A" when logged by the CA) --# --LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request --# - # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED - # - used when user private key archive request is processed - # this is when DRM receives and processed the request -@@ -2490,7 +2478,7 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made - # - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED --- -1.8.3.1 - - -From 3a35eceffed65862e66806c20cff3a3b64d75ae8 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 16 May 2017 22:16:30 -0400 -Subject: [PATCH 02/38] Encapsulate archival processed audit logs - -Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED -and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the -two audit events. - -Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7 ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- - .../event/SecurityDataArchivalProcessedEvent.java | 49 ++++++++++++++++++++++ - base/kra/shared/conf/CS.cfg | 2 +- - .../src/com/netscape/kra/EnrollmentService.java | 15 ++++--- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 33 ++++++++------- - .../src/com/netscape/kra/NetkeyKeygenService.java | 13 +++--- - .../com/netscape/kra/SecurityDataProcessor.java | 8 ++-- - base/server/cmsbundle/src/LogMessages.properties | 10 +---- - 8 files changed, 86 insertions(+), 48 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index a224ae6..ce5cc4b 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String LOG_PATH_CHANGE 
= - "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - -- public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; - public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String CONFIG_SERIAL_NUMBER = - "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - -- public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; - public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; - public static final String SECURITY_DATA_RECOVERY_REQUEST = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -new file mode 100644 -index 0000000..8d7593b ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -@@ -0,0 +1,49 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class SecurityDataArchivalProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"; -+ -+ public SecurityDataArchivalProcessedEvent( -+ String subjectID, -+ String outcome, -+ String requestID, -+ String clientKeyID, -+ String keyID, -+ String failureReason, -+ String pubkey) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID, -+ keyID, -+ failureReason, -+ pubkey -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index be4ce71..23d2508 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUE
ST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index 0a1fe1f..cf2a88f 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -51,6 +51,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ -153,13 +154,10 @@ public class EnrollmentService implements IService { - 
statsSub.startTiming("archival", true /* main action */); - } - -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); - String auditPublicKey = ILogger.UNIDENTIFIED; - -- String id = request.getRequestId().toString(); -- - if (CMS.debugOn()) - CMS.debug("EnrollmentServlet: KRA services enrollment request"); - -@@ -551,13 +549,14 @@ public class EnrollmentService implements IService { - - // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditPublicKey); -- -- audit(auditMessage); -+ request.getRequestId().toString(), -+ null, -+ rec.getSerialNumber().toString(), -+ null, -+ auditPublicKey)); - - // Xxx - should sign this proof of archival - ProofOfArchival mProof = new ProofOfArchival(serialNo, -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index de097b2..bc58d14 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -59,6 +59,7 @@ import com.netscape.certsrv.listeners.EListenersException; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.request.ARequestNotifier; - import com.netscape.certsrv.request.IPolicy; - import com.netscape.certsrv.request.IRequest; -@@ -786,23 +787,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - queue.processRequest(r); - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- 
AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.SUCCESS, -- auditPublicKey); -- -- audit(auditMessage); -+ audit(new SecurityDataArchivalProcessedEvent( -+ auditSubjectID, -+ ILogger.SUCCESS, -+ r.getRequestId().toString(), -+ null, -+ rec.getSerialNumber().toString(), -+ null, -+ auditPublicKey)); - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditPublicKey); -- -- audit(auditMessage); -+ audit(new SecurityDataArchivalProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ r.getRequestId().toString(), -+ null, -+ rec.getSerialNumber().toString(), -+ eAudit1.getMessage(), -+ auditPublicKey)); - - throw eAudit1; - } -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 0885469..cd1079d 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.security.IStorageKeyUnit; -@@ -480,14 +481,14 @@ public class NetkeyKeygenService implements IService { - storage.addKeyRecord(rec); - CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, -+ audit(new SecurityDataArchivalProcessedEvent( - agentId, - ILogger.SUCCESS, -- PubKey); -- -- audit(auditMessage); -- -+ 
request.getRequestId().toString(), -+ null, -+ serialNo.toString(), -+ null, -+ PubKey)); - } //if archive - - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 344f376..fa12805 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -40,6 +40,7 @@ import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.RequestId; -@@ -867,14 +868,13 @@ public class SecurityDataProcessor { - - private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - String keyID, String reason) { -- String auditMessage = CMS.getLogMessage( -- AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, -+ audit(new SecurityDataArchivalProcessedEvent( - subjectID, - status, - requestID.toString(), - clientKeyID, - keyID != null ? 
keyID : "None", -- reason); -- audit(auditMessage); -+ reason, -+ null)); - } - } -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 03af216..a7ce567 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -1943,14 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA - # -- feature disabled -- - #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt - # --# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED --# - used when user private key archive request is processed --# this is when DRM receives and processed the request --# PubKey must be the base-64 encoded public key associated with --# the private key to be archived --# --LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][PubKey={2}] private key archive request processed --# - # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS - # - used when user private key export request is made and processed with success - # - this is used in case of server-side keygen when keys generated on the server -@@ -2471,7 +2463,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv - # Client ID must be the user supplied client ID associated with - # the security data to be archived - # --LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] security data archival request processed 
-+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST - # - used when security data recovery request is made --- -1.8.3.1 - - -From 90f6d8ece46d70a3566b97b549efb1053895f407 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 16 May 2017 23:11:34 -0400 -Subject: [PATCH 03/38] Encapsulate key recovery audit events - -Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and -KEY_RECOVERY_REQUEST audit events as audit event objects. -We have collapse to a single audit event type. - -Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- - .../event/SecurityDataArchivalProcessedEvent.java | 6 ++- - .../logging/event/SecurityDataRecoveryEvent.java | 48 +++++++++++++++++++++ - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/EnrollmentService.java | 5 ++- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 49 ++++++++++++++-------- - .../src/com/netscape/kra/NetkeyKeygenService.java | 5 ++- - .../com/netscape/kra/SecurityDataProcessor.java | 9 ++-- - .../com/netscape/kra/TokenKeyRecoveryService.java | 18 ++++---- - .../server/kra/rest/KeyRequestService.java | 10 ++--- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - 11 files changed, 114 insertions(+), 46 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index ce5cc4b..da571fe 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -82,8 +82,6 @@ public class AuditEvent 
implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; - public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; -- public final static String KEY_RECOVERY_REQUEST = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - public final static String KEY_RECOVERY_REQUEST_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; - public final static String KEY_RECOVERY_AGENT_LOGIN = -@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { - - public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; -- public static final String SECURITY_DATA_RECOVERY_REQUEST = -- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; - public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; - public final static String SECURITY_DATA_RETRIEVE_KEY = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -index 8d7593b..eb4f6b3 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -@@ -17,7 +17,9 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.certsrv.logging.event; - -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; - - public class SecurityDataArchivalProcessedEvent extends AuditEvent { - -@@ -28,9 +30,9 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { - public SecurityDataArchivalProcessedEvent( - String subjectID, - String outcome, -- String 
requestID, -+ RequestId requestID, - String clientKeyID, -- String keyID, -+ KeyId keyID, - String failureReason, - String pubkey) { - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java -new file mode 100644 -index 0000000..97e3c96 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java -@@ -0,0 +1,48 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SecurityDataRecoveryEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST"; -+ -+ public SecurityDataRecoveryEvent( -+ String subjectID, -+ String outcome, -+ RequestId recoveryID, -+ KeyId keyID, -+ String pubkey) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ recoveryID, -+ keyID, -+ pubkey -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 23d2508..54adae1 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
 COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index cf2a88f..b28fbc6 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.MetaInfo; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.kra.ProofOfArchival; -@@ -552,9 +553,9 @@ public class EnrollmentService 
implements IService { - audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, -- request.getRequestId().toString(), -+ request.getRequestId(), - null, -- rec.getSerialNumber().toString(), -+ new KeyId(rec.getSerialNumber()), - null, - auditPublicKey)); - -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index bc58d14..8f86eef 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.base.ISubsystem; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.IDBSubsystem; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.kra.IKeyService; -@@ -60,6 +61,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.request.ARequestNotifier; - import com.netscape.certsrv.request.IPolicy; - import com.netscape.certsrv.request.IRequest; -@@ -749,7 +751,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - */ - public IRequest archiveKey(KeyRecord rec) - throws EBaseException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); - String auditPublicKey = auditPublicKey(rec); -@@ -790,18 +791,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - audit(new SecurityDataArchivalProcessedEvent( - 
auditSubjectID, - ILogger.SUCCESS, -- r.getRequestId().toString(), -+ r.getRequestId(), - null, -- rec.getSerialNumber().toString(), -+ new KeyId(rec.getSerialNumber()), - null, - auditPublicKey)); - } catch (EBaseException eAudit1) { - audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- r.getRequestId().toString(), -+ r.getRequestId(), - null, -- rec.getSerialNumber().toString(), -+ new KeyId(rec.getSerialNumber()), - eAudit1.getMessage(), - auditPublicKey)); - -@@ -994,7 +995,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - throws EBaseException { - String auditMessage = null; - String auditSubjectID = auditSubjectID(); -+ -+ // temporary variable till other audit events are converted - String auditRecoveryID = auditRecoveryID(); -+ -+ RequestId auditRequestID = auditRequestID(); - String auditPublicKey = auditPublicKey(cert); - String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - -@@ -1029,24 +1034,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent); - - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST, -+ audit(new SecurityDataRecoveryEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRecoveryID, -- auditPublicKey); -- -- audit(auditMessage); -+ auditRequestID, -+ null, -+ auditPublicKey)); - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST, -+ audit(new SecurityDataRecoveryEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- auditPublicKey); -- -- audit(auditMessage); -+ auditRequestID, -+ null, -+ auditPublicKey)); - - throw eAudit1; - } -@@ -1680,6 +1681,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - return recoveryID; - } -+ /* -+ * temporary function till other 
audit messages are converted -+ */ -+ private RequestId auditRequestID() { -+ SessionContext auditContext = SessionContext.getExistingContext(); -+ if (auditContext != null) { -+ String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); -+ if (recoveryID != null) { -+ return new RequestId(recoveryID.trim()); -+ } -+ } -+ -+ return null; -+ } - - /** - * Signed Audit Log Public Key -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index cd1079d..5463b92 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -46,6 +46,7 @@ import com.netscape.certsrv.base.MetaInfo; - import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -@@ -484,9 +485,9 @@ public class NetkeyKeygenService implements IService { - audit(new SecurityDataArchivalProcessedEvent( - agentId, - ILogger.SUCCESS, -- request.getRequestId().toString(), -+ request.getRequestId(), - null, -- serialNo.toString(), -+ new KeyId(serialNo), - null, - PubKey)); - } //if archive -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index fa12805..da8dd9b 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import 
com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -@@ -300,7 +301,7 @@ public class SecurityDataProcessor { - keyRepository.addKeyRecord(rec); - - auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId, -- clientKeyId, serialNo.toString(), "None"); -+ clientKeyId, new KeyId(serialNo), "None"); - - request.setExtData(ATTR_KEY_RECORD, serialNo); - request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); -@@ -867,13 +868,13 @@ public class SecurityDataProcessor { - } - - private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, -- String keyID, String reason) { -+ KeyId keyID, String reason) { - audit(new SecurityDataArchivalProcessedEvent( - subjectID, - status, -- requestID.toString(), -+ requestID, - clientKeyID, -- keyID != null ? keyID : "None", -+ keyID, - reason, - null)); - } -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index 64f65a0..7aca24c 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -47,8 +47,10 @@ import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.cmscore.dbs.KeyRecord; -@@ -211,6 +213,10 @@ public class TokenKeyRecoveryService implements IService { - if (id != null) { - auditRecoveryID = id.trim(); - 
} -+ -+ // temporary variable till other audit messages have been replaced -+ RequestId auditRequestID = request.getRequestId(); -+ - SessionContext sContext = SessionContext.getContext(); - String agentId = ""; - if (sContext != null) { -@@ -563,14 +569,12 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService: RSA PubKey base64 encoded"); - } - -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST, -+ audit(new SecurityDataRecoveryEvent( - auditSubjectID, -- ILogger.SUCCESS, -- auditRecoveryID, -- PubKey); -- -- audit(auditMessage); -+ ILogger.SUCCESS, -+ auditRequestID, -+ null, -+ PubKey)); - - if (PubKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index b0bcff2..a2d01f1 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -51,6 +51,7 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestNotFoundException; - import com.netscape.cms.realm.PKIPrincipal; -@@ -345,13 +346,12 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes - } - - public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { -- String msg = CMS.getLogMessage( -- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST, -+ audit(new SecurityDataRecoveryEvent( - getRequestor(), - status, -- requestId != null? 
requestId.toString(): "null", -- dataId.toString()); -- auditor.log(msg); -+ requestId, -+ dataId, -+ null)); - } - - public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index a7ce567..d594f1c 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2486,7 +2486,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}] security data recovery request made -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}][PubKey={4}] security data recovery request made - # - # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE - # - used when DRM agents login as recovery agents to change --- -1.8.3.1 - - -From 58927bc0573769480dd35b564b9791eb086b267e Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 17 May 2017 14:10:37 -0400 -Subject: [PATCH 04/38] Encapsulate recovery processed audit events - -This creates audit events for KEY_RECOVERY_PROCESSED and -SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by -reducing the logs to the SECURITY_DATA ones. 
- -Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 - - .../event/SecurityDataRecoveryProcessedEvent.java | 50 ++++++ - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 94 +++-------- - .../com/netscape/kra/SecurityDataProcessor.java | 45 ++--- - .../com/netscape/kra/TokenKeyRecoveryService.java | 182 ++++++++++----------- - base/server/cmsbundle/src/LogMessages.properties | 12 +- - 7 files changed, 184 insertions(+), 207 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index da571fe..c9c8f96 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -86,8 +86,6 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; - public final static String KEY_RECOVERY_AGENT_LOGIN = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; -- public final static String KEY_RECOVERY_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; - public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; - public final static String KEY_GEN_ASYMMETRIC = -@@ -174,8 +172,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String CONFIG_SERIAL_NUMBER = - "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - -- public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; - public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; - public final static 
String SECURITY_DATA_RETRIEVE_KEY = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java -new file mode 100644 -index 0000000..8e5ad4b ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java -@@ -0,0 +1,50 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SecurityDataRecoveryProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED"; -+ -+ public SecurityDataRecoveryProcessedEvent( -+ String subjectID, -+ String outcome, -+ RequestId recoveryID, -+ KeyId keyID, -+ String failureReason, -+ String recoveryAgents) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ recoveryID, -+ keyID, -+ failureReason, -+ recoveryAgents -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 54adae1..8f55a37 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
- log.instance.SignedAudit.expirationTime=0
- log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
- log.instance.SignedAudit.flushInterval=5
-diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
-index 8f86eef..670279e 100644
---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
-+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
-@@ -62,6 +62,7 @@ import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
- import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
- import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
-+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
- import com.netscape.certsrv.request.ARequestNotifier;
- import com.netscape.certsrv.request.IPolicy;
- import com.netscape.certsrv.request.IRequest; -@@ -980,7 +981,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - * @param kid key identifier - * @param creds list of recovery agent credentials - * @param password password of the PKCS12 package -- * @param cert certficate that will be put in PKCS12 -+ * @param cert certificate that will be put in PKCS12 - * @param delivery file, mail or something else - * @param nickname string containing the nickname of the id cert for this - * subsystem -@@ -993,13 +994,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - String delivery, String nickname, - String agent) - throws EBaseException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); -- -- // temporary variable till other audit events are converted -- String auditRecoveryID = auditRecoveryID(); -- -- RequestId auditRequestID = auditRequestID(); -+ RequestId auditRecoveryID = auditRecoveryID(); - String auditPublicKey = auditPublicKey(cert); - String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - -@@ -1037,16 +1033,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - audit(new SecurityDataRecoveryEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequestID, -- null, -+ auditRecoveryID, -+ new KeyId(kid), - auditPublicKey)); - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - audit(new SecurityDataRecoveryEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequestID, -- null, -+ auditRecoveryID, -+ new KeyId(kid), - auditPublicKey)); - - throw eAudit1; -@@ -1063,43 +1059,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - auditAgents = auditAgents(creds); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - 
ILogger.SUCCESS, - auditRecoveryID, -- auditAgents); -- -- audit(auditMessage); -+ new KeyId(kid), -+ null, -+ auditAgents)); - - destroyVolatileRequest(r.getRequestId()); - - return pkcs12; - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -- auditAgents); -- -- audit(auditMessage); -+ new KeyId(kid), -+ r.getExtDataInString(IRequest.ERROR), -+ auditAgents)); - - throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); - } - } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- auditAgents); -- -- audit(auditMessage); -- -+ audit(new SecurityDataRecoveryProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRecoveryID, -+ new KeyId(kid), -+ eAudit1.getMessage(), -+ auditAgents)); - throw eAudit1; - } - } -@@ -1646,45 +1635,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - return requesterID; - } - -- /** -- * Signed Audit Log Recovery ID -- * -- * This method is called to obtain the "RecoveryID" for -- * a signed audit log message. -- *

    -- * -- * @return id string containing the signed audit log message RecoveryID -- */ -- private String auditRecoveryID() { -- // if no signed audit object exists, bail -- if (mSignedAuditLogger == null) { -- return null; -- } -- -- String recoveryID = null; -- -- // Initialize recoveryID -- SessionContext auditContext = SessionContext.getExistingContext(); -- -- if (auditContext != null) { -- recoveryID = (String) -- auditContext.get(SessionContext.RECOVERY_ID); -- -- if (recoveryID != null) { -- recoveryID = recoveryID.trim(); -- } else { -- recoveryID = ILogger.UNIDENTIFIED; -- } -- } else { -- recoveryID = ILogger.UNIDENTIFIED; -- } -- -- return recoveryID; -- } - /* -- * temporary function till other audit messages are converted -+ * Returns the requestID for the recovery request for audit logs. - */ -- private RequestId auditRequestID() { -+ private RequestId auditRecoveryID() { - SessionContext auditContext = SessionContext.getExistingContext(); - if (auditContext != null) { - String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index da8dd9b..a44eb2f 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -42,6 +42,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.RequestId; -@@ -326,14 +327,15 @@ public class SecurityDataProcessor { - - Hashtable params = kra.getVolatileRequest( - request.getRequestId()); -- BigInteger 
serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
-- request.setExtData(ATTR_KEY_RECORD, serialno);
-+ KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO));
-+ request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger());
- RequestId requestID = request.getRequestId();
-+ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
- 
- if (params == null) {
- CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params.");
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
-- "cannot get volatile params");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
-+ "cannot get volatile params", approvers);
- throw new EBaseException("Can't obtain volatile params!");
- }
- 
-@@ -355,7 +357,7 @@ public class SecurityDataProcessor {
- return false;
- }
- 
-- KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(serialno);
-+ KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(keyId.toBigInteger());
- 
- String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE);
- if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE;
-@@ -455,8 +457,8 @@ public class SecurityDataProcessor {
- iv != null? new IVParameterSpec(iv): null,
- iv_wrap != null? 
new IVParameterSpec(iv_wrap): null);
- } catch (Exception e) {
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
-- "Cannot generate wrapping params");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
-+ "Cannot generate wrapping params", approvers);
- throw new EBaseException("Cannot generate wrapping params: " + e, e);
- }
- }
-@@ -512,8 +514,8 @@ public class SecurityDataProcessor {
- params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
- 
- } catch (Exception e) {
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
-- "Cannot unwrap passphrase");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
-+ "Cannot unwrap passphrase", approvers);
- throw new EBaseException("Cannot unwrap passphrase: " + e, e);
- 
- } finally {
-@@ -554,8 +556,8 @@ public class SecurityDataProcessor {
- }
- 
- } catch (Exception e) {
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
-- "Cannot wrap symmetric key");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
-+ "Cannot wrap symmetric key", approvers);
- throw new EBaseException("Cannot wrap symmetric key: " + e, e);
- }
- 
-@@ -573,7 +575,7 @@ public class SecurityDataProcessor {
- wrapParams.getPayloadEncryptionIV());
- } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
-- serialno.toString(), "Cannot encrypt passphrase");
-+ keyId, "Cannot encrypt passphrase", approvers);
- throw new EBaseException("Cannot encrypt passphrase: " + e, e);
- }
- 
-@@ -604,8 +606,8 @@ public class SecurityDataProcessor {
- }
- 
- } catch (Exception e) {
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
-- "Cannot wrap private key");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, 
requestID, keyId,
-+ "Cannot wrap private key", approvers);
- throw new EBaseException("Cannot wrap private key: " + e, e);
- }
- }
-@@ -639,8 +641,8 @@ public class SecurityDataProcessor {
- 
- params.put(IRequest.SECURITY_DATA_TYPE, dataType);
- 
-- auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(),
-- "None");
-+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId,
-+ null, approvers);
- request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
- 
- return false; //return true ? TODO
-@@ -856,15 +858,14 @@ public class SecurityDataProcessor {
- }
- 
- private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
-- String keyID, String reason) {
-- String auditMessage = CMS.getLogMessage(
-- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
-+ KeyId keyID, String reason, String recoveryAgents) {
-+ audit(new SecurityDataRecoveryProcessedEvent(
- subjectID,
- status,
-- requestID.toString(),
-+ requestID,
- keyID,
-- reason);
-- audit(auditMessage);
-+ reason,
-+ recoveryAgents));
- }
- 
- private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
-diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
-index 7aca24c..2519a4d 100644
---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
-+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
-@@ -43,11 +43,13 @@ import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.base.SessionContext;
- import com.netscape.certsrv.dbs.keydb.IKeyRepository;
-+import com.netscape.certsrv.dbs.keydb.KeyId;
- import com.netscape.certsrv.kra.EKRAException;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
- import com.netscape.certsrv.logging.AuditEvent;
- import 
com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.request.RequestId; -@@ -183,9 +185,7 @@ public class TokenKeyRecoveryService implements IService { - * @exception EBaseException failed to serve - */ - public synchronized boolean serviceRequest(IRequest request) throws EBaseException { -- String auditMessage = null; - String auditSubjectID = null; -- String auditRecoveryID = ILogger.UNIDENTIFIED; - String iv_s = ""; - - CMS.debug("KRA services token key recovery request"); -@@ -209,12 +209,6 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); - } - -- String id = request.getRequestId().toString(); -- if (id != null) { -- auditRecoveryID = id.trim(); -- } -- -- // temporary variable till other audit messages have been replaced - RequestId auditRequestID = request.getRequestId(); - - SessionContext sContext = SessionContext.getContext(); -@@ -240,7 +234,7 @@ public class TokenKeyRecoveryService implements IService { - String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); - String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); -- // the request reocrd field delayLDAPCommit == "true" will cause -+ // the request record field delayLDAPCommit == "true" will cause - // updateRequest() to delay actual write to ldap - request.setExtData("delayLDAPCommit", "true"); - // wrappedDesKey no longer needed. removing. 
-@@ -272,32 +266,32 @@ public class TokenKeyRecoveryService implements IService { - } else { - CMS.debug("TokenKeyRecoveryService: not receive des key"); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -+ auditRequestID, -+ null, -+ "TokenRecoveryService: Did not receive DES key", -+ agentId)); - -- audit(auditMessage); - return false; - } - - // retrieve based on Certificate - String cert_s = request.getExtDataInString(ATTR_USER_CERT); - String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID); -+ KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID)); - /* have to have at least one */ - if ((cert_s == null) && (keyid_s == null)) { - CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); - request.setExtData(IRequest.RESULT, Integer.valueOf(3)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ audit(new SecurityDataRecoveryProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequestID, -+ keyId, -+ "TokenRecoveryService: Did not receive cert or keyid", -+ agentId)); - return false; - } - -@@ -311,27 +305,25 @@ public class TokenKeyRecoveryService implements IService { - if (x509cert == null) { - CMS.debug("cert mapping failed"); - request.setExtData(IRequest.RESULT, Integer.valueOf(5)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenRecoveryService: cert mapping failed", -+ agentId)); - return false; - } - } catch (IOException e) { - 
CMS.debug("TokenKeyRecoveryService: mapCert failed"); - request.setExtData(IRequest.RESULT, Integer.valueOf(6)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenRecoveryService: mapCert failed: " + e.getMessage(), -+ agentId)); - return false; - } - } else { -@@ -363,27 +355,25 @@ public class TokenKeyRecoveryService implements IService { - else { - CMS.debug("key record not found"); - request.setExtData(IRequest.RESULT, Integer.valueOf(8)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenRecoveryService: key record not found", -+ agentId)); - return false; - } - } catch (Exception e) { - com.netscape.cmscore.util.Debug.printStackTrace(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(9)); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenRecoveryService: error reading key record: " + e.getMessage(), -+ agentId)); - return false; - } - -@@ -410,14 +400,14 @@ public class TokenKeyRecoveryService implements IService { - - if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -+ auditRequestID, -+ keyId, -+ 
CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), -+ agentId)); - -- audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } -@@ -425,14 +415,13 @@ public class TokenKeyRecoveryService implements IService { - for (int i = 0; i < pubData.length; i++) { - if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), -+ agentId)); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } -@@ -455,13 +444,13 @@ public class TokenKeyRecoveryService implements IService { - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- audit(auditMessage); -+ audit(new SecurityDataRecoveryProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequestID, -+ keyId, -+ "TokenKeyRecoveryService: failed getting private key", -+ agentId)); - return false; - } - CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); -@@ -485,14 +474,13 @@ public class TokenKeyRecoveryService implements IService { - if (verifyKeyPair(pubData, privateKeyData) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ audit(new SecurityDataRecoveryProcessedEvent( -+ 
auditSubjectID, -+ ILogger.FAILURE, -+ auditRequestID, -+ keyId, -+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"), -+ agentId)); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } else { -@@ -511,14 +499,13 @@ public class TokenKeyRecoveryService implements IService { - if (privKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ audit(new SecurityDataRecoveryProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequestID, -+ keyId, -+ "TokenKeyRecoveryService: failed getting private key", -+ agentId)); - return false; - } - -@@ -541,14 +528,13 @@ public class TokenKeyRecoveryService implements IService { - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenKeyRecoveryService: failed generating wrapped private key", -+ agentId)); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); -@@ -579,14 +565,13 @@ public class TokenKeyRecoveryService implements IService { - if (PubKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRecoveryID, -- agentId); -- -- 
audit(auditMessage); -+ auditRequestID, -+ keyId, -+ "TokenKeyRecoveryService: failed getting publickey encoded", -+ agentId)); - return false; - } else { - //CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + -@@ -594,15 +579,14 @@ public class TokenKeyRecoveryService implements IService { - CMS.debug("TokenKeyRecoveryService: got publicKeyData"); - } - request.setExtData("public_key", PubKey); -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, -+ -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRecoveryID, -- agentId); -- -- audit(auditMessage); -- -+ auditRequestID, -+ keyId, -+ null, -+ agentId)); - return true; - - } catch (Exception e) { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index d594f1c..b85310c 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2009,15 +2009,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login - # --# --# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED --# - used when key recovery request is processed --# RecoveryID must be the recovery request ID --# RecoveryAgents must be a comma-separated list of --# UIDs of the recovery agents approving this request --# --LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgents={3}] key recovery request processed --# - # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC - # - used when key recovery request is processed - # RequestID must be the recovery request ID -@@ -2477,8 +2468,9 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data recovery request processed -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}][RecoveryAgents={5}] security data recovery request processed - # - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST --- -1.8.3.1 - - -From f52f5be832e37cc45e665708d3b59d2a3aa04370 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 17 May 2017 16:17:30 -0400 -Subject: [PATCH 05/38] Eliminate async recovery audit events - -There are now many ways to recover keys. From an -auditing point of view, its not helpful to distinguish -between sync or async requests. So we just use -SECURITY_DATA ... - -Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089 ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 75 +++++++++------------- - base/server/cmsbundle/src/LogMessages.properties | 17 ----- - 4 files changed, 34 insertions(+), 66 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index c9c8f96..03340e1 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -82,12 +82,8 @@ public class AuditEvent implements IBundleLogEvent { - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; - public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; -- public final static String KEY_RECOVERY_REQUEST_ASYNC = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; - public 
final static String KEY_RECOVERY_AGENT_LOGIN = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; -- public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = -- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; - public final static String KEY_GEN_ASYMMETRIC = - "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; - -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 8f55a37..90ef4bc 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 670279e..3c29bbf 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -820,8 +820,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - throws EBaseException { - - String auditPublicKey = auditPublicKey(cert); -- String auditRecoveryID = "undefined"; -- String auditMessage = null; -+ RequestId auditRecoveryID = null; - String auditSubjectID = auditSubjectID(); - - IRequestQueue queue = null; -@@ -838,28 +837,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - r.setRequestStatus(RequestStatus.PENDING); - r.setRealm(realm); - queue.updateRequest(r); -- auditRecoveryID 
= r.getRequestId().toString(); -+ auditRecoveryID = r.getRequestId(); - - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, -+ audit(new SecurityDataRecoveryEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -- auditPublicKey); -- -- audit(auditMessage); -+ null, -+ auditPublicKey)); - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- auditPublicKey); -- -- audit(auditMessage); -- -+ audit(new SecurityDataRecoveryEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRecoveryID, -+ null, -+ auditPublicKey)); - throw eAudit1; - } - -@@ -1115,10 +1109,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - String reqID, - String password) - throws EBaseException { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); -- String auditRecoveryID = reqID; -+ RequestId auditRecoveryID = new RequestId(reqID); - String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; -+ KeyId keyID = null; - - IRequestQueue queue = null; - IRequest r = null; -@@ -1129,6 +1123,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - r = queue.findRequest(new RequestId(reqID)); - - auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); -+ keyID = new KeyId(r.getExtDataInBigInteger("serialNumber")); - - // set transient parameters - params = createVolatileRequest(r.getRequestId()); -@@ -1147,42 +1142,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - byte pkcs12[] = (byte[]) params.get( - RecoveryService.ATTR_PKCS12); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -+ audit(new 
SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, -- auditAgents); -- -- audit(auditMessage); -+ keyID, -+ null, -+ auditAgents)); - - destroyVolatileRequest(r.getRequestId()); - - return pkcs12; - } else { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -- auditSubjectID, -- ILogger.FAILURE, -- auditRecoveryID, -- auditAgents); -- -- audit(auditMessage); -- -- throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); -- } -- } catch (EBaseException eAudit1) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, -+ audit(new SecurityDataRecoveryProcessedEvent( - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, -- auditAgents); -+ keyID, -+ r.getExtDataInString(IRequest.ERROR), -+ auditAgents)); - -- audit(auditMessage); -+ throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); -+ } -+ } catch (EBaseException eAudit1) { -+ audit(new SecurityDataRecoveryProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRecoveryID, -+ keyID, -+ eAudit1.getMessage(), -+ auditAgents)); - throw eAudit1; - } - } -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index b85310c..5a01e13 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -1991,15 +1991,6 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made - # --# --# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC --# - used when asynchronous key recovery request is made --# RequestID must be the recovery request ID --# PubKey must be the base-64 encoded public key associated with --# the private key to be recovered --# 
--LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][PubKey={3}] asynchronous key recovery request made --# - # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN - # - used when DRM agents login as recovery agents to approve - # key recovery requests -@@ -2009,14 +2000,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login - # --# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC --# - used when key recovery request is processed --# RequestID must be the recovery request ID --# RecoveryAgents must be a comma-separated list of --# UIDs of the recovery agents approving this request --# --LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][RecoveryAgents={3}] asynchronous key recovery request processed --# - # LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC - # - used when asymmetric keys are generated - # (like when CA certificate requests are generated - --- -1.8.3.1 - - -From 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 18 May 2017 01:27:12 -0400 -Subject: [PATCH 06/38] Encapsulate key retrieval audit events - -Key retrieval is when the key/secret is extracted and returned -to the client (once the recovery request is approved). We combine -SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. - -Note: an analysis of the key retrieval rest flow (and the auditing -there will be done in a subsequent patch). 
- -Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 6 -- - .../logging/event/SecurityDataExportEvent.java | 70 ++++++++++++++++++++++ - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/NetkeyKeygenService.java | 18 +++--- - .../org/dogtagpki/server/kra/rest/KeyService.java | 14 ++--- - .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 25 ++++---- - .../src/com/netscape/cms/servlet/key/GetPk12.java | 26 ++++---- - base/server/cmsbundle/src/LogMessages.properties | 26 ++------ - 8 files changed, 117 insertions(+), 72 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 03340e1..45907d0 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -72,10 +72,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String LOG_PATH_CHANGE = - "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - -- public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; -- public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; - public final static String SERVER_SIDE_KEYGEN_REQUEST = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; - public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = -@@ -170,8 +166,6 @@ public class AuditEvent implements IBundleLogEvent { - - public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; -- public final static String SECURITY_DATA_RETRIEVE_KEY = -- 
"LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; - public final static String KEY_STATUS_CHANGE = - "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; - public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java -new file mode 100644 -index 0000000..a2c7939 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java -@@ -0,0 +1,70 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SecurityDataExportEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY"; -+ -+ public SecurityDataExportEvent( -+ String subjectID, -+ String outcome, -+ RequestId recoveryID, -+ KeyId keyID, -+ String failureReason, -+ String pubKey) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ recoveryID, -+ keyID, -+ failureReason, -+ pubKey -+ }); -+ } -+ -+ public SecurityDataExportEvent( -+ String subjectID, -+ String outcome, -+ String recoveryID, -+ KeyId keyID, -+ String failureReason, -+ String pubKey) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ recoveryID, -+ keyID, -+ failureReason, -+ pubKey -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 90ef4bc..298e35a 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED 
-+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - 
log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 5463b92..df42a4f 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataExportEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.security.IStorageKeyUnit; -@@ -356,25 +357,26 @@ public class NetkeyKeygenService implements 
IService {
- if (wrappedPrivKeyString == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
-+ audit(new SecurityDataExportEvent(
- agentId,
- ILogger.FAILURE,
- auditSubjectID,
-- PubKey);
-+ null,
-+ "NetkeyKeygenService: failed generating wrapped private key",
-+ PubKey));
-
- audit(auditMessage);
- return false;
- } else {
- request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
-+
-+ audit(new SecurityDataExportEvent(
- agentId,
- ILogger.SUCCESS,
- auditSubjectID,
-- PubKey);
--
-- audit(auditMessage);
-+ null,
-+ null,
-+ PubKey));
- }
-
- iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
-diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-index 7a21971..87e6f15 100644
---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-@@ -62,6 +62,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
- import com.netscape.certsrv.kra.IKeyService;
- import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
- import com.netscape.certsrv.request.IRequest;
- import com.netscape.certsrv.request.IRequestQueue;
- import com.netscape.certsrv.request.RequestId;
-@@ -601,15 +602,14 @@ public class KeyService extends SubsystemService implements KeyResource {
- }
-
- public void auditRetrieveKey(String status, String reason) {
-- String msg = CMS.getLogMessage(
-- AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
-+ audit(new SecurityDataExportEvent(
- servletRequest.getUserPrincipal().getName(),
- status, 
-- requestId != null ? requestId.toString(): "null",
-- keyId != null ? keyId.toString(): "null",
-- (reason != null) ? auditInfo + ";" + reason : auditInfo
-- );
-- auditor.log(msg);
-+ requestId,
-+ keyId,
-+ (reason != null) ? auditInfo + ";" + reason : auditInfo,
-+ null
-+ ));
- }
-
- public void auditRetrieveKey(String status) {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
-index f0065e1..b28132d 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
-@@ -35,8 +35,9 @@ import com.netscape.certsrv.base.IArgBlock;
- import com.netscape.certsrv.base.SessionContext;
- import com.netscape.certsrv.common.ICMSRequest;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
--import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
-+import com.netscape.certsrv.request.RequestId;
- import com.netscape.cms.servlet.base.CMSServlet;
- import com.netscape.cms.servlet.common.CMSRequest;
- import com.netscape.cms.servlet.common.CMSTemplate;
-@@ -207,14 +208,13 @@ public class GetAsyncPk12 extends CMSServlet {
- resp.getOutputStream().write(pkcs12);
- mRenderResult = false;
-
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
-+ audit(new SecurityDataExportEvent(
- agent,
- ILogger.SUCCESS,
-- reqID,
-- "");
--
-- audit(auditMessage);
-+ new RequestId(reqID),
-+ null,
-+ null,
-+ null));
-
- return;
- } catch (IOException e) {
-@@ -233,14 +233,13 @@ public class GetAsyncPk12 extends CMSServlet {
- }
-
- if ((agent != null) && (reqID != null)) {
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
-+ audit(new SecurityDataExportEvent(
- agent,
- ILogger.FAILURE,
-- reqID,
-- ""); 
--
-- audit(auditMessage);
-+ new RequestId(reqID),
-+ null,
-+ null,
-+ null));
- }
-
- try {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
-index 9bb52cd..c878605 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
-@@ -36,8 +36,9 @@ import com.netscape.certsrv.base.IArgBlock;
- import com.netscape.certsrv.base.SessionContext;
- import com.netscape.certsrv.common.ICMSRequest;
- import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
--import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
-+import com.netscape.certsrv.request.RequestId;
- import com.netscape.cms.servlet.base.CMSServlet;
- import com.netscape.cms.servlet.common.CMSRequest;
- import com.netscape.cms.servlet.common.CMSTemplate;
-@@ -201,15 +202,13 @@ public class GetPk12 extends CMSServlet {
- resp.getOutputStream().write(pkcs12);
- mRenderResult = false;
-
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
-+ audit(new SecurityDataExportEvent(
- agent,
- ILogger.SUCCESS,
-- recoveryID,
-- "");
--
-- audit(auditMessage);
--
-+ new RequestId(recoveryID),
-+ null,
-+ null,
-+ null));
- return;
- } catch (IOException e) {
- header.addStringValue(OUT_ERROR,
-@@ -227,14 +226,13 @@ public class GetPk12 extends CMSServlet {
- }
-
- if ((agent != null) && (recoveryID != null)) {
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
-+ audit(new SecurityDataExportEvent(
- agent,
- ILogger.FAILURE,
-- recoveryID,
-- "");
--
-- audit(auditMessage);
-+ new RequestId(recoveryID),
-+ null,
-+ null,
-+ null));
- }
-
- try {
-diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties 
-index 5a01e13..9cdcae6 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -1943,26 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA - # -- feature disabled -- - #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt - # --# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS --# - used when user private key export request is made and processed with success --# - this is used in case of server-side keygen when keys generated on the server --# need to be transported back to the client --# EntityID must be the id that represents the client --# PubKey must be the base-64 encoded public key associated with --# the private key to be archived --# --LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with success --# --# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE --# - used when user private key export request is made and processed with failure --# - this is used in case of server-side keygen when keys generated on the server --# need to be transported back to the client --# EntityID must be the id that represents the client --# PubKey must be the base-64 encoded public key associated with --# the private key to be archived --# --LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with failure --# - # LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST - # - used when server-side key generation request is made - # This is for tokenkeys -@@ -2476,9 +2456,11 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}] security data retrieval request -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request - # - # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE - # - used when modify key status is executed --- -1.8.3.1 - - -From 8016ed7972d9211e7f0db14e45bc9658a7b292ef Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 22 May 2017 22:34:58 +0200 -Subject: [PATCH 07/38] Enabling all subsystems on startup. - -The operations script has been modified to enable all subsystems -on startup by default. If the selftest fails, the subsystem will -be shutdown again automatically as before. A pki.conf option has -been added to configure this behavior. - -https://pagure.io/dogtagpki/issue/2699 - -Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50 ---- - base/common/share/etc/pki.conf | 6 +++ - base/server/python/pki/server/cli/subsystem.py | 58 +++++++++++++++++++------- - base/server/scripts/operations | 14 +++++-- - 3 files changed, 59 insertions(+), 19 deletions(-) - -diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf -index e9b5522..14bb8dd 100644 ---- a/base/common/share/etc/pki.conf -+++ b/base/common/share/etc/pki.conf -@@ -60,3 +60,9 @@ export SSL_CIPHERS - # Key Wrapping: AES KeyWrap with Padding - KEY_WRAP_PARAMETER_SET=1 - export KEY_WRAP_PARAMETER_SET -+ -+# Auto-enable subsystems -+# This boolean parameter determines whether to automatically enable all -+# subsystems on startup. 
-+PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS="true"
-+export PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index ee5d2d2..8395bd2 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -200,7 +200,7 @@ class SubsystemEnableCLI(pki.cli.CLI):
-
- try:
- opts, args = getopt.gnu_getopt(argv, 'i:v', [
-- 'instance=',
-+ 'instance=', 'all',
- 'verbose', 'help'])
-
- except getopt.GetoptError as e:
-@@ -209,11 +209,15 @@ class SubsystemEnableCLI(pki.cli.CLI):
- sys.exit(1)
-
- instance_name = 'pki-tomcat'
-+ all_subsystems = False
-
- for o, a in opts:
- if o in ('-i', '--instance'):
- instance_name = a
-
-+ elif o == '--all':
-+ all_subsystems = True
-+
- elif o in ('-v', '--verbose'):
- self.set_verbose(True)
-
-@@ -226,13 +230,6 @@ class SubsystemEnableCLI(pki.cli.CLI):
- self.usage()
- sys.exit(1)
-
-- if len(args) != 1:
-- print('ERROR: missing subsystem ID')
-- self.usage()
-- sys.exit(1)
--
-- subsystem_name = args[0]
--
- instance = pki.server.PKIInstance(instance_name)
-
- if not instance.is_valid():
-@@ -241,6 +238,22 @@ class SubsystemEnableCLI(pki.cli.CLI):
-
- instance.load()
-
-+ if all_subsystems:
-+ for subsystem in instance.subsystems:
-+ if not subsystem.is_enabled():
-+ subsystem.enable()
-+
-+ self.print_message('Enabled all subsystems')
-+
-+ return
-+
-+ if len(args) != 1:
-+ print('ERROR: missing subsystem ID')
-+ self.usage()
-+ sys.exit(1)
-+
-+ subsystem_name = args[0]
-+
- subsystem = instance.get_subsystem(subsystem_name)
- if not subsystem:
- print('ERROR: No %s subsystem in instance '
-@@ -276,7 +289,7 @@ class SubsystemDisableCLI(pki.cli.CLI):
-
- try:
- opts, args = getopt.gnu_getopt(argv, 'i:v', [
-- 'instance=',
-+ 'instance=', 'all',
- 'verbose', 'help'])
-
- except getopt.GetoptError as e:
-@@ -285,11 +298,15 @@ class SubsystemDisableCLI(pki.cli.CLI):
- sys.exit(1)
-
- instance_name = 
'pki-tomcat'
-+ all_subsystems = False
-
- for o, a in opts:
- if o in ('-i', '--instance'):
- instance_name = a
-
-+ elif o == '--all':
-+ all_subsystems = True
-+
- elif o in ('-v', '--verbose'):
- self.set_verbose(True)
-
-@@ -302,13 +319,6 @@ class SubsystemDisableCLI(pki.cli.CLI):
- self.usage()
- sys.exit(1)
-
-- if len(args) != 1:
-- print('ERROR: missing subsystem ID')
-- self.usage()
-- sys.exit(1)
--
-- subsystem_name = args[0]
--
- instance = pki.server.PKIInstance(instance_name)
-
- if not instance.is_valid():
-@@ -317,6 +327,22 @@ class SubsystemDisableCLI(pki.cli.CLI):
-
- instance.load()
-
-+ if all_subsystems:
-+ for subsystem in instance.subsystems:
-+ if subsystem.is_enabled():
-+ subsystem.disable()
-+
-+ self.print_message('Disabled all subsystems')
-+
-+ return
-+
-+ if len(args) != 1:
-+ print('ERROR: missing subsystem ID')
-+ self.usage()
-+ sys.exit(1)
-+
-+ subsystem_name = args[0]
-+
- subsystem = instance.get_subsystem(subsystem_name)
- if not subsystem:
- print('ERROR: No %s subsystem in instance '
-diff --git a/base/server/scripts/operations b/base/server/scripts/operations
-index 5b50178..907dd0e 100644
---- a/base/server/scripts/operations
-+++ b/base/server/scripts/operations
-@@ -30,11 +30,14 @@
- # 200-254 reserved
- #
-
--# Read default PKI configuration.
-+# default PKI configuration
- . /usr/share/pki/etc/pki.conf
-
--# Read user-defined PKI configuration.
--. /etc/pki/pki.conf
-+# system-wide PKI configuration
-+if [ -f /etc/pki/pki.conf ]
-+then
-+ . /etc/pki/pki.conf
-+fi
-
- default_error=0
-
-@@ -1294,6 +1297,11 @@ EOF
- /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
- /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
-
-+ if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then
-+ # enable all subsystems
-+ pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all
-+ fi
-+
- # We no longer start tomcat instances here. 
- # instead we rely on the tomcat unit scripts - --- -1.8.3.1 - - -From 3027b565320c96857b7f7fdffed9a5fbec084bab Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 18 May 2017 16:05:07 -0400 -Subject: [PATCH 08/38] Fix auditing in retrieveKey - -The auditing in retrieveKey is all messed up. -* Added new audit event to track accesses to KeyInfo queries. - They may produce a lot of events, especially if events are - generated for every listing of data. By default, this event - may be turned off. -* Added audit events for generation and processing of key - recovery requests. - -Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182 ---- - .../logging/event/SecurityDataInfoEvent.java | 49 ++++++++++++ - base/kra/shared/conf/CS.cfg | 2 +- - .../org/dogtagpki/server/kra/rest/KeyService.java | 88 +++++++++++++++++----- - base/server/cmsbundle/src/LogMessages.properties | 12 ++- - 4 files changed, 132 insertions(+), 19 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java -new file mode 100644 -index 0000000..82c049e ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java -@@ -0,0 +1,49 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2017 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+package com.netscape.certsrv.logging.event;
-+
-+import com.netscape.certsrv.dbs.keydb.KeyId;
-+import com.netscape.certsrv.logging.AuditEvent;
-+
-+public class SecurityDataInfoEvent extends AuditEvent {
-+
-+ private static final long serialVersionUID = 1L;
-+
-+ private static final String LOGGING_PROPERTY =
-+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO";
-+
-+ public SecurityDataInfoEvent(
-+ String subjectID,
-+ String outcome,
-+ KeyId keyID,
-+ String clientKeyID,
-+ String failureReason,
-+ String pubKey) {
-+
-+ super(LOGGING_PROPERTY);
-+
-+ setParameters(new Object[] {
-+ subjectID,
-+ outcome,
-+ keyID,
-+ clientKeyID,
-+ failureReason,
-+ pubKey
-+ });
-+ }
-+}
-\ No newline at end of file
-diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
-index 298e35a..4b6ff74 100644
---- a/base/kra/shared/conf/CS.cfg
-+++ b/base/kra/shared/conf/CS.cfg
-@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging
- log.instance.SignedAudit._002=##
- log.instance.SignedAudit._003=##
- log.instance.SignedAudit._004=## Available Audit events:
--log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
-diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-index 87e6f15..52799e6 100644
---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-@@ -63,6 +63,9 @@ import com.netscape.certsrv.kra.IKeyService;
- import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
-+import com.netscape.certsrv.logging.event.SecurityDataInfoEvent;
-+import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
-+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
- import com.netscape.certsrv.request.IRequest;
- import com.netscape.certsrv.request.IRequestQueue;
- import com.netscape.certsrv.request.RequestId;
-@@ -92,6 +95,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- private RequestId requestId;
- private KeyId keyId;
- private String auditInfo;
-+ private String approvers;
-
- public KeyService() {
- kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
-@@ -112,12 +116,14 @@ public class KeyService extends SubsystemService implements KeyResource {
- @Override
- public Response retrieveKey(KeyRecoveryRequest data) {
- try {
-- return retrieveKeyImpl(data);
-+ Response response = retrieveKeyImpl(data);
-+ auditRetrieveKey(ILogger.SUCCESS);
-+ return response;
- } catch(RuntimeException e) {
-- auditError(e.getMessage());
-+ auditRetrieveKeyError(e.getMessage());
- throw e;
- } catch (Exception e) {
-- auditError(e.getMessage());
-+ auditRetrieveKeyError(e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
- }
-@@ -191,17 +197,20 @@ public class KeyService extends SubsystemService implements KeyResource {
- try {
- queue.updateRequest(request);
- } catch (EBaseException e) {
-+ auditRecoveryRequest(ILogger.FAILURE);
- e.printStackTrace();
- 
throw new PKIException(e.getMessage(), e);
- }
-
- CMS.debug("Returning created recovery request");
-- auditRetrieveKey(ILogger.SUCCESS, "Created recovery request");
-+ auditRecoveryRequest(ILogger.SUCCESS);
-
- KeyData keyData = new KeyData();
- keyData.setRequestID(requestId);
- return createOKResponse(keyData);
- }
-+
-+ auditRecoveryRequest(ILogger.SUCCESS);
- }
-
- data.setRequestId(requestId);
-@@ -226,15 +235,19 @@ public class KeyService extends SubsystemService implements KeyResource {
- throw new BadRequestException("Invalid request type: " + type);
- }
- } catch (Exception e) {
-+ auditRecoveryRequestProcessed(ILogger.FAILURE, e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
-
- if (keyData == null) {
-+ auditRecoveryRequestProcessed(ILogger.FAILURE, "No key record");
- throw new HTTPGoneException("No key record.");
- }
-
-+ approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
-+ auditRecoveryRequestProcessed(ILogger.SUCCESS, null);
-+
- CMS.debug("KeyService: key retrieved");
-- auditRetrieveKey(ILogger.SUCCESS);
- return createOKResponse(keyData);
- }
-
-@@ -408,10 +421,8 @@ public class KeyService extends SubsystemService implements KeyResource {
- try {
- return createOKResponse(listKeyInfos(clientKeyID, status, maxResults, maxTime, start, size, realm));
- } catch (RuntimeException e) {
-- auditError(e.getMessage());
- throw e;
- } catch (Exception e) {
-- auditError(e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
- }
-@@ -449,7 +460,6 @@ public class KeyService extends SubsystemService implements KeyResource {
- try {
- Enumeration e = repo.searchKeys(filter, maxResults, maxTime);
- if (e == null) {
-- auditRetrieveKey(ILogger.SUCCESS);
- return infos;
- }
-
-@@ -458,7 +468,11 @@ public class KeyService extends SubsystemService implements KeyResource {
- while (e.hasMoreElements()) {
- IKeyRecord rec = e.nextElement();
- if (rec == null) continue;
-- results.add(createKeyDataInfo(rec, false));
-+ 
-+ KeyInfo info = createKeyDataInfo(rec, false); -+ results.add(info); -+ -+ auditKeyInfoSuccess(info.getKeyId(), null); - } - - int total = results.size(); -@@ -482,7 +496,6 @@ public class KeyService extends SubsystemService implements KeyResource { - } catch (EBaseException e) { - throw new PKIException(e.getMessage(), e); - } -- auditRetrieveKey(ILogger.SUCCESS); - - return infos; - } -@@ -492,10 +505,10 @@ public class KeyService extends SubsystemService implements KeyResource { - try { - return getActiveKeyInfoImpl(clientKeyID); - } catch (RuntimeException e) { -- auditError(e.getMessage()); -+ auditKeyInfoError(null, clientKeyID, e.getMessage()); - throw e; - } catch (Exception e) { -- auditError(e.getMessage()); -+ auditKeyInfoError(null, clientKeyID, e.getMessage()); - throw new PKIException(e.getMessage(), e); - } - } -@@ -531,7 +544,7 @@ public class KeyService extends SubsystemService implements KeyResource { - throw new PKIException(e.toString(), e); - } - -- auditRetrieveKey(ILogger.SUCCESS); -+ auditKeyInfoSuccess(info.getKeyId(), clientKeyID); - - return createOKResponse(info); - } -@@ -616,11 +629,31 @@ public class KeyService extends SubsystemService implements KeyResource { - auditRetrieveKey(status, null); - } - -- public void auditError(String message) { -+ public void auditRetrieveKeyError(String message) { - CMS.debug(message); - auditRetrieveKey(ILogger.FAILURE, message); - } - -+ public void auditKeyInfo(KeyId keyId, String clientKeyId, String status, String reason) { -+ audit(new SecurityDataInfoEvent( -+ servletRequest.getUserPrincipal().getName(), -+ status, -+ keyId, -+ clientKeyId, -+ (reason != null) ? 
auditInfo + ";" + reason : auditInfo, -+ null -+ )); -+ } -+ -+ public void auditKeyInfoSuccess(KeyId keyid, String clientKeyId) { -+ auditKeyInfo(keyId, clientKeyId, ILogger.SUCCESS, null); -+ } -+ -+ public void auditKeyInfoError(KeyId keyId, String clientKeyId, String message) { -+ CMS.debug(message); -+ auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message); -+ } -+ - public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, - String newKeyStatus, String info) { - String msg = CMS.getLogMessage( -@@ -634,6 +667,27 @@ public class KeyService extends SubsystemService implements KeyResource { - auditor.log(msg); - } - -+ public void auditRecoveryRequest(String status) { -+ audit(new SecurityDataRecoveryEvent( -+ servletRequest.getUserPrincipal().getName(), -+ status, -+ requestId, -+ keyId, -+ null -+ )); -+ } -+ -+ public void auditRecoveryRequestProcessed(String status, String reason) { -+ audit(new SecurityDataRecoveryProcessedEvent( -+ servletRequest.getUserPrincipal().getName(), -+ status, -+ requestId, -+ keyId, -+ (reason != null) ? 
auditInfo + ";" + reason : auditInfo, -+ approvers -+ )); -+ } -+ - /** - * Used to retrieve a key - * @param data -@@ -697,10 +751,10 @@ public class KeyService extends SubsystemService implements KeyResource { - try { - return getKeyInfoImpl(keyId); - } catch (RuntimeException e) { -- auditError(e.getMessage()); -+ auditKeyInfoError(keyId, null, e.getMessage()); - throw e; - } catch (Exception e) { -- auditError(e.getMessage()); -+ auditKeyInfoError(keyId, null, e.getMessage()); - throw new PKIException(e.getMessage(), e); - } - } -@@ -715,7 +769,7 @@ public class KeyService extends SubsystemService implements KeyResource { - rec = repo.readKeyRecord(keyId.toBigInteger()); - authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read"); - KeyInfo info = createKeyDataInfo(rec, true); -- auditRetrieveKey(ILogger.SUCCESS); -+ auditKeyInfoSuccess(keyId, null); - - return createOKResponse(info); - } catch (EAuthzAccessDenied e) { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 9cdcae6..3b998d9 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2451,7 +2451,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change - # --# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY -+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY - # - used when user attempts to retrieve key after the recovery request - # has been approved. 
- # -@@ -2462,6 +2462,16 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request - # -+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO -+# - used when user attempts to get metadata information about a key -+# -+# RecoveryID must be the recovery request ID -+# KeyID is the key being retrieved -+# Info is the failure reason if the export fails. -+# PubKey is the public key for the private key being retrieved -+# -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO][SubjectID={0}][Outcome={1}][KeyID={2}][ClientKeyId={3}[Info={4}][PubKey={5}] security data info request -+# - # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE - # - used when modify key status is executed - # keyID must be an existing key id in the database --- -1.8.3.1 - - -From f40d0aaf446b162994e9c8598a7b00a6d4c906f2 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 23 May 2017 10:01:47 -0400 -Subject: [PATCH 09/38] Encapsulate recovery request approval audit logs - -The audit logs where an agent grants an asynchronous recovery request -and the case where recovery request is appproved from the REST API -are consolidated and encapsulated in a class. 
- -Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701 ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 2 - - .../SecurityDataRecoveryStateChangeEvent.java | 45 +++++++++++++++ - .../server/kra/rest/KeyRequestService.java | 9 ++- - .../cms/servlet/key/GrantAsyncRecovery.java | 65 ++++------------------ - base/server/cmsbundle/src/LogMessages.properties | 2 +- - 5 files changed, 61 insertions(+), 62 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 45907d0..891398d 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -164,8 +164,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String CONFIG_SERIAL_NUMBER = - "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - -- public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = -- "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; - public final static String KEY_STATUS_CHANGE = - "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; - public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java -new file mode 100644 -index 0000000..d0e97f8 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java -@@ -0,0 +1,45 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SecurityDataRecoveryStateChangeEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE"; -+ -+ public SecurityDataRecoveryStateChangeEvent( -+ String subjectID, -+ String outcome, -+ RequestId recoveryID, -+ String operation) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ recoveryID, -+ operation -+ }); -+ } -+} -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index a2d01f1..12040e0 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; - import com.netscape.certsrv.request.RequestId; - import 
com.netscape.certsrv.request.RequestNotFoundException; - import com.netscape.cms.realm.PKIPrincipal; -@@ -336,13 +337,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes - } - - public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { -- String msg = CMS.getLogMessage( -- AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, -+ audit(new SecurityDataRecoveryStateChangeEvent( - getRequestor(), - status, -- requestId.toString(), -- operation); -- auditor.log(msg); -+ requestId, -+ operation)); - } - - public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -index c410525..2a50067 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java -@@ -34,8 +34,9 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IArgBlock; - import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.kra.IKeyService; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.cms.servlet.base.CMSServlet; - import com.netscape.cms.servlet.common.CMSRequest; - import com.netscape.cms.servlet.common.CMSTemplate; -@@ -194,32 +195,7 @@ public class GrantAsyncRecovery extends CMSServlet { - String agentID, - HttpServletRequest req, HttpServletResponse resp, - Locale locale) { -- String auditMessage = null; - String auditSubjectID = auditSubjectID(); -- String auditRequestID = reqID; -- String auditAgentID = agentID; -- -- // "normalize" the "reqID" -- if (auditRequestID != null) { -- 
auditRequestID = auditRequestID.trim(); -- -- if (auditRequestID.equals("")) { -- auditRequestID = ILogger.UNIDENTIFIED; -- } -- } else { -- auditRequestID = ILogger.UNIDENTIFIED; -- } -- -- // "normalize" the "auditAgentID" -- if (auditAgentID != null) { -- auditAgentID = auditAgentID.trim(); -- -- if (auditAgentID.equals("")) { -- auditAgentID = ILogger.UNIDENTIFIED; -- } -- } else { -- auditAgentID = ILogger.UNIDENTIFIED; -- } - - try { - header.addStringValue(OUT_OP, -@@ -233,40 +209,21 @@ public class GrantAsyncRecovery extends CMSServlet { - header.addStringValue("requestID", reqID); - header.addStringValue("agentID", agentID); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, -- auditSubjectID, -- ILogger.SUCCESS, -- auditRequestID, -- auditAgentID); - -- audit(auditMessage); -- -- } catch (EBaseException e) { -- header.addStringValue(OUT_ERROR, e.toString(locale)); -- -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, -+ audit(new SecurityDataRecoveryStateChangeEvent( - auditSubjectID, -- ILogger.FAILURE, -- auditRequestID, -- auditAgentID); -+ ILogger.SUCCESS, -+ new RequestId(reqID), -+ "approve")); - -- audit(auditMessage); - } catch (Exception e) { - header.addStringValue(OUT_ERROR, e.toString()); - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.KEY_RECOVERY_AGENT_LOGIN, -- auditSubjectID, -- ILogger.FAILURE, -- auditRequestID, -- auditAgentID); -- -- audit(auditMessage); -+ audit(new SecurityDataRecoveryStateChangeEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ new RequestId(reqID), -+ "approve")); - } - } - } -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 3b998d9..44eec23 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ 
b/base/server/cmsbundle/src/LogMessages.properties -@@ -2449,7 +2449,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY - # - used when user attempts to retrieve key after the recovery request --- -1.8.3.1 - - -From 6dd0800d8bb24d9d2d3f9e377a90f641612c7c78 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 02:37:18 +0200 -Subject: [PATCH 10/38] Moved TokenServlet into pki-tks package. - -The TokenServlet has been moved into pki-tks package in order to -use the JssSubsystem in pki-cmscore package. - -Some constants in SecureChannelProtocol have been made public so -they can be accessed by the TokenServlet. 
- -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c ---- - .../cms/servlet/tks/SecureChannelProtocol.java | 27 +- - .../com/netscape/cms/servlet/tks/TokenServlet.java | 3223 ------------------- - base/tks/shared/webapps/tks/WEB-INF/web.xml | 8 +- - .../dogtagpki/server/tks/servlet/TokenServlet.java | 3226 ++++++++++++++++++++ - 4 files changed, 3244 insertions(+), 3240 deletions(-) - delete mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java - create mode 100644 base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -index ef0c61b..0542470 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; - import org.mozilla.jss.crypto.SymmetricKeyDeriver; - import org.mozilla.jss.crypto.TokenException; - --import sun.security.pkcs11.wrapper.PKCS11Constants; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.cmsutil.crypto.CryptoUtil; - -+import sun.security.pkcs11.wrapper.PKCS11Constants; -+ - public class SecureChannelProtocol { - - static String sharedSecretKeyName = null; -@@ -47,17 +47,18 @@ public class SecureChannelProtocol { - static final String DEFKEYSET_NAME = "defKeySet"; - static int protocol = 1; - -- static final String encType = "enc"; -- static final String macType = "mac"; -- static final String kekType = "kek"; -- static final String authType = "auth"; -- static final String dekType = "dek"; -- static final String rmacType = "rmac"; -- static final int PROTOCOL_ONE = 1; -- static final int PROTOCOL_TWO = 2; -- static final int PROTOCOL_THREE = 
3; -- static final int HOST_CRYPTOGRAM = 0; -- static final int CARD_CRYPTOGRAM = 1; -+ public static final String encType = "enc"; -+ public static final String macType = "mac"; -+ public static final String kekType = "kek"; -+ public static final String authType = "auth"; -+ public static final String dekType = "dek"; -+ public static final String rmacType = "rmac"; -+ public static final int PROTOCOL_ONE = 1; -+ public static final int PROTOCOL_TWO = 2; -+ public static final int PROTOCOL_THREE = 3; -+ public static final int HOST_CRYPTOGRAM = 0; -+ public static final int CARD_CRYPTOGRAM = 1; -+ - //Size of long type in bytes, since java7 has no define for this - static final int LONG_SIZE = 8; - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java -deleted file mode 100644 -index 1377055..0000000 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java -+++ /dev/null -@@ -1,3223 +0,0 @@ --// --- BEGIN COPYRIGHT BLOCK --- --// This program is free software; you can redistribute it and/or modify --// it under the terms of the GNU General Public License as published by --// the Free Software Foundation; version 2 of the License. --// --// This program is distributed in the hope that it will be useful, --// but WITHOUT ANY WARRANTY; without even the implied warranty of --// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --// GNU General Public License for more details. --// --// You should have received a copy of the GNU General Public License along --// with this program; if not, write to the Free Software Foundation, Inc., --// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --// --// (C) 2007 Red Hat, Inc. --// All rights reserved. 
--// --- END COPYRIGHT BLOCK --- --package com.netscape.cms.servlet.tks; -- --import java.io.ByteArrayOutputStream; --import java.io.IOException; --import java.io.OutputStream; --import java.security.PublicKey; --import java.security.SecureRandom; --import java.util.ArrayList; --import java.util.StringTokenizer; -- --import javax.servlet.ServletConfig; --import javax.servlet.ServletException; --import javax.servlet.http.HttpServletRequest; --import javax.servlet.http.HttpServletResponse; -- --import org.dogtagpki.server.connector.IRemoteRequest; --import org.mozilla.jss.CryptoManager; --import org.mozilla.jss.CryptoManager.NotInitializedException; --import org.mozilla.jss.crypto.CryptoToken; --import org.mozilla.jss.crypto.KeyWrapAlgorithm; --import org.mozilla.jss.crypto.KeyWrapper; --import org.mozilla.jss.crypto.SymmetricKey; --import org.mozilla.jss.crypto.X509Certificate; --import org.mozilla.jss.pkcs11.PK11SymKey; -- --import com.netscape.certsrv.apps.CMS; --import com.netscape.certsrv.authentication.IAuthToken; --import com.netscape.certsrv.authorization.AuthzToken; --import com.netscape.certsrv.base.EBaseException; --import com.netscape.certsrv.base.IConfigStore; --import com.netscape.certsrv.base.IPrettyPrintFormat; --import com.netscape.certsrv.base.SessionContext; --import com.netscape.certsrv.logging.AuditEvent; --import com.netscape.certsrv.logging.ILogger; --import com.netscape.cms.servlet.base.CMSServlet; --import com.netscape.cms.servlet.common.CMSRequest; --import com.netscape.cmsutil.crypto.CryptoUtil; --import com.netscape.symkey.SessionKey; -- --/** -- * A class representings an administration servlet for Token Key -- * Service Authority. This servlet is responsible to serve -- * tks administrative operation such as configuration -- * parameter updates. 
-- * -- * @version $Revision$, $Date$ -- */ --public class TokenServlet extends CMSServlet { -- /** -- * -- */ -- private static final long serialVersionUID = 8687436109695172791L; -- protected static final String PROP_ENABLED = "enabled"; -- protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; -- private final static String INFO = "TokenServlet"; -- public static int ERROR = 1; -- String mKeyNickName = null; -- String mNewKeyNickName = null; -- String mCurrentUID = null; -- IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); -- -- // Derivation Constants for SCP02 -- public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; -- public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; -- public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 }; -- public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 }; -- -- /** -- * Constructs tks servlet. -- */ -- public TokenServlet() { -- super(); -- -- } -- -- public static String trim(String a) { -- StringBuffer newa = new StringBuffer(); -- StringTokenizer tokens = new StringTokenizer(a, "\n"); -- while (tokens.hasMoreTokens()) { -- newa.append(tokens.nextToken()); -- } -- return newa.toString(); -- } -- -- public void init(ServletConfig config) throws ServletException { -- super.init(config); -- } -- -- /** -- * Returns serlvet information. -- * -- * @return name of this servlet -- */ -- public String getServletInfo() { -- return INFO; -- } -- -- /** -- * Process the HTTP request. -- * -- * @param s The URL to decode. 
-- */ -- protected String URLdecode(String s) { -- if (s == null) -- return null; -- ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); -- -- for (int i = 0; i < s.length(); i++) { -- int c = s.charAt(i); -- -- if (c == '+') { -- out.write(' '); -- } else if (c == '%') { -- int c1 = Character.digit(s.charAt(++i), 16); -- int c2 = Character.digit(s.charAt(++i), 16); -- -- out.write((char) (c1 * 16 + c2)); -- } else { -- out.write(c); -- } -- } // end for -- return out.toString(); -- } -- -- private void setDefaultSlotAndKeyName(HttpServletRequest req) { -- try { -- -- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -- if (keySet == null || keySet.equals("")) { -- keySet = "defKeySet"; -- } -- CMS.debug("keySet selected: " + keySet); -- -- String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); -- String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx -- String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; -- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -- if (mappingValue != null) { -- StringTokenizer st = new StringTokenizer(mappingValue, ":"); -- int tokenNumber = 0; -- while (st.hasMoreTokens()) { -- -- String currentToken = st.nextToken(); -- if (tokenNumber == 1) -- mKeyNickName = currentToken; -- tokenNumber++; -- -- } -- } -- if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification -- { -- temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx -- String newKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ temp; -- String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); -- if (newMappingValue != null) { -- StringTokenizer st = new StringTokenizer(newMappingValue, ":"); -- int tokenNumber = 0; -- while (st.hasMoreTokens()) { -- String currentToken = st.nextToken(); -- if (tokenNumber == 1) -- mNewKeyNickName = currentToken; -- tokenNumber++; -- -- } -- } -- } -- -- CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); -- -- SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); -- /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ -- -- } catch (Exception e) { -- e.printStackTrace(); -- CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); -- } -- -- } -- -- // AC: KDF SPEC CHANGE - read new setting value from config file -- // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) -- // CAREFUL: Result returned may be negative due to java's lack of unsigned types. -- // Negative values need to be treated as higher key numbers than positive key numbers. -- private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { -- String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; -- // KDF phase1: default to 00 -- String nistSP800_108KdfOnKeyVersion_value = -- CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); -- short nistSP800_108KdfOnKeyVersion_short = 0; -- // if value does not exist in file -- if (nistSP800_108KdfOnKeyVersion_value == null) { -- // throw -- // (we want admins to pay attention to this configuration item rather than guessing for them) -- throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map -- + "\" missing from configuration file."); -- } -- // convert setting value (in ASCII-hex) to short -- try { -- nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); -- if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { -- throw new Exception("Out of range."); -- } -- } catch (Throwable t) { -- throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map -- + "\" is in incorrect format. " + -- "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map -- + "=xx\" where xx is key version specified in ASCII-HEX format.", t); -- } -- // convert to byte (anything higher than 0x7F is represented as a negative) -- byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; -- return nistSP800_108KdfOnKeyVersion_byte; -- } -- -- // AC: KDF SPEC CHANGE - read new setting value from config file -- // (This value allows configuration of the NIST SP800-108 KDF: -- // If "true" we use the CUID parameter within the NIST SP800-108 KDF. -- // If "false" we use the KDD parameter within the NIST SP800-108 KDF. -- private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { -- String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; -- // KDF phase1: default to "false" -- String setting_str = -- CMS.getConfigStore().getString(setting_map, "false" /*null*/); -- boolean setting_boolean = false; -- // if value does not exist in file -- if (setting_str == null) { -- // throw -- // (we want admins to pay attention to this configuration item rather than guessing for them) -- throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); -- } -- // convert setting value to boolean -- try { -- setting_boolean = Boolean.parseBoolean(setting_str); -- } catch (Throwable t) { -- throw new Exception("Configuration value \"" + setting_map -- + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); -- } -- return setting_boolean; -- } -- -- // AC: KDF SPEC CHANGE - Audit logging helper functions. -- // Converts a byte array to an ASCII-hex string. -- // We implemented this ourselves rather than using this.pp.toHexArray() because -- // the team preferred CUID and KDD strings to be without ":" separators every byte. -- final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); -- -- private String bytesToHex(byte[] bytes) { -- char[] hexChars = new char[bytes.length * 2]; -- for (int i = 0; i < bytes.length; i++) { -- int thisChar = bytes[i] & 0x000000FF; -- hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 -- hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; -- } -- return new String(hexChars); -- } -- -- // AC: KDF SPEC CHANGE - Audit logging helper functions. -- // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa -- // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. -- // Returns "null" if parameter is null. -- // Returns "invalid" if parameter.length < 1 -- private String log_string_from_keyInfo(byte[] xkeyInfo) { -- return (xkeyInfo == null) ? 
"null" : (xkeyInfo.length < 1 ? "invalid" : "0x" -- + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); -- } -- -- // AC: KDF SPEC CHANGE - Audit logging helper functions. -- // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. -- // Parameters: -- // specialDecoded - byte array containing data. May be null. -- // Returns: -- // if specialDecoded is blank, returns "null" -- // if specialDecoded != null, returns -- private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { -- if (specialDecoded == null) { -- return "null"; -- } else { -- return bytesToHex(specialDecoded); -- } -- } -- -- /* Compute Session Key for SCP02 -- * For simplicity compute just one session key,unless it is the DEK key case. -- */ -- -- private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { -- -- CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); -- String auditMessage = null; -- String errorMsg = ""; -- String badParams = ""; -- String transportKeyName = ""; -- boolean missingParam = false; -- String selectedToken = null; -- String keyNickName = null; -- byte[] drm_trans_wrapped_desKey = null; -- -- byte[] xKDD = null; -- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; -- boolean nistSP800_108KdfUseCuidAsKdd = false; -- -- IConfigStore sconfig = CMS.getConfigStore(); -- -- boolean isCryptoValidate = false; -- byte[] keyInfo, xCUID = null, session_key = null; -- -- Exception missingSettingException = null; -- -- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); -- -- String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); -- -- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -- -- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { -- badParams += " KeyInfo,"; -- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); -- missingParam = true; -- } -- -- keyInfo = 
com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -- -- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -- -- if (keySet == null || keySet.equals("")) { -- keySet = "defKeySet"; -- } -- CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); -- -- boolean serversideKeygen = false; -- -- String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); -- String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); -- -- if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { -- badParams += " derivation_constant,"; -- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); -- missingParam = true; -- } -- -- if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { -- badParams += " sequence_counter,"; -- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); -- missingParam = true; -- } -- -- SessionContext sContext = SessionContext.getContext(); -- -- String agentId = ""; -- if (sContext != null) { -- agentId = -- (String) sContext.get(SessionContext.USER_ID); -- } -- -- auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_SESSION_KEY_REQUEST, -- rCUID, -- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
-- ILogger.SUCCESS, -- agentId); -- -- audit(auditMessage); -- -- if (!missingParam) { -- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); -- -- if (xCUID == null || xCUID.length != 10) { -- badParams += " CUID length,"; -- CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); -- missingParam = true; -- } -- -- if ((rKDD == null) || (rKDD.length() == 0)) { -- CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); -- badParams += " KDD,"; -- missingParam = true; -- } -- -- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); -- if (xKDD == null || xKDD.length != 10) { -- badParams += " KDD length,"; -- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); -- missingParam = true; -- } -- -- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -- if (keyInfo == null || keyInfo.length != 2) { -- badParams += " KeyInfo length,"; -- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); -- missingParam = true; -- } -- -- try { -- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); -- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); -- -- // log settings read in to debug log along with xkeyInfo -- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" -- + Integer.toHexString((keyInfo[0]) & 0x0000000FF) -- + ", xkeyInfo[1] = 0x" -- + Integer.toHexString((keyInfo[1]) & 0x0000000FF) -- ); -- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" -- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) -- ); -- if (nistSP800_108KdfUseCuidAsKdd == true) { -- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); -- } else { -- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will 
use KDD."); -- } -- // conform to the set-an-error-flag mentality -- } catch (Exception e) { -- missingSettingException = e; -- CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: " -- + e.toString()); -- } -- -- } -- -- String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx -- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -- if (mappingValue == null) { -- selectedToken = -- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); -- keyNickName = rKeyInfo; -- } else { -- StringTokenizer st = new StringTokenizer(mappingValue, ":"); -- if (st.hasMoreTokens()) -- selectedToken = st.nextToken(); -- if (st.hasMoreTokens()) -- keyNickName = st.nextToken(); -- } -- -- keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx -- try { -- mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -- } catch (EBaseException e1) { -- -- e1.printStackTrace(); -- } -- if (mappingValue == null) { -- try { -- selectedToken = -- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); -- } catch (EBaseException e) { -- -- e.printStackTrace(); -- } -- keyNickName = rKeyInfo; -- } else { -- StringTokenizer st = new StringTokenizer(mappingValue, ":"); -- if (st.hasMoreTokens()) -- selectedToken = st.nextToken(); -- if (st.hasMoreTokens()) -- keyNickName = st.nextToken(); -- } -- -- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName); -- String useSoftToken_s = null; -- try { -- useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); -- } catch (EBaseException e1) { -- // TODO Auto-generated catch block -- e1.printStackTrace(); -- } -- if (!useSoftToken_s.equalsIgnoreCase("true")) -- useSoftToken_s = "false"; -- -- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -- if (rServersideKeygen.equals("true")) { -- 
CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested"); -- serversideKeygen = true; -- } else { -- CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested"); -- } -- -- transportKeyName = null; -- try { -- transportKeyName = getSharedSecretName(sconfig); -- } catch (EBaseException e1) { -- // TODO Auto-generated catch block -- e1.printStackTrace(); -- CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!"); -- -- } -- -- CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); -- -- try { -- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -- } catch (EBaseException eee) { -- } -- -- byte macKeyArray[] = null; -- byte sequenceCounter[] = null; -- byte derivationConstant[] = null; -- -- boolean errorFound = false; -- -- String dek_wrapped_desKeyString = null; -- String keycheck_s = null; -- -- if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) { -- try { -- macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".mac_key")); -- -- sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter); -- derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant); -- -- //Use old style for the moment. 
-- //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey -- //Perform in next ticket to fully implement nistXP800 -- -- session_key = SessionKey.ComputeSessionKeySCP02( -- selectedToken, keyNickName, -- keyInfo, -- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value -- nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant, -- useSoftToken_s, keySet, -- transportKeyName); -- -- if (session_key == null) { -- CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL "); -- throw new EBaseException("Can't compute session key for SCP02!"); -- -- } -- -- //Only do this for the dekSessionKey and if we are in the server side keygen case. -- if (derivationConstant[0] == DEKDerivationConstant[0] -- && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) { -- -- CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token."); -- -- /** -- * 0. generate des key -- * 1. encrypt des key with dek key -- * 2. encrypt des key with DRM transport key -- * These two wrapped items are to be sent back to -- * TPS. 
2nd item is to DRM -- **/ -- -- PK11SymKey desKey = null; -- PK11SymKey dekKey = null; -- -- /*generate it on whichever token the master key is at*/ -- if (useSoftToken_s.equals("true")) { -- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal"); -- -- desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME); -- -- } else { -- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on " -- + selectedToken); -- desKey = SessionKey.GenerateSymkey(selectedToken); -- } -- if (desKey != null) -- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID); -- else { -- CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for " -- + rCUID); -- throw new EBaseException( -- "TokenServlet.computeSessionKeySCP02: can't generate key encryption key"); -- } -- -- CryptoToken token = null; -- if (useSoftToken_s.equals("true")) { -- token = CryptoUtil.getCryptoToken(null); -- } else { -- token = CryptoUtil.getCryptoToken(selectedToken); -- } -- -- //Now we have to create a sym key object for the wrapped session_key (dekKey) -- // session_key wrapped by the shared Secret -- -- PK11SymKey sharedSecret = getSharedSecretKey(); -- -- if (sharedSecret == null) { -- throw new EBaseException( -- "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!"); -- } -- -- dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret, -- session_key); -- -- if (dekKey == null) { -- throw new EBaseException( -- "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!"); -- } -- -- /* -- * ECBencrypt actually takes the 24 byte DES2 key -- * and discard the last 8 bytes before it encrypts. 
-- * This is done so that the applet can digest it -- */ -- byte[] encDesKey = -- SessionKey.ECBencrypt(dekKey, -- desKey); -- -- if (encDesKey == null) { -- throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!"); -- } -- -- dek_wrapped_desKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); -- -- byte[] keycheck = -- SessionKey.ComputeKeyCheck(desKey); -- -- if (keycheck == null) { -- throw new EBaseException( -- "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!"); -- } -- -- keycheck_s = -- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); -- -- //use DRM transport cert to wrap desKey -- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); -- -- if ((drmTransNickname == null) || (drmTransNickname == "")) { -- CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname"); -- throw new EBaseException("can't find DRM transport certificate nickname"); -- } else { -- CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname); -- } -- -- X509Certificate drmTransCert = null; -- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); -- // wrap kek session key with DRM transport public key -- -- PublicKey pubKey = drmTransCert.getPublicKey(); -- String pubKeyAlgo = pubKey.getAlgorithm(); -- -- KeyWrapper keyWrapper = null; -- //For wrapping symmetric keys don't need IV, use ECB -- if (pubKeyAlgo.equals("EC")) { -- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); -- keyWrapper.initWrap(pubKey, null); -- } else { -- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); -- keyWrapper.initWrap(pubKey, null); -- } -- -- drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); -- CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key."); -- -- 
CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out."); -- -- } -- -- } catch (Exception e) { -- CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString()); -- errorFound = true; -- -- } -- -- } -- -- String status = "0"; -- String value = ""; -- String outputString = ""; -- -- boolean statusDeclared = false; -- -- if (session_key != null && session_key.length > 0 && errorFound == false) { -- outputString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); -- } else { -- -- status = "1"; -- statusDeclared = true; -- } -- -- if (selectedToken == null || keyNickName == null) { -- if (!statusDeclared) { -- status = "4"; -- statusDeclared = true; -- } -- } -- -- if (missingSettingException != null) { -- if (!statusDeclared) { -- status = "6"; -- statusDeclared = true; -- } -- } -- -- if (missingParam) { -- status = "3"; -- } -- -- String drm_trans_wrapped_desKeyString = null; -- -- if (!status.equals("0")) { -- if (status.equals("1")) { -- errorMsg = "Problem generating session key info."; -- } -- -- if (status.equals("4")) { -- errorMsg = "Problem obtaining token information."; -- } -- -- if (status.equals("3")) { -- if (badParams.endsWith(",")) { -- badParams = badParams.substring(0, badParams.length() - 1); -- } -- errorMsg = "Missing input parameters :" + badParams; -- } -- -- if (status.equals("6")) { -- errorMsg = "Problem reading required configuration value."; -- } -- -- } else { -- -- if (serversideKeygen == true) { -- -- if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) { -- drm_trans_wrapped_desKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); -- } -- -- StringBuffer sb = new StringBuffer(); -- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); -- sb.append(outputString); -- -- //Now add the trans wrapped des key -- 
-- if (drm_trans_wrapped_desKeyString != null) { -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); -- sb.append(drm_trans_wrapped_desKeyString); -- } -- -- if (dek_wrapped_desKeyString != null) { -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); -- sb.append(dek_wrapped_desKeyString); -- } -- -- if (keycheck_s != null) { -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); -- sb.append(keycheck_s); -- } -- -- value = sb.toString(); -- } else { -- StringBuffer sb = new StringBuffer(); -- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); -- sb.append(outputString); -- value = sb.toString(); -- } -- -- } -- -- //CMS.debug("TokenServlet:outputString.encode " + value); -- -- try { -- resp.setContentLength(value.length()); -- CMS.debug("TokenServlet:outputString.length " + value.length()); -- OutputStream ooss = resp.getOutputStream(); -- ooss.write(value.getBytes()); -- ooss.flush(); -- mRenderResult = false; -- } catch (IOException e) { -- CMS.debug("TokenServlet: " + e.toString()); -- } -- -- if (status.equals("0")) { -- -- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.SUCCESS, // Outcome -- status, // status -- agentId, // AgentID -- isCryptoValidate ? "true" : "false", // IsCryptoValidate -- serversideKeygen ? 
"true" : "false", // IsServerSideKeygen -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion -- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, -- logParams); -- -- } else { -- -- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.FAILURE, // Outcome -- status, // status -- agentId, // AgentID -- isCryptoValidate ? "true" : "false", // IsCryptoValidate -- serversideKeygen ? "true" : "false", // IsServerSideKeygen -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion -- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd -- errorMsg // Error -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, -- logParams); -- } -- -- audit(auditMessage); -- -- } -- -- private void processComputeSessionKey(HttpServletRequest req, -- HttpServletResponse resp) throws EBaseException { -- byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD -- -- // AC: KDF SPEC CHANGE - new config file values (needed for symkey) -- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; -- boolean nistSP800_108KdfUseCuidAsKdd = false; -- -- byte[] card_crypto, host_cryptogram, input_card_crypto; -- byte[] xcard_challenge, xhost_challenge; -- byte[] enc_session_key, xkeyInfo; -- String auditMessage = 
null; -- String errorMsg = ""; -- String badParams = ""; -- String transportKeyName = ""; -- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); -- -- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS -- String rKDD = req.getParameter("KDD"); -- if ((rKDD == null) || (rKDD.length() == 0)) { -- // KDF phase1: default to rCUID if not present -- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); -- rKDD = rCUID; -- } -- -- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -- if (keySet == null || keySet.equals("")) { -- keySet = "defKeySet"; -- } -- CMS.debug("keySet selected: " + keySet); -- -- boolean serversideKeygen = false; -- byte[] drm_trans_wrapped_desKey = null; -- SymmetricKey desKey = null; -- // PK11SymKey kek_session_key; -- SymmetricKey kek_key; -- -- IConfigStore sconfig = CMS.getConfigStore(); -- boolean isCryptoValidate = true; -- boolean missingParam = false; -- -- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting -- Exception missingSetting_exception = null; -- -- session_key = null; -- card_crypto = null; -- host_cryptogram = null; -- enc_session_key = null; -- // kek_session_key = null; -- -- SessionContext sContext = SessionContext.getContext(); -- -- String agentId = ""; -- if (sContext != null) { -- agentId = -- (String) sContext.get(SessionContext.USER_ID); -- } -- -- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID -- auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_SESSION_KEY_REQUEST, -- rCUID, -- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
-- ILogger.SUCCESS, -- agentId); -- -- audit(auditMessage); -- -- String kek_wrapped_desKeyString = null; -- String keycheck_s = null; -- -- CMS.debug("processComputeSessionKey:"); -- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); -- if (!useSoftToken_s.equalsIgnoreCase("true")) -- useSoftToken_s = "false"; -- -- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -- if (rServersideKeygen.equals("true")) { -- CMS.debug("TokenServlet: serversideKeygen requested"); -- serversideKeygen = true; -- } else { -- CMS.debug("TokenServlet: serversideKeygen not requested"); -- } -- -- try { -- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -- } catch (EBaseException eee) { -- } -- -- transportKeyName = getSharedSecretName(sconfig); -- -- String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); -- String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); -- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -- String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); -- if ((rCUID == null) || (rCUID.equals(""))) { -- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID"); -- badParams += " CUID,"; -- missingParam = true; -- } -- -- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS -- if ((rKDD == null) || (rKDD.length() == 0)) { -- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD"); -- badParams += " KDD,"; -- missingParam = true; -- } -- -- if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { -- badParams += " card_challenge,"; -- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); -- missingParam = true; -- } -- -- if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { -- badParams += " host_challenge,"; -- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: 
host challenge"); -- missingParam = true; -- } -- -- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { -- badParams += " KeyInfo,"; -- CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info"); -- missingParam = true; -- } -- -- String selectedToken = null; -- String keyNickName = null; -- boolean sameCardCrypto = true; -- -- // AC: KDF SPEC CHANGE -- xCUID = null; // avoid errors about non-initialization -- xKDD = null; // avoid errors about non-initialization -- xkeyInfo = null; // avoid errors about non-initialization -- -- if (!missingParam) { -- -- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); -- if (xCUID == null || xCUID.length != 10) { -- badParams += " CUID length,"; -- CMS.debug("TokenServlet: Invalid CUID length"); -- missingParam = true; -- } -- -- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS -- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); -- if (xKDD == null || xKDD.length != 10) { -- badParams += " KDD length,"; -- CMS.debug("TokenServlet: Invalid KDD length"); -- missingParam = true; -- } -- -- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -- if (xkeyInfo == null || xkeyInfo.length != 2) { -- badParams += " KeyInfo length,"; -- CMS.debug("TokenServlet: Invalid key info length."); -- missingParam = true; -- } -- xcard_challenge = -- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); -- if (xcard_challenge == null || xcard_challenge.length != 8) { -- badParams += " card_challenge length,"; -- CMS.debug("TokenServlet: Invalid card challenge length."); -- missingParam = true; -- } -- -- xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); -- if (xhost_challenge == null || xhost_challenge.length != 8) { -- badParams += " host_challenge length,"; -- CMS.debug("TokenServlet: Invalid host challenge length"); -- missingParam = true; -- } -- -- } -- -- if (!missingParam) { -- card_challenge = -- 
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); -- -- host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); -- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -- -- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) -- //ToDo: Will use these values after completing next ticket -- try { -- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); -- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); -- -- // log settings read in to debug log along with xkeyInfo -- CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x" -- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) -- + ", xkeyInfo[1] = 0x" -- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) -- ); -- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x" -- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) -- ); -- if (nistSP800_108KdfUseCuidAsKdd == true) { -- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); -- } else { -- CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD."); -- } -- // conform to the set-an-error-flag mentality -- } catch (Exception e) { -- missingSetting_exception = e; -- CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: " -- + e.toString()); -- } -- -- String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo; //#xx#xx -- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -- if (mappingValue == null) { -- selectedToken = -- CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); -- keyNickName = rKeyInfo; -- } else { -- StringTokenizer st = new StringTokenizer(mappingValue, ":"); -- if (st.hasMoreTokens()) -- selectedToken = st.nextToken(); -- if (st.hasMoreTokens()) -- keyNickName = st.nextToken(); -- } -- -- if (selectedToken != null && keyNickName != null -- // AC: KDF SPEC CHANGE - check for error flag -- && missingSetting_exception == null) { -- -- try { -- -- byte macKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".mac_key")); -- CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" -- + selectedToken + " keyNickName=" + keyNickName); -- -- SecureChannelProtocol protocol = new SecureChannelProtocol(); -- SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType, -- selectedToken, -- keyNickName, card_challenge, -- host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, -- xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName); -- -- session_key = protocol.wrapSessionKey(selectedToken, macKey, null); -- -- if (session_key == null) { -- CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); -- throw new Exception("Can't compute session key!"); -- -- } -- -- byte encKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
-- + keySet + ".auth_key")); -- SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType, -- selectedToken, -- keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, -- nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet, -- transportKeyName); -- -- enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null); -- -- if (enc_session_key == null) { -- CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); -- throw new Exception("Can't compute enc session key!"); -- -- } -- -- if (serversideKeygen == true) { -- -- /** -- * 0. generate des key -- * 1. encrypt des key with kek key -- * 2. encrypt des key with DRM transport key -- * These two wrapped items are to be sent back to -- * TPS. 2nd item is to DRM -- **/ -- CMS.debug("TokenServlet: calling ComputeKekKey"); -- -- byte kekKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".kek_key")); -- -- kek_key = protocol.computeKEKKey_SCP01(selectedToken, -- keyNickName, -- keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, -- xCUID, -- xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName); -- -- CMS.debug("TokenServlet: called ComputeKekKey"); -- -- if (kek_key == null) { -- CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL "); -- throw new Exception("Can't compute kek key!"); -- -- } -- // now use kek key to wrap kek session key.. -- CMS.debug("computeSessionKey:kek key len =" + -- kek_key.getLength()); -- -- // (1) generate DES key -- /* applet does not support DES3 -- org.mozilla.jss.crypto.KeyGenerator kg = -- internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); -- desKey = kg.generate();*/ -- -- /* -- * GenerateSymkey firt generates a 16 byte DES2 key. -- * It then pads it into a 24 byte key with last -- * 8 bytes copied from the 1st 8 bytes. Effectively -- * making it a 24 byte DES2 key. 
We need this for -- * wrapping private keys on DRM. -- */ -- /*generate it on whichever token the master key is at*/ -- if (useSoftToken_s.equals("true")) { -- CMS.debug("TokenServlet: key encryption key generated on internal"); -- //cfu audit here? sym key gen -- -- desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME); -- //cfu audit here? sym key gen done -- } else { -- CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); -- desKey = protocol.generateSymKey(selectedToken); -- } -- if (desKey != null) { -- // AC: KDF SPEC CHANGE - Output using CUID and KDD -- CMS.debug("TokenServlet: key encryption key generated for CUID=" + -- trim(pp.toHexString(xCUID)) + -- ", KDD=" + -- trim(pp.toHexString(xKDD))); -- } else { -- // AC: KDF SPEC CHANGE - Output using CUID and KDD -- CMS.debug("TokenServlet: key encryption key generation failed for CUID=" + -- trim(pp.toHexString(xCUID)) + -- ", KDD=" + -- trim(pp.toHexString(xKDD))); -- -- throw new Exception("can't generate key encryption key"); -- } -- -- /* -- * ECBencrypt actually takes the 24 byte DES2 key -- * and discard the last 8 bytes before it encrypts. 
-- * This is done so that the applet can digest it -- */ -- -- byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken); -- -- /* -- CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); -- CMS.debug(encDesKey); -- */ -- -- kek_wrapped_desKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); -- -- // get keycheck -- -- byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken); -- /* -- CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); -- CMS.debug(keycheck); -- */ -- keycheck_s = -- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); -- -- //use DRM transport cert to wrap desKey -- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); -- -- if ((drmTransNickname == null) || (drmTransNickname == "")) { -- CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); -- throw new Exception("can't find DRM transport certificate nickname"); -- } else { -- CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname); -- } -- -- X509Certificate drmTransCert = null; -- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); -- // wrap kek session key with DRM transport public key -- CryptoToken token = null; -- if (useSoftToken_s.equals("true")) { -- token = CryptoUtil.getCryptoToken(null); -- } else { -- token = CryptoUtil.getCryptoToken(selectedToken); -- } -- PublicKey pubKey = drmTransCert.getPublicKey(); -- String pubKeyAlgo = pubKey.getAlgorithm(); -- CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); -- KeyWrapper keyWrapper = null; -- //For wrapping symmetric keys don't need IV, use ECB -- if (pubKeyAlgo.equals("EC")) { -- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); -- keyWrapper.initWrap(pubKey, null); -- } else { -- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); -- keyWrapper.initWrap(pubKey, null); -- } -- CMS.debug("desKey token " + 
desKey.getOwningToken().getName() + " token: " + token.getName()); -- drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); -- CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); -- -- } // if (serversideKeygen == true) -- -- byte authKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".auth_key")); -- -- host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, -- host_challenge, -- xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM, -- authKeyArray, useSoftToken_s, keySet, transportKeyName); -- -- if (host_cryptogram == null) { -- CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); -- throw new Exception("Can't compute host cryptogram!"); -- -- } -- -- card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, -- host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, -- xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName); -- -- if (card_crypto == null) { -- CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); -- throw new Exception("Can't compute card cryptogram!"); -- -- } -- -- if (isCryptoValidate) { -- if (rcard_cryptogram == null) { -- CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram"); -- throw new Exception("Missing card cryptogram"); -- } -- input_card_crypto = -- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); -- -- //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto"); -- //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto"); -- -- if (card_crypto.length == input_card_crypto.length) { -- for (int i = 0; i < card_crypto.length; i++) { -- if (card_crypto[i] != input_card_crypto[i]) { -- sameCardCrypto = false; -- break; -- } -- } -- } else { -- // different length; must 
be different -- sameCardCrypto = false; -- } -- } -- -- // AC: KDF SPEC CHANGE - print both KDD and CUID -- CMS.getLogger().log(ILogger.EV_AUDIT, -- ILogger.S_TKS, -- ILogger.LL_INFO, "processComputeSessionKey for CUID=" + -- trim(pp.toHexString(xCUID)) + -- ", KDD=" + -- trim(pp.toHexString(xKDD))); -- } catch (Exception e) { -- CMS.debug(e); -- CMS.debug("TokenServlet Computing Session Key: " + e.toString()); -- if (isCryptoValidate) -- sameCardCrypto = false; -- } -- } -- } // ! missingParam -- -- String value = ""; -- -- resp.setContentType("text/html"); -- -- String outputString = ""; -- String encSessionKeyString = ""; -- String drm_trans_wrapped_desKeyString = ""; -- String cryptogram = ""; -- String status = "0"; -- if (session_key != null && session_key.length > 0) { -- outputString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); -- } else { -- -- status = "1"; -- } -- -- if (enc_session_key != null && enc_session_key.length > 0) { -- encSessionKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); -- } else { -- status = "1"; -- } -- -- if (serversideKeygen == true) { -- if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) -- drm_trans_wrapped_desKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); -- else { -- status = "1"; -- } -- } -- -- if (host_cryptogram != null && host_cryptogram.length > 0) { -- cryptogram = -- com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); -- } else { -- // AC: Bugfix: Don't override status's value if an error was already flagged -- if (status.equals("0") == true) { -- status = "2"; -- } -- } -- -- if (selectedToken == null || keyNickName == null) { -- // AC: Bugfix: Don't override status's value if an error was already flagged -- if (status.equals("0") == true) { -- status = "4"; -- } -- } -- -- if (!sameCardCrypto) { -- // AC: Bugfix: Don't override status's value if an error was already flagged -- if 
(status.equals("0") == true) { -- // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues -- status = "5"; -- } -- } -- -- // AC: KDF SPEC CHANGE - check for settings file issue (flag) -- if (missingSetting_exception != null) { -- // AC: Intentionally override previous errors if config file settings were missing. -- status = "6"; -- } -- -- if (missingParam) { -- // AC: Intentionally override previous errors if parameters were missing. -- status = "3"; -- } -- -- if (!status.equals("0")) { -- -- if (status.equals("1")) { -- errorMsg = "Problem generating session key info."; -- } -- -- if (status.equals("2")) { -- errorMsg = "Problem creating host_cryptogram."; -- } -- -- // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues -- if (status.equals("5")) { -- errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; -- } -- -- if (status.equals("4")) { -- errorMsg = "Problem obtaining token information."; -- } -- -- // AC: KDF SPEC CHANGE - handle missing configuration item -- if (status.equals("6")) { -- errorMsg = "Problem reading required configuration value."; -- } -- -- if (status.equals("3")) { -- if (badParams.endsWith(",")) { -- badParams = badParams.substring(0, badParams.length() - 1); -- } -- errorMsg = "Missing input parameters :" + badParams; -- } -- -- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; -- } else { -- if (serversideKeygen == true) { -- StringBuffer sb = new StringBuffer(); -- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); -- sb.append(outputString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); -- sb.append(cryptogram); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); -- sb.append(encSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); -- sb.append(kek_wrapped_desKeyString); -- sb.append("&" + 
IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
-- sb.append(keycheck_s);
-- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
-- sb.append(drm_trans_wrapped_desKeyString);
-- value = sb.toString();
-- } else {
--
-- StringBuffer sb = new StringBuffer();
-- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
-- sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
-- sb.append(outputString);
-- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
-- sb.append(cryptogram);
-- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
-- sb.append(encSessionKeyString);
-- value = sb.toString();
-- }
--
-- }
-- //CMS.debug("TokenServlet:outputString.encode " + value);
--
-- try {
-- resp.setContentLength(value.length());
-- CMS.debug("TokenServlet:outputString.length " + value.length());
-- OutputStream ooss = resp.getOutputStream();
-- ooss.write(value.getBytes());
-- ooss.flush();
-- mRenderResult = false;
-- } catch (IOException e) {
-- CMS.debug("TokenServlet: " + e.toString());
-- }
--
-- if (status.equals("0")) {
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-- ILogger.SUCCESS, // Outcome
-- status, // status
-- agentId, // AgentID
-- isCryptoValidate ? "true" : "false", // IsCryptoValidate
-- serversideKeygen ?
"true" : "false", // IsServerSideKeygen
-- selectedToken, // SelectedToken
-- keyNickName, // KeyNickName
-- keySet, // TKSKeyset
-- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-- };
-- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-- logParams);
--
-- } else {
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD
-- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-- ILogger.FAILURE, // Outcome
-- status, // status
-- agentId, // AgentID
-- isCryptoValidate ? "true" : "false", // IsCryptoValidate
-- serversideKeygen ? "true" : "false", // IsServerSideKeygen
-- selectedToken, // SelectedToken
-- keyNickName, // KeyNickName
-- keySet, // TKSKeyset
-- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
-- errorMsg // Error
-- };
-- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-- logParams);
--
-- }
--
-- audit(auditMessage);
-- }
--
-- // This method will return the shared secret name. In new 10.1 subsystems, this
-- // name will be stored in tps.X.nickname.
-- //
-- // Until multiple TKS/TPS connections is fully supported, this method will just
-- // return the first shared secret nickname found, on the assumption that only
-- // one nickname will be configured.
This will have to be changed to return the correct
-- // key based on some parameter in the request in future.
-- //
-- // On legacy systems, this method just returns what was previously returned.
-- private String getSharedSecretName(IConfigStore cs) throws EBaseException {
-- boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
--
-- if (useNewNames) {
-- String tpsList = cs.getString("tps.list", "");
-- String firstSharedSecretName = null;
-- if (!tpsList.isEmpty()) {
-- for (String tpsID : tpsList.split(",")) {
-- String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
--
-- // This one will be a fall back in case we can't get a specific one
-- if (firstSharedSecretName == null) {
-- firstSharedSecretName = sharedSecretName;
-- }
--
-- if (!sharedSecretName.isEmpty()) {
-- if (mCurrentUID != null) {
-- String csUid = cs.getString("tps." + tpsID + ".userid", "");
--
-- if (mCurrentUID.equalsIgnoreCase(csUid)) {
-- CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
-- return sharedSecretName;
-- }
-- }
-- }
-- }
--
-- if (firstSharedSecretName != null) {
-- //Return the first in the list if we couldn't isolate one
-- return firstSharedSecretName;
-- }
-- }
-- CMS.debug("getSharedSecretName: no shared secret has been configured");
-- throw new EBaseException("No shared secret has been configured");
-- }
--
-- // legacy system - return as before
-- return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
-- }
--
-- //Accepts protocol param and supports scp03.
-- private void processDiversifyKey(HttpServletRequest req,
-- HttpServletResponse resp) throws EBaseException {
--
-- String method = "TokenServlet.processDiversifyKey: ";
-- byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
--
-- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
-- String oldKeyNickName = null;
-- String newKeyNickName = null;
--
-- // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
-- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
-- boolean nistSP800_108KdfUseCuidAsKdd = false;
--
-- // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey.
-- byte[] xkeyInfo = null, xnewkeyInfo = null;
--
-- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
-- Exception missingSetting_exception = null;
--
-- boolean missingParam = false;
-- String errorMsg = "";
-- String badParams = "";
-- byte[] xWrappedDekKey = null;
--
-- IConfigStore sconfig = CMS.getConfigStore();
-- String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
-- String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
-- String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
--
-- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- String rKDD = req.getParameter("KDD");
-- if ((rKDD == null) || (rKDD.length() == 0)) {
-- // temporarily make it friendly before TPS change
-- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
-- rKDD = rCUID;
-- }
--
-- String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
-- String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY);
--
-- CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey);
--
-- int protocol = 1;
-- String auditMessage = "";
--
-- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
-- if (keySet == null || keySet.equals("")) {
-- keySet = "defKeySet";
-- }
-- CMS.debug("keySet selected: " + keySet);
--
-- SessionContext sContext = SessionContext.getContext();
--
-- String agentId = "";
-- if (sContext != null) {
-- agentId =
-- (String)
sContext.get(SessionContext.USER_ID);
-- }
--
-- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
-- auditMessage = CMS.getLogMessage(
-- AuditEvent.DIVERSIFY_KEY_REQUEST,
-- rCUID,
-- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-- ILogger.SUCCESS,
-- agentId,
-- oldMasterKeyName,
-- newMasterKeyName);
--
-- audit(auditMessage);
--
-- if ((rCUID == null) || (rCUID.equals(""))) {
-- badParams += " CUID,";
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- if ((rKDD == null) || (rKDD.length() == 0)) {
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
-- badParams += " KDD,";
-- missingParam = true;
-- }
--
-- if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
-- badParams += " newKeyInfo,";
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
-- missingParam = true;
-- }
-- if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) {
-- badParams += " KeyInfo,";
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE
-- xCUID = null; // avoid errors about non-initialization
-- xKDD = null; // avoid errors about non-initialization
-- xkeyInfo = null; // avoid errors about non-initialization
-- xnewkeyInfo = null; // avoid errors about non-initialization
--
-- if (!missingParam) {
-- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
-- if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
-- badParams += " KeyInfo length,";
-- CMS.debug("TokenServlet: Invalid key info length");
-- missingParam = true;
-- }
-- xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
-- if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) {
-- badParams += " NewKeyInfo
length,";
-- CMS.debug("TokenServlet: Invalid new key info length");
-- missingParam = true;
-- }
--
-- if (rProtocol != null) {
-- try {
-- protocol = Integer.parseInt(rProtocol);
-- } catch (NumberFormatException e) {
-- protocol = 1;
-- }
-- }
-- CMS.debug("process DiversifyKey: protocol value: " + protocol);
--
-- if (protocol == 2) {
-- if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) {
-- badParams += " WrappedDekKey,";
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02.");
-- missingParam = true;
-- } else {
--
-- CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey);
-- xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey);
-- }
--
-- }
-- }
-- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
-- if (!useSoftToken_s.equalsIgnoreCase("true"))
-- useSoftToken_s = "false";
--
-- KeySetData = null;
-- if (!missingParam) {
-- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-- if (xCUID == null || xCUID.length != 10) {
-- badParams += " CUID length,";
-- CMS.debug("TokenServlet: Invalid CUID length");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-- if (xKDD == null || xKDD.length != 10) {
-- badParams += " KDD length,";
-- CMS.debug("TokenServlet: Invalid KDD length");
-- missingParam = true;
-- }
-- }
-- if (!missingParam) {
-- // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing.
--
-- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
--
-- //ToDo: Refactor this, this same block occurs several times in the file
-- try {
-- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
-- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
--
-- // log settings read in to debug log along with xkeyInfo and xnewkeyInfo
-- CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x"
-- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
-- + ", xkeyInfo[1] (old) = 0x"
-- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
-- + ", xnewkeyInfo[0] = 0x"
-- + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF)
-- + ", xnewkeyInfo[1] = 0x"
-- + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF)
-- );
-- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x"
-- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
-- );
-- if (nistSP800_108KdfUseCuidAsKdd == true) {
-- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
-- } else {
-- CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD.");
-- }
-- // conform to the set-an-error-flag mentality
-- } catch (Exception e) {
-- missingSetting_exception = e;
-- CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: "
-- + e.toString());
-- }
--
-- if (mKeyNickName != null)
-- oldMasterKeyName = mKeyNickName;
-- if (mNewKeyNickName != null)
-- newMasterKeyName = mNewKeyNickName;
--
-- String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
--
-- // Get the first 6 characters, since scp03 gives us extra characters.
-- tokKeyInfo = tokKeyInfo.substring(0,6);
-- String oldKeyInfoMap = "tks." + keySet + ".mk_mappings."
+ tokKeyInfo; //#xx#xx
-- CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap);
-- String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null);
-- String oldSelectedToken = null;
-- if (oldMappingValue == null) {
-- oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-- oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-- } else {
-- StringTokenizer st = new StringTokenizer(oldMappingValue, ":");
-- oldSelectedToken = st.nextToken();
-- oldKeyNickName = st.nextToken();
-- }
--
--
-- String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx
-- CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap);
-- String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
-- String newSelectedToken = null;
-- if (newMappingValue == null) {
-- newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-- newKeyNickName = rnewKeyInfo;
-- } else {
-- StringTokenizer st = new StringTokenizer(newMappingValue, ":");
-- newSelectedToken = st.nextToken();
-- newKeyNickName = st.nextToken();
-- }
--
-- CMS.debug("process DiversifyKey for oldSelectedToke=" +
-- oldSelectedToken + " newSelectedToken=" + newSelectedToken +
-- " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" +
-- newKeyNickName);
--
-- byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet);
-- byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet);
-- byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet);
--
-- // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+ keySet + ".kek_key"));
--
-- //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset
-- // passed down to the SecureChannelProtocol functions that deal with SCP03
--
-- GPParams gp3Params = readGPSettings(keySet);
--
-- SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol);
-- // AC: KDF SPEC CHANGE - check for error reading settings
-- if (missingSetting_exception == null) {
-- if (protocol == 1 || protocol == 3) {
-- KeySetData = secProtocol.diversifyKey(oldSelectedToken,
-- newSelectedToken, oldKeyNickName,
-- newKeyNickName,
-- xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use
-- xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[]
-- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
-- nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
-- xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
-- xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
-- kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params);
--
-- } else if (protocol == 2) {
-- KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName,
-- newKeyNickName, xkeyInfo,
-- xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD,
-- (protocol == 2) ?
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol);
-- }
-- //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: ");
-- CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained");
--
-- if (KeySetData == null || KeySetData.length <= 1) {
-- CMS.getLogger().log(ILogger.EV_AUDIT,
-- ILogger.S_TKS,
-- ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot");
-- }
--
-- CMS.getLogger().log(ILogger.EV_AUDIT,
-- ILogger.S_TKS,
-- ILogger.LL_INFO,
-- "process DiversifyKey for CUID=" +
-- trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD
-- ", KDD=" +
-- trim(pp.toHexString(xKDD))
-- + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName
-- + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName);
--
-- resp.setContentType("text/html");
--
-- } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
--
-- } // ! missingParam
--
-- String value = "";
-- String status = "0";
--
-- if (KeySetData != null && KeySetData.length > 1) {
-- value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" +
-- com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
-- //CMS.debug("TokenServlet:process DiversifyKey.encode " + value);
-- CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData");
-- // AC: KDF SPEC CHANGE - check for settings file issue (flag)
-- } else if (missingSetting_exception != null) {
-- status = "6";
-- errorMsg = "Problem reading required configuration value.";
-- value = "status=" + status;
-- } else if (missingParam) {
-- status = "3";
-- if (badParams.endsWith(",")) {
-- badParams = badParams.substring(0, badParams.length() - 1);
-- }
-- errorMsg = "Missing input parameters: " + badParams;
-- value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-- } else {
-- errorMsg = "Problem diversifying key data.";
-- status = "1";
-- value = IRemoteRequest.RESPONSE_STATUS + "=" +
status;
-- }
--
-- resp.setContentLength(value.length());
-- CMS.debug("TokenServlet:outputString.length " + value.length());
--
-- try {
-- OutputStream ooss = resp.getOutputStream();
-- ooss.write(value.getBytes());
-- ooss.flush();
-- mRenderResult = false;
-- } catch (Exception e) {
-- CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
-- }
--
-- if (status.equals("0")) {
--
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD
-- // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-- ILogger.SUCCESS, // Outcome
-- status, // status
-- agentId, // AgentID
--
-- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
-- oldKeyNickName, // oldMasterKeyName
-- newKeyNickName, // newMasterKeyName
--
-- keySet, // TKSKeyset
-- log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
-- log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
-- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-- };
-- auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
-- } else {
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD
-- // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-- ILogger.FAILURE, // Outcome
-- status, // status
-- agentId, // AgentID
--
-- // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
-- oldKeyNickName, // oldMasterKeyName
-- newKeyNickName, // newMasterKeyName
--
-- keySet, // TKSKeyset
-- log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
-- log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
-- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
-- errorMsg // Error
-- };
-- auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
-- }
--
-- audit(auditMessage);
-- }
--
-- private void processEncryptData(HttpServletRequest req,
-- HttpServletResponse resp) throws EBaseException {
-- byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
--
-- // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
-- byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
-- boolean nistSP800_108KdfUseCuidAsKdd = false;
--
-- // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
-- Exception missingSetting_exception = null;
--
-- boolean missingParam = false;
-- byte[] data = null;
-- boolean isRandom = true; // randomly generate the data to be encrypted
--
-- String errorMsg = "";
-- String badParams = "";
-- IConfigStore sconfig = CMS.getConfigStore();
-- encryptedData = null;
-- String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA);
-- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
--
-- String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
--
// AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- String rKDD = req.getParameter("KDD");
-- if ((rKDD == null) || (rKDD.length() == 0)) {
-- // temporarily make it friendly before TPS change
-- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
-- rKDD = rCUID;
-- }
--
-- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
-- if (keySet == null || keySet.equals("")) {
-- keySet = "defKeySet";
-- }
--
-- SessionContext sContext = SessionContext.getContext();
--
-- String agentId = "";
-- if (sContext != null) {
-- agentId =
-- (String) sContext.get(SessionContext.USER_ID);
-- }
--
-- CMS.debug("keySet selected: " + keySet);
--
-- String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
-- if (s_isRandom.equalsIgnoreCase("false")) {
-- CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated");
-- isRandom = false;
-- } else {
-- CMS.debug("TokenServlet: processEncryptData(): Random number generation required");
-- isRandom = true;
-- }
--
-- // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
-- String auditMessage = CMS.getLogMessage(
-- AuditEvent.ENCRYPT_DATA_REQUEST,
-- rCUID,
-- rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-- ILogger.SUCCESS,
-- agentId,
-- s_isRandom);
-- audit(auditMessage);
--
-- GPParams gp3Params = readGPSettings(keySet);
--
-- if (isRandom) {
-- if ((rdata == null) || (rdata.equals(""))) {
-- CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data");
-- } else {
-- CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required.
Generating...");
-- }
-- try {
-- SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
-- data = new byte[16];
-- random.nextBytes(data);
-- } catch (Exception e) {
-- CMS.debug("TokenServlet: processEncryptData():" + e.toString());
-- badParams += " Random Number,";
-- missingParam = true;
-- }
-- } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) {
-- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
-- badParams += " data,";
-- missingParam = true;
-- }
--
-- if ((rCUID == null) || (rCUID.equals(""))) {
-- badParams += " CUID,";
-- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- if ((rKDD == null) || (rKDD.length() == 0)) {
-- CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
-- badParams += " KDD,";
-- missingParam = true;
-- }
--
-- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
-- badParams += " KeyInfo,";
-- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE
-- xCUID = null; // avoid errors about non-initialization
-- xKDD = null; // avoid errors about non-initialization
-- xkeyInfo = null; // avoid errors about non-initialization
--
-- if (!missingParam) {
-- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-- if (xCUID == null || xCUID.length != 10) {
-- badParams += " CUID length,";
-- CMS.debug("TokenServlet: Invalid CUID length");
-- missingParam = true;
-- }
--
-- // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-- if (xKDD == null || xKDD.length != 10) {
-- badParams += " KDD length,";
-- CMS.debug("TokenServlet: Invalid KDD length");
-- missingParam = true;
-- }
--
-- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-- if (xkeyInfo == null
|| (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
-- badParams += " KeyInfo length,";
-- CMS.debug("TokenServlet: Invalid key info length");
-- missingParam = true;
-- }
-- }
--
-- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
-- if (!useSoftToken_s.equalsIgnoreCase("true"))
-- useSoftToken_s = "false";
--
-- String selectedToken = null;
-- String keyNickName = null;
-- if (!missingParam) {
--
-- // AC: KDF SPEC CHANGE - read new config file values (needed for symkey
-- try {
-- nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
-- nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
--
-- // log settings read in to debug log along with xkeyInfo
-- CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x"
-- + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
-- + ", xkeyInfo[1] = 0x"
-- + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
-- );
-- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x"
-- + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
-- );
-- if (nistSP800_108KdfUseCuidAsKdd == true) {
-- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
-- } else {
-- CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD.");
-- }
-- // conform to the set-an-error-flag mentality
-- } catch (Exception e) {
-- missingSetting_exception = e;
-- CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: "
-- + e.toString());
-- }
--
-- if (!isRandom)
-- data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
-- keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
--
-- String keyInfoMap = "tks." + keySet + ".mk_mappings."
+ rKeyInfo.substring(0,6);
-- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
-- if (mappingValue == null) {
-- selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-- keyNickName = rKeyInfo;
-- } else {
-- StringTokenizer st = new StringTokenizer(mappingValue, ":");
-- selectedToken = st.nextToken();
-- keyNickName = st.nextToken();
-- }
--
--
-- //calculate the protocol
--
-- int protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
-- try
-- {
-- protocolInt = Integer.parseInt(protocolValue);
-- }
-- catch (NumberFormatException nfe)
-- {
-- protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
-- }
--
-- CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt);
--
-- //Check for reasonable sanity, leave room for future versions
-- if(protocolInt <= 0 || protocolInt > 20) {
-- CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1.");
-- protocolInt = 1;
--
-- }
--
-- byte kekKeyArray[] =
-- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+ keySet + ".kek_key"));
-- // AC: KDF SPEC CHANGE - check for error reading settings
-- if (missingSetting_exception == null) {
--
--
-- SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt);
--
-- if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) {
--
-- encryptedData = protocol.encryptData(
-- selectedToken, keyNickName, data, keyInfo,
-- nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
-- nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
-- xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
-- xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
-- kekKeyArray, useSoftToken_s, keySet);
--
-- } else {
--
-- encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo,
-- nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray,
-- useSoftToken_s, keySet,gp3Params);
--
-- }
--
-- SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: ");
--
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD
--
-- CMS.getLogger().log(ILogger.EV_AUDIT,
-- ILogger.S_TKS,
-- ILogger.LL_INFO, "process EncryptData for CUID=" +
-- trim(pp.toHexString(xCUID)) +
-- ", KDD=" +
-- trim(pp.toHexString(xKDD)));
--
-- } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
--
-- } // !missingParam
--
-- resp.setContentType("text/html");
--
-- String value = "";
-- String status = "0";
-- if (encryptedData != null && encryptedData.length > 0) {
-- // sending both the pre-encrypted and encrypted data back
-- value = IRemoteRequest.RESPONSE_STATUS + "=0&"
-- + IRemoteRequest.TOKEN_DATA + "=" +
-- com.netscape.cmsutil.util.Utils.SpecialEncode(data) +
-- "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" +
-- com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
-- // AC: KDF SPEC CHANGE - check for
settings file issue (flag)
-- } else if (missingSetting_exception != null) {
-- status = "6";
-- errorMsg = "Problem reading required configuration value.";
-- value = "status=" + status;
-- } else if (missingParam) {
-- if (badParams.endsWith(",")) {
-- badParams = badParams.substring(0, badParams.length() - 1);
-- }
-- errorMsg = "Missing input parameters: " + badParams;
-- status = "3";
-- value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-- } else {
-- errorMsg = "Problem encrypting data.";
-- status = "1";
-- value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-- }
--
-- //CMS.debug("TokenServlet:process EncryptData.encode " + value);
--
-- try {
-- resp.setContentLength(value.length());
-- CMS.debug("TokenServlet:outputString.lenght " + value.length());
--
-- OutputStream ooss = resp.getOutputStream();
-- ooss.write(value.getBytes());
-- ooss.flush();
-- mRenderResult = false;
-- } catch (Exception e) {
-- CMS.debug("TokenServlet: " + e.toString());
-- }
--
-- if (status.equals("0")) {
-- // AC: KDF SPEC CHANGE - Log both CUID and KDD
-- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.SUCCESS, // Outcome -- status, // status -- agentId, // AgentID -- s_isRandom, // isRandom -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -- Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); -- } else { -- // AC: KDF SPEC CHANGE - Log both CUID and KDD -- // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd -- // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. -- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.FAILURE, // Outcome -- status, // status -- agentId, // AgentID -- s_isRandom, // isRandom -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -- "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -- Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd -- errorMsg // Error -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); -- } -- -- audit(auditMessage); -- } -- -- /* -- * For EncryptData: -- * data=value1 -- * CUID=value2 // missing from RA -- * versionID=value3 // missing from RA -- * -- * For ComputeSession: -- * card_challenge=value1 -- * host_challenge=value2 -- -- * For DiversifyKey: -- * new_master_key_index 
-- * master_key_index -- */ -- -- private void processComputeRandomData(HttpServletRequest req, -- HttpServletResponse resp) throws EBaseException { -- -- byte[] randomData = null; -- String status = "0"; -- String errorMsg = ""; -- String badParams = ""; -- boolean missingParam = false; -- int dataSize = 0; -- -- CMS.debug("TokenServlet::processComputeRandomData"); -- -- SessionContext sContext = SessionContext.getContext(); -- -- String agentId = ""; -- if (sContext != null) { -- agentId = -- (String) sContext.get(SessionContext.USER_ID); -- } -- -- String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES); -- -- if (sDataSize == null || sDataSize.equals("")) { -- CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); -- badParams += " Random Data size, "; -- missingParam = true; -- status = "1"; -- } else { -- try { -- dataSize = Integer.parseInt(sDataSize.trim()); -- } catch (NumberFormatException nfe) { -- CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); -- badParams += " Random Data size, "; -- missingParam = true; -- status = "1"; -- } -- -- } -- -- CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); -- -- String auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, -- ILogger.SUCCESS, -- agentId); -- -- audit(auditMessage); -- -- if (!missingParam) { -- try { -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -- randomData = new byte[dataSize]; -- random.nextBytes(randomData); -- } catch (Exception e) { -- CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); -- errorMsg = "Can't generate random data!"; -- status = "2"; -- } -- } -- -- String randomDataOut = ""; -- if (status.equals("0")) { -- if (randomData != null && randomData.length == dataSize) { -- randomDataOut = -- com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); -- } else { -- status = "2"; -- errorMsg = "Can't convert random data!"; -- } 
-- } -- -- if (status.equals("1") && missingParam) { -- -- if (badParams.endsWith(",")) { -- badParams = badParams.substring(0, badParams.length() - 1); -- } -- errorMsg = "Missing input parameters :" + badParams; -- } -- -- resp.setContentType("text/html"); -- String value = ""; -- -- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; -- if (status.equals("0")) { -- value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut; -- } -- -- try { -- resp.setContentLength(value.length()); -- CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); -- -- OutputStream ooss = resp.getOutputStream(); -- ooss.write(value.getBytes()); -- ooss.flush(); -- mRenderResult = false; -- } catch (Exception e) { -- CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); -- } -- -- if (status.equals("0")) { -- auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, -- ILogger.SUCCESS, -- status, -- agentId); -- } else { -- auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, -- ILogger.FAILURE, -- status, -- agentId, -- errorMsg); -- } -- -- audit(auditMessage); -- } -- -- public void process(CMSRequest cmsReq) throws EBaseException { -- HttpServletRequest req = cmsReq.getHttpReq(); -- HttpServletResponse resp = cmsReq.getHttpResp(); -- -- IAuthToken authToken = authenticate(cmsReq); -- AuthzToken authzToken = null; -- -- mCurrentUID = (String) authToken.get(IAuthToken.UID) ; -- -- try { -- authzToken = authorize(mAclMethod, authToken, -- mAuthzResourceName, "execute"); -- } catch (Exception e) { -- } -- -- if (authzToken == null) { -- -- try { -- resp.setContentType("text/html"); -- String value = "unauthorized="; -- CMS.debug("TokenServlet: Unauthorized"); -- -- resp.setContentLength(value.length()); -- OutputStream ooss = resp.getOutputStream(); -- ooss.write(value.getBytes()); -- ooss.flush(); -- mRenderResult = false; -- } 
catch (Exception e) { -- CMS.debug("TokenServlet: " + e.toString()); -- } -- -- // cmsReq.setStatus(CMSRequest.UNAUTHORIZED); -- return; -- } -- -- String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); -- String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); -- String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); -- //CMS.debug("Protocol: " + protocol + " temp: " + temp); -- -- setDefaultSlotAndKeyName(req); -- if (temp != null && protocol == null) { -- processComputeSessionKey(req, resp); -- } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) { -- processEncryptData(req, resp); -- } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) { -- processDiversifyKey(req, resp); -- } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) { -- processComputeRandomData(req, resp); -- } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) { -- //SCP02 compute one session key. -- processComputeSessionKeySCP02(req, resp); -- -- } else if (protocol != null && protocol.contains("3") ) { -- processComputeSessionKeysSCP03(req,resp); -- } else { -- throw new EBaseException("Process: Can't decide upon function to call!"); -- } -- } -- -- //Create all the session keys for scp03 at once and return. 
-- //ToDo: calcualte the optional rmac key -- private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { -- String method = "processComputeSessionKeysSCP03:"; -- CMS.debug(method + " entering ..."); -- -- byte[] card_challenge, host_challenge, xCUID, xKDD; -- byte[] card_crypto, host_cryptogram, input_card_crypto; -- byte[] xcard_challenge, xhost_challenge; -- byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key; -- String auditMessage = null; -- String errorMsg = ""; -- String badParams = ""; -- String transportKeyName = ""; -- String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); -- -- String rKDD = req.getParameter("KDD"); -- if ((rKDD == null) || (rKDD.length() == 0)) { -- // KDF phase1: default to rCUID if not present -- CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); -- rKDD = rCUID; -- } -- -- String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -- if (keySet == null || keySet.equals("")) { -- keySet = "defKeySet"; -- } -- CMS.debug("keySet selected: " + keySet); -- -- GPParams gp3Params = readGPSettings(keySet); -- -- boolean serversideKeygen = false; -- -- IConfigStore sconfig = CMS.getConfigStore(); -- boolean isCryptoValidate = true; -- boolean missingParam = false; -- -- Exception missingSetting_exception = null; -- -- mac_session_key = null; -- kek_session_key = null; -- card_crypto = null; -- host_cryptogram = null; -- enc_session_key = null; -- -- SessionContext sContext = SessionContext.getContext(); -- -- String agentId = ""; -- if (sContext != null) { -- agentId = -- (String) sContext.get(SessionContext.USER_ID); -- } -- -- auditMessage = CMS.getLogMessage( -- AuditEvent.COMPUTE_SESSION_KEY_REQUEST, -- rCUID, -- rKDD, -- ILogger.SUCCESS, -- agentId); -- -- audit(auditMessage); -- -- String kek_wrapped_desKeyString = null; -- String keycheck_s = null; -- -- String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", 
"true"); -- if (!useSoftToken_s.equalsIgnoreCase("true")) -- useSoftToken_s = "false"; -- -- CMS.debug(method + " useSoftToken: " + useSoftToken_s); -- -- String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -- if (rServersideKeygen.equals("true")) { -- -- serversideKeygen = true; -- } -- -- CMS.debug(method + " serversideKeygen: " + serversideKeygen); -- -- try { -- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -- } catch (EBaseException eee) { -- } -- -- CMS.debug(method + " Do crypto validation: " + isCryptoValidate); -- -- transportKeyName = getSharedSecretName(sconfig); -- -- String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); -- String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); -- String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -- String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); -- -- if ((rCUID == null) || (rCUID.equals(""))) { -- CMS.debug(method + " missing request parameter: CUID"); -- badParams += " CUID,"; -- missingParam = true; -- } -- -- if ((rKDD == null) || (rKDD.length() == 0)) { -- CMS.debug(method + " missing request parameter: KDD"); -- badParams += " KDD,"; -- missingParam = true; -- } -- -- if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { -- badParams += " card_challenge,"; -- CMS.debug(method + " missing request parameter: card challenge"); -- missingParam = true; -- } -- -- if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { -- badParams += " host_challenge,"; -- CMS.debug(method + " missing request parameter: host challenge"); -- missingParam = true; -- } -- -- if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { -- badParams += " card_cryptogram,"; -- CMS.debug(method + " missing request parameter: card_cryptogram"); -- missingParam = true; -- } -- -- if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { -- badParams += " KeyInfo,"; 
-- CMS.debug(method + "missing request parameter: key info"); -- missingParam = true; -- } -- -- String selectedToken = null; -- String keyNickName = null; -- boolean sameCardCrypto = true; -- -- xCUID = null; -- xKDD = null; -- xkeyInfo = null; -- xcard_challenge = null; -- xhost_challenge = null; -- -- if (!missingParam) { -- xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); -- if (xCUID == null || xCUID.length != 10) { -- badParams += " CUID length,"; -- CMS.debug("TokenServlet: Invalid CUID length"); -- missingParam = true; -- } -- -- xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); -- if (xKDD == null || xKDD.length != 10) { -- badParams += " KDD length,"; -- CMS.debug("TokenServlet: Invalid KDD length"); -- missingParam = true; -- } -- -- xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -- if (xkeyInfo == null || xkeyInfo.length != 3) { -- badParams += " KeyInfo length,"; -- CMS.debug("TokenServlet: Invalid key info length."); -- missingParam = true; -- } -- xcard_challenge = -- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); -- if (xcard_challenge == null || xcard_challenge.length != 8) { -- badParams += " card_challenge length,"; -- CMS.debug("TokenServlet: Invalid card challenge length."); -- missingParam = true; -- } -- -- xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); -- if (xhost_challenge == null || xhost_challenge.length != 8) { -- badParams += " host_challenge length,"; -- CMS.debug("TokenServlet: Invalid host challenge length"); -- missingParam = true; -- } -- } -- -- ArrayList serverSideValues = null; -- -- if (!missingParam) { -- card_challenge = -- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); -- -- host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); -- -- String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); //#xx#xx -- String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -- -- -- if (mappingValue == null) { -- selectedToken = -- CMS.getConfigStore().getString("tks.defaultSlot", "internal"); -- keyNickName = rKeyInfo; -- } else { -- StringTokenizer st = new StringTokenizer(mappingValue, ":"); -- if (st.hasMoreTokens()) -- selectedToken = st.nextToken(); -- if (st.hasMoreTokens()) -- keyNickName = st.nextToken(); -- } -- -- CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName ); -- -- SymmetricKey macSessionKey = null; -- SymmetricKey encSessionKey = null; -- SymmetricKey kekSessionKey = null; -- -- if (selectedToken != null && keyNickName != null -- && missingSetting_exception == null) { -- -- try { -- -- byte macKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".mac_key")); -- CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" -- + selectedToken + " keyNickName=" + keyNickName); -- -- SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); -- -- macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, -- SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge, -- transportKeyName,gp3Params); -- -- mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null); -- -- if (mac_session_key == null) { -- CMS.debug(method + " Can't get mac session key bytes"); -- throw new Exception(method + " Can't get mac session key bytes"); -- -- } -- -- byte encKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
-- + keySet + ".auth_key")); -- -- encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, -- SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge, -- transportKeyName,gp3Params); -- -- enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null); -- -- if (enc_session_key == null) { -- CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); -- throw new Exception("Can't compute enc session key!"); -- -- } -- -- byte kekKeyArray[] = -- com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + ".kek_key")); -- -- kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo, -- SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge, -- xcard_challenge, -- transportKeyName,gp3Params); -- -- kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null); -- -- -- //Offload some of the tedious params gathering to another method -- //ToDo, create a method that reads all this stuff at once for all major methods -- if (serversideKeygen) { -- try { -- serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken, -- kekSessionKey, protocol); -- } catch (EBaseException e) { -- -- CMS.debug(method + " Can't calcualte server side keygen required values..."); -- -- } -- } -- -- try { -- isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -- } catch (EBaseException eee) { -- } -- -- ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); -- try { -- contextStream.write(host_challenge); -- contextStream.write(card_challenge); -- } catch (IOException e) { -- throw new EBaseException(method + " Error calculating derivation data!"); -- } -- -- host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT); -- 
SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length); -- -- -- if( isCryptoValidate) { -- if (rcard_cryptogram == null) { -- CMS.debug(method + " missing card cryptogram"); -- throw new Exception(method + "Missing card cryptogram"); -- } -- input_card_crypto = -- com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); -- card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); -- SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); -- SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); -- -- if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { -- throw new Exception(method + "Card cryptogram mismatch!"); -- } -- -- } -- } catch (Exception e) { -- CMS.debug(e); -- CMS.debug("TokenServlet Computing Session Key: " + e.toString()); -- if (isCryptoValidate) -- sameCardCrypto = false; -- } -- } -- } // ! 
missingParam -- -- String value = ""; -- -- resp.setContentType("text/html"); -- -- String encSessionKeyString = ""; -- String macSessionKeyString = ""; -- String kekSessionKeyString = ""; -- -- String drm_trans_wrapped_desKeyString = ""; -- String cryptogram = ""; -- String status = "0"; -- -- if (enc_session_key != null && enc_session_key.length > 0) { -- encSessionKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); -- } else { -- status = "1"; -- } -- -- if (mac_session_key != null && mac_session_key.length > 0) { -- macSessionKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); -- } else { -- status = "1"; -- } -- -- if (kek_session_key != null && kek_session_key.length > 0) { -- kekSessionKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); -- } else { -- status = "1"; -- } -- -- if (serversideKeygen == true) { -- if (serverSideValues.size() == 3) { -- drm_trans_wrapped_desKeyString = serverSideValues.get(2); -- kek_wrapped_desKeyString = serverSideValues.get(0); -- keycheck_s = serverSideValues.get(1); -- } -- else { -- status = "1"; -- } -- } -- -- if (host_cryptogram != null && host_cryptogram.length > 0) { -- cryptogram = -- com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); -- } else { -- if (status.equals("0") == true) { -- status = "2"; -- } -- } -- -- if (selectedToken == null || keyNickName == null) { -- // AC: Bugfix: Don't override status's value if an error was already flagged -- if (status.equals("0") == true) { -- status = "4"; -- } -- } -- -- if (!sameCardCrypto) { -- if (status.equals("0") == true) { -- status = "5"; -- } -- } -- -- if (missingSetting_exception != null) { -- status = "6"; -- } -- -- if (missingParam) { -- status = "3"; -- } -- -- if (!status.equals("0")) { -- -- if (status.equals("1")) { -- errorMsg = "Problem generating session key info."; -- } -- -- if (status.equals("2")) { -- errorMsg = "Problem creating host_cryptogram."; -- } -- -- 
if (status.equals("5")) { -- errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; -- } -- -- if (status.equals("4")) { -- errorMsg = "Problem obtaining token information."; -- } -- -- if (status.equals("6")) { -- errorMsg = "Problem reading required configuration value."; -- } -- -- if (status.equals("3")) { -- if (badParams.endsWith(",")) { -- badParams = badParams.substring(0, badParams.length() - 1); -- } -- errorMsg = "Missing input parameters :" + badParams; -- } -- -- value = IRemoteRequest.RESPONSE_STATUS + "=" + status; -- } else { -- if (serversideKeygen == true) { -- StringBuffer sb = new StringBuffer(); -- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -- sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); -- sb.append(macSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); -- sb.append(cryptogram); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); -- sb.append(encSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); -- sb.append(kekSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); -- sb.append(kek_wrapped_desKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); -- sb.append(keycheck_s); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); -- sb.append(drm_trans_wrapped_desKeyString); -- value = sb.toString(); -- } else { -- StringBuffer sb = new StringBuffer(); -- sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -- sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); -- sb.append(macSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); -- sb.append(cryptogram); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); -- sb.append(encSessionKeyString); -- sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); -- value = sb.toString(); -- } -- -- } -- //CMS.debug(method + "outputString.encode " + 
value); -- -- try { -- resp.setContentLength(value.length()); -- CMS.debug("TokenServlet:outputString.length " + value.length()); -- OutputStream ooss = resp.getOutputStream(); -- ooss.write(value.getBytes()); -- ooss.flush(); -- mRenderResult = false; -- } catch (IOException e) { -- CMS.debug("TokenServlet: " + e.toString()); -- } -- -- if (status.equals("0")) { -- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.SUCCESS, // Outcome -- status, // status -- agentId, // AgentID -- isCryptoValidate ? "true" : "false", // IsCryptoValidate -- serversideKeygen ? "true" : "false", // IsServerSideKeygen -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, -- logParams); -- -- } else { -- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -- log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -- ILogger.FAILURE, // Outcome -- status, // status -- agentId, // AgentID -- isCryptoValidate ? "true" : "false", // IsCryptoValidate -- serversideKeygen ? "true" : "false", // IsServerSideKeygen -- selectedToken, // SelectedToken -- keyNickName, // KeyNickName -- keySet, // TKSKeyset -- log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -- errorMsg // Error -- }; -- auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, -- logParams); -- -- } -- -- audit(auditMessage); -- -- } -- -- /** -- * Serves HTTP admin request. 
-- * -- * @param req HTTP request -- * @param resp HTTP response -- */ -- public void service(HttpServletRequest req, HttpServletResponse resp) -- throws ServletException, IOException { -- super.service(req, resp); -- } -- -- private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { -- -- IConfigStore configStore = CMS.getConfigStore(); -- String sharedSecretName = null; -- try { -- -- sharedSecretName = getSharedSecretName(configStore); -- -- } catch (EBaseException e) { -- throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " -- + e); -- -- } -- -- CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); -- -- String symmKeys = null; -- boolean keyPresent = false; -- try { -- symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); -- CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); -- } catch (Exception e) { -- // TODO Auto-generated catch block -- CMS.debug(e); -- } -- -- for (String keyName : symmKeys.split(",")) { -- if (sharedSecretName.equals(keyName)) { -- CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); -- keyPresent = true; -- break; -- } -- -- } -- -- if (!keyPresent) { -- throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); -- } -- -- // We know for now that shared secret is on this token -- String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; -- PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); -- -- CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); -- -- return sharedSecret; -- -- } -- -- //returns ArrayList of following values -- // 0 : Kek wrapped des key -- // 1 : keycheck value -- // 2 : trans wrapped des key -- private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, -- SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws 
EBaseException { -- -- SymmetricKey desKey = null; -- String method = "TokenServlet.calculateSErverSideKeygenValues: "; -- ArrayList values = new ArrayList(); -- -- /** -- * 0. generate des key -- * 1. encrypt des key with kek key -- * 2. encrypt des key with DRM transport key -- * These two wrapped items are to be sent back to -- * TPS. 2nd item is to DRM -- **/ -- CMS.debug(method + " entering..."); -- -- // (1) generate DES key -- /* applet does not support DES3 -- org.mozilla.jss.crypto.KeyGenerator kg = -- internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); -- desKey = kg.generate();*/ -- -- /* -- * GenerateSymkey firt generates a 16 byte DES2 key. -- * It then pads it into a 24 byte key with last -- * 8 bytes copied from the 1st 8 bytes. Effectively -- * making it a 24 byte DES2 key. We need this for -- * wrapping private keys on DRM. -- */ -- /*generate it on whichever token the master key is at*/ -- -- if (useSoftToken.equals("true")) { -- CMS.debug(method + " key encryption key generated on internal"); -- desKey = protocol.generateSymKey("internal"); -- //cfu audit here? sym key gen done -- } else { -- CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); -- desKey = protocol.generateSymKey(selectedToken); -- } -- if (desKey == null) { -- throw new EBaseException(method + "can't generate key encryption key"); -- } -- -- /* -- * ECBencrypt actually takes the 24 byte DES2 key -- * and discard the last 8 bytes before it encrypts. 
-- * This is done so that the applet can digest it -- */ -- -- -- // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) -- -- byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); -- -- String kek_wrapped_desKeyString = -- com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); -- -- CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); -- -- values.add(kek_wrapped_desKeyString); -- -- // get keycheck -- -- byte[] keycheck = null; -- -- keycheck = protocol.computeKeyCheck(desKey, selectedToken); -- -- String keycheck_s = -- com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); -- -- CMS.debug(method + "keycheck_s " + keycheck_s); -- -- values.add(keycheck_s); -- -- //use DRM transport cert to wrap desKey -- String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); -- -- if ((drmTransNickname == null) || (drmTransNickname == "")) { -- CMS.debug(method + " did not find DRM transport certificate nickname"); -- throw new EBaseException(method + "can't find DRM transport certificate nickname"); -- } else { -- CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); -- } -- -- X509Certificate drmTransCert = null; -- try { -- -- drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); -- // wrap kek session key with DRM transport public key -- CryptoToken token = null; -- if (useSoftToken.equals("true")) { -- //token = CryptoManager.getInstance().getTokenByName(selectedToken); -- token = CryptoManager.getInstance().getInternalCryptoToken(); -- } else { -- token = CryptoManager.getInstance().getTokenByName(selectedToken); -- } -- PublicKey pubKey = drmTransCert.getPublicKey(); -- String pubKeyAlgo = pubKey.getAlgorithm(); -- CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); -- KeyWrapper keyWrapper = null; -- //For wrapping symmetric keys don't need IV, use ECB -- if (pubKeyAlgo.equals("EC")) { -- keyWrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); -- keyWrapper.initWrap(pubKey, null); -- } else { -- keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); -- keyWrapper.initWrap(pubKey, null); -- } -- CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); -- byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); -- -- String drmWrappedDesStr = -- com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); -- -- CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); -- values.add(drmWrappedDesStr); -- -- } catch (Exception e) { -- throw new EBaseException(e); -- } -- -- return values; -- } -- -- private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { -- boolean sameCardCrypto = true; -- -- if (original_cryptogram == null || calculated_cryptogram == null) { -- return false; -- } -- if (original_cryptogram.length == calculated_cryptogram.length) { -- for (int i = 0; i < original_cryptogram.length; i++) { -- if (original_cryptogram[i] != calculated_cryptogram[i]) { -- sameCardCrypto = false; -- break; -- } -- } -- } else { -- // different length; must be different -- sameCardCrypto = false; -- } -- -- return sameCardCrypto; -- } -- -- //For now only used for scp03 -- -- static GPParams readGPSettings(String keySet) { -- GPParams params = new GPParams(); -- -- String method = "TokenServlet.readGPSettings: "; -- String gp3Settings = "tks." 
+ keySet + ".prot3"; -- -- String divers = "emv"; -- try { -- divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); -- } catch (EBaseException e) { -- } -- -- params.setDiversificationScheme(divers); -- -- CMS.debug(method + " Divers: " + divers); -- -- String diversVer1Keys = "emv"; -- -- try { -- diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); -- } catch (EBaseException e) { -- } -- -- params.setVersion1DiversificationScheme(diversVer1Keys); -- CMS.debug(method + " Version 1 keys Divers: " + divers); -- -- String keyType = null; -- try { -- keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); -- } catch (EBaseException e) { -- } -- -- CMS.debug(method + " devKeyType: " + keyType); -- -- params.setDevKeyType(keyType); -- -- try { -- keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); -- } catch (EBaseException e) { -- } -- -- params.setMasterKeyType(keyType); -- -- CMS.debug(method + " masterKeyType: " + keyType); -- -- -- return params; -- } -- -- private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { -- byte devKeyArray[] = null; -- try { -- devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -- + keySet + "." 
+ keyType)); -- } catch (Exception e) { -- throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); -- } -- -- return devKeyArray; -- } -- -- --} -diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml -index 18c85a3..ddbea88 100644 ---- a/base/tks/shared/webapps/tks/WEB-INF/web.xml -+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml -@@ -108,7 +108,7 @@ - - - tksEncryptData -- com.netscape.cms.servlet.tks.TokenServlet -+ org.dogtagpki.server.tks.servlet.TokenServlet - GetClientCert - true - AuthzMgr -@@ -125,7 +125,7 @@ - - - tksCreateKeySetData -- com.netscape.cms.servlet.tks.TokenServlet -+ org.dogtagpki.server.tks.servlet.TokenServlet - GetClientCert - true - AuthzMgr -@@ -142,7 +142,7 @@ - - - tksSessionKey -- com.netscape.cms.servlet.tks.TokenServlet -+ org.dogtagpki.server.tks.servlet.TokenServlet - GetClientCert - true - AuthzMgr -@@ -159,7 +159,7 @@ - - - tksRandomData -- com.netscape.cms.servlet.tks.TokenServlet -+ org.dogtagpki.server.tks.servlet.TokenServlet - GetClientCert - true - AuthzMgr -diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java -new file mode 100644 -index 0000000..c8150a9 ---- /dev/null -+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java -@@ -0,0 +1,3226 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2007 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package org.dogtagpki.server.tks.servlet; -+ -+import java.io.ByteArrayOutputStream; -+import java.io.IOException; -+import java.io.OutputStream; -+import java.security.PublicKey; -+import java.security.SecureRandom; -+import java.util.ArrayList; -+import java.util.StringTokenizer; -+ -+import javax.servlet.ServletConfig; -+import javax.servlet.ServletException; -+import javax.servlet.http.HttpServletRequest; -+import javax.servlet.http.HttpServletResponse; -+ -+import org.dogtagpki.server.connector.IRemoteRequest; -+import org.mozilla.jss.CryptoManager; -+import org.mozilla.jss.CryptoManager.NotInitializedException; -+import org.mozilla.jss.crypto.CryptoToken; -+import org.mozilla.jss.crypto.KeyWrapAlgorithm; -+import org.mozilla.jss.crypto.KeyWrapper; -+import org.mozilla.jss.crypto.SymmetricKey; -+import org.mozilla.jss.crypto.X509Certificate; -+import org.mozilla.jss.pkcs11.PK11SymKey; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.authorization.AuthzToken; -+import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.base.IPrettyPrintFormat; -+import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.cms.servlet.base.CMSServlet; -+import com.netscape.cms.servlet.common.CMSRequest; -+import com.netscape.cms.servlet.tks.GPParams; -+import com.netscape.cms.servlet.tks.NistSP800_108KDF; -+import com.netscape.cms.servlet.tks.SecureChannelProtocol; -+import com.netscape.cmsutil.crypto.CryptoUtil; 
-+import com.netscape.symkey.SessionKey; -+ -+/** -+ * A class representings an administration servlet for Token Key -+ * Service Authority. This servlet is responsible to serve -+ * tks administrative operation such as configuration -+ * parameter updates. -+ * -+ * @version $Revision$, $Date$ -+ */ -+public class TokenServlet extends CMSServlet { -+ /** -+ * -+ */ -+ private static final long serialVersionUID = 8687436109695172791L; -+ protected static final String PROP_ENABLED = "enabled"; -+ protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; -+ private final static String INFO = "TokenServlet"; -+ public static int ERROR = 1; -+ String mKeyNickName = null; -+ String mNewKeyNickName = null; -+ String mCurrentUID = null; -+ IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); -+ -+ // Derivation Constants for SCP02 -+ public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; -+ public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; -+ public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 }; -+ public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 }; -+ -+ /** -+ * Constructs tks servlet. -+ */ -+ public TokenServlet() { -+ super(); -+ -+ } -+ -+ public static String trim(String a) { -+ StringBuffer newa = new StringBuffer(); -+ StringTokenizer tokens = new StringTokenizer(a, "\n"); -+ while (tokens.hasMoreTokens()) { -+ newa.append(tokens.nextToken()); -+ } -+ return newa.toString(); -+ } -+ -+ public void init(ServletConfig config) throws ServletException { -+ super.init(config); -+ } -+ -+ /** -+ * Returns serlvet information. -+ * -+ * @return name of this servlet -+ */ -+ public String getServletInfo() { -+ return INFO; -+ } -+ -+ /** -+ * Process the HTTP request. -+ * -+ * @param s The URL to decode. 
-+ */ -+ protected String URLdecode(String s) { -+ if (s == null) -+ return null; -+ ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); -+ -+ for (int i = 0; i < s.length(); i++) { -+ int c = s.charAt(i); -+ -+ if (c == '+') { -+ out.write(' '); -+ } else if (c == '%') { -+ int c1 = Character.digit(s.charAt(++i), 16); -+ int c2 = Character.digit(s.charAt(++i), 16); -+ -+ out.write((char) (c1 * 16 + c2)); -+ } else { -+ out.write(c); -+ } -+ } // end for -+ return out.toString(); -+ } -+ -+ private void setDefaultSlotAndKeyName(HttpServletRequest req) { -+ try { -+ -+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -+ if (keySet == null || keySet.equals("")) { -+ keySet = "defKeySet"; -+ } -+ CMS.debug("keySet selected: " + keySet); -+ -+ String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); -+ String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx -+ String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; -+ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -+ if (mappingValue != null) { -+ StringTokenizer st = new StringTokenizer(mappingValue, ":"); -+ int tokenNumber = 0; -+ while (st.hasMoreTokens()) { -+ -+ String currentToken = st.nextToken(); -+ if (tokenNumber == 1) -+ mKeyNickName = currentToken; -+ tokenNumber++; -+ -+ } -+ } -+ if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification -+ { -+ temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx -+ String newKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ temp; -+ String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); -+ if (newMappingValue != null) { -+ StringTokenizer st = new StringTokenizer(newMappingValue, ":"); -+ int tokenNumber = 0; -+ while (st.hasMoreTokens()) { -+ String currentToken = st.nextToken(); -+ if (tokenNumber == 1) -+ mNewKeyNickName = currentToken; -+ tokenNumber++; -+ -+ } -+ } -+ } -+ -+ CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); -+ -+ SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); -+ /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ -+ -+ } catch (Exception e) { -+ e.printStackTrace(); -+ CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); -+ } -+ -+ } -+ -+ // AC: KDF SPEC CHANGE - read new setting value from config file -+ // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) -+ // CAREFUL: Result returned may be negative due to java's lack of unsigned types. -+ // Negative values need to be treated as higher key numbers than positive key numbers. -+ private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { -+ String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; -+ // KDF phase1: default to 00 -+ String nistSP800_108KdfOnKeyVersion_value = -+ CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); -+ short nistSP800_108KdfOnKeyVersion_short = 0; -+ // if value does not exist in file -+ if (nistSP800_108KdfOnKeyVersion_value == null) { -+ // throw -+ // (we want admins to pay attention to this configuration item rather than guessing for them) -+ throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map -+ + "\" missing from configuration file."); -+ } -+ // convert setting value (in ASCII-hex) to short -+ try { -+ nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); -+ if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { -+ throw new Exception("Out of range."); -+ } -+ } catch (Throwable t) { -+ throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map -+ + "\" is in incorrect format. " + -+ "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map -+ + "=xx\" where xx is key version specified in ASCII-HEX format.", t); -+ } -+ // convert to byte (anything higher than 0x7F is represented as a negative) -+ byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; -+ return nistSP800_108KdfOnKeyVersion_byte; -+ } -+ -+ // AC: KDF SPEC CHANGE - read new setting value from config file -+ // (This value allows configuration of the NIST SP800-108 KDF: -+ // If "true" we use the CUID parameter within the NIST SP800-108 KDF. -+ // If "false" we use the KDD parameter within the NIST SP800-108 KDF. -+ private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { -+ String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; -+ // KDF phase1: default to "false" -+ String setting_str = -+ CMS.getConfigStore().getString(setting_map, "false" /*null*/); -+ boolean setting_boolean = false; -+ // if value does not exist in file -+ if (setting_str == null) { -+ // throw -+ // (we want admins to pay attention to this configuration item rather than guessing for them) -+ throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); -+ } -+ // convert setting value to boolean -+ try { -+ setting_boolean = Boolean.parseBoolean(setting_str); -+ } catch (Throwable t) { -+ throw new Exception("Configuration value \"" + setting_map -+ + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); -+ } -+ return setting_boolean; -+ } -+ -+ // AC: KDF SPEC CHANGE - Audit logging helper functions. -+ // Converts a byte array to an ASCII-hex string. -+ // We implemented this ourselves rather than using this.pp.toHexArray() because -+ // the team preferred CUID and KDD strings to be without ":" separators every byte. -+ final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); -+ -+ private String bytesToHex(byte[] bytes) { -+ char[] hexChars = new char[bytes.length * 2]; -+ for (int i = 0; i < bytes.length; i++) { -+ int thisChar = bytes[i] & 0x000000FF; -+ hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 -+ hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; -+ } -+ return new String(hexChars); -+ } -+ -+ // AC: KDF SPEC CHANGE - Audit logging helper functions. -+ // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa -+ // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. -+ // Returns "null" if parameter is null. -+ // Returns "invalid" if parameter.length < 1 -+ private String log_string_from_keyInfo(byte[] xkeyInfo) { -+ return (xkeyInfo == null) ? 
"null" : (xkeyInfo.length < 1 ? "invalid" : "0x" -+ + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); -+ } -+ -+ // AC: KDF SPEC CHANGE - Audit logging helper functions. -+ // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. -+ // Parameters: -+ // specialDecoded - byte array containing data. May be null. -+ // Returns: -+ // if specialDecoded is blank, returns "null" -+ // if specialDecoded != null, returns -+ private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { -+ if (specialDecoded == null) { -+ return "null"; -+ } else { -+ return bytesToHex(specialDecoded); -+ } -+ } -+ -+ /* Compute Session Key for SCP02 -+ * For simplicity compute just one session key,unless it is the DEK key case. -+ */ -+ -+ private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { -+ -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); -+ String auditMessage = null; -+ String errorMsg = ""; -+ String badParams = ""; -+ String transportKeyName = ""; -+ boolean missingParam = false; -+ String selectedToken = null; -+ String keyNickName = null; -+ byte[] drm_trans_wrapped_desKey = null; -+ -+ byte[] xKDD = null; -+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; -+ boolean nistSP800_108KdfUseCuidAsKdd = false; -+ -+ IConfigStore sconfig = CMS.getConfigStore(); -+ -+ boolean isCryptoValidate = false; -+ byte[] keyInfo, xCUID = null, session_key = null; -+ -+ Exception missingSettingException = null; -+ -+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); -+ -+ String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); -+ -+ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -+ -+ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { -+ badParams += " KeyInfo,"; -+ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); -+ missingParam = true; -+ } -+ -+ keyInfo = 
com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -+ -+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -+ -+ if (keySet == null || keySet.equals("")) { -+ keySet = "defKeySet"; -+ } -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); -+ -+ boolean serversideKeygen = false; -+ -+ String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); -+ String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); -+ -+ if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { -+ badParams += " derivation_constant,"; -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); -+ missingParam = true; -+ } -+ -+ if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { -+ badParams += " sequence_counter,"; -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); -+ missingParam = true; -+ } -+ -+ SessionContext sContext = SessionContext.getContext(); -+ -+ String agentId = ""; -+ if (sContext != null) { -+ agentId = -+ (String) sContext.get(SessionContext.USER_ID); -+ } -+ -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, -+ rCUID, -+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
-+ ILogger.SUCCESS, -+ agentId); -+ -+ audit(auditMessage); -+ -+ if (!missingParam) { -+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); -+ -+ if (xCUID == null || xCUID.length != 10) { -+ badParams += " CUID length,"; -+ CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); -+ missingParam = true; -+ } -+ -+ if ((rKDD == null) || (rKDD.length() == 0)) { -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); -+ badParams += " KDD,"; -+ missingParam = true; -+ } -+ -+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); -+ if (xKDD == null || xKDD.length != 10) { -+ badParams += " KDD length,"; -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); -+ missingParam = true; -+ } -+ -+ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); -+ if (keyInfo == null || keyInfo.length != 2) { -+ badParams += " KeyInfo length,"; -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); -+ missingParam = true; -+ } -+ -+ try { -+ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); -+ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); -+ -+ // log settings read in to debug log along with xkeyInfo -+ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" -+ + Integer.toHexString((keyInfo[0]) & 0x0000000FF) -+ + ", xkeyInfo[1] = 0x" -+ + Integer.toHexString((keyInfo[1]) & 0x0000000FF) -+ ); -+ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" -+ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) -+ ); -+ if (nistSP800_108KdfUseCuidAsKdd == true) { -+ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); -+ } else { -+ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will 
use KDD."); -+ } -+ // conform to the set-an-error-flag mentality -+ } catch (Exception e) { -+ missingSettingException = e; -+ CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: " -+ + e.toString()); -+ } -+ -+ } -+ -+ String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx -+ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -+ if (mappingValue == null) { -+ selectedToken = -+ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); -+ keyNickName = rKeyInfo; -+ } else { -+ StringTokenizer st = new StringTokenizer(mappingValue, ":"); -+ if (st.hasMoreTokens()) -+ selectedToken = st.nextToken(); -+ if (st.hasMoreTokens()) -+ keyNickName = st.nextToken(); -+ } -+ -+ keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx -+ try { -+ mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); -+ } catch (EBaseException e1) { -+ -+ e1.printStackTrace(); -+ } -+ if (mappingValue == null) { -+ try { -+ selectedToken = -+ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); -+ } catch (EBaseException e) { -+ -+ e.printStackTrace(); -+ } -+ keyNickName = rKeyInfo; -+ } else { -+ StringTokenizer st = new StringTokenizer(mappingValue, ":"); -+ if (st.hasMoreTokens()) -+ selectedToken = st.nextToken(); -+ if (st.hasMoreTokens()) -+ keyNickName = st.nextToken(); -+ } -+ -+ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName); -+ String useSoftToken_s = null; -+ try { -+ useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); -+ } catch (EBaseException e1) { -+ // TODO Auto-generated catch block -+ e1.printStackTrace(); -+ } -+ if (!useSoftToken_s.equalsIgnoreCase("true")) -+ useSoftToken_s = "false"; -+ -+ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -+ if (rServersideKeygen.equals("true")) { -+ 
CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested"); -+ serversideKeygen = true; -+ } else { -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested"); -+ } -+ -+ transportKeyName = null; -+ try { -+ transportKeyName = getSharedSecretName(sconfig); -+ } catch (EBaseException e1) { -+ // TODO Auto-generated catch block -+ e1.printStackTrace(); -+ CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!"); -+ -+ } -+ -+ CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); -+ -+ try { -+ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -+ } catch (EBaseException eee) { -+ } -+ -+ byte macKeyArray[] = null; -+ byte sequenceCounter[] = null; -+ byte derivationConstant[] = null; -+ -+ boolean errorFound = false; -+ -+ String dek_wrapped_desKeyString = null; -+ String keycheck_s = null; -+ -+ if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) { -+ try { -+ macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -+ + keySet + ".mac_key")); -+ -+ sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter); -+ derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant); -+ -+ //Use old style for the moment. 
-+ //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey -+ //Perform in next ticket to fully implement nistXP800 -+ -+ session_key = SessionKey.ComputeSessionKeySCP02( -+ selectedToken, keyNickName, -+ keyInfo, -+ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value -+ nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant, -+ useSoftToken_s, keySet, -+ transportKeyName); -+ -+ if (session_key == null) { -+ CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL "); -+ throw new EBaseException("Can't compute session key for SCP02!"); -+ -+ } -+ -+ //Only do this for the dekSessionKey and if we are in the server side keygen case. -+ if (derivationConstant[0] == DEKDerivationConstant[0] -+ && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) { -+ -+ CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token."); -+ -+ /** -+ * 0. generate des key -+ * 1. encrypt des key with dek key -+ * 2. encrypt des key with DRM transport key -+ * These two wrapped items are to be sent back to -+ * TPS. 
2nd item is to DRM -+ **/ -+ -+ PK11SymKey desKey = null; -+ PK11SymKey dekKey = null; -+ -+ /*generate it on whichever token the master key is at*/ -+ if (useSoftToken_s.equals("true")) { -+ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal"); -+ -+ desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME); -+ -+ } else { -+ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on " -+ + selectedToken); -+ desKey = SessionKey.GenerateSymkey(selectedToken); -+ } -+ if (desKey != null) -+ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID); -+ else { -+ CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for " -+ + rCUID); -+ throw new EBaseException( -+ "TokenServlet.computeSessionKeySCP02: can't generate key encryption key"); -+ } -+ -+ CryptoToken token = null; -+ if (useSoftToken_s.equals("true")) { -+ token = CryptoUtil.getCryptoToken(null); -+ } else { -+ token = CryptoUtil.getCryptoToken(selectedToken); -+ } -+ -+ //Now we have to create a sym key object for the wrapped session_key (dekKey) -+ // session_key wrapped by the shared Secret -+ -+ PK11SymKey sharedSecret = getSharedSecretKey(); -+ -+ if (sharedSecret == null) { -+ throw new EBaseException( -+ "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!"); -+ } -+ -+ dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret, -+ session_key); -+ -+ if (dekKey == null) { -+ throw new EBaseException( -+ "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!"); -+ } -+ -+ /* -+ * ECBencrypt actually takes the 24 byte DES2 key -+ * and discard the last 8 bytes before it encrypts. 
-+ * This is done so that the applet can digest it -+ */ -+ byte[] encDesKey = -+ SessionKey.ECBencrypt(dekKey, -+ desKey); -+ -+ if (encDesKey == null) { -+ throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!"); -+ } -+ -+ dek_wrapped_desKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); -+ -+ byte[] keycheck = -+ SessionKey.ComputeKeyCheck(desKey); -+ -+ if (keycheck == null) { -+ throw new EBaseException( -+ "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!"); -+ } -+ -+ keycheck_s = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); -+ -+ //use DRM transport cert to wrap desKey -+ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); -+ -+ if ((drmTransNickname == null) || (drmTransNickname == "")) { -+ CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname"); -+ throw new EBaseException("can't find DRM transport certificate nickname"); -+ } else { -+ CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname); -+ } -+ -+ X509Certificate drmTransCert = null; -+ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); -+ // wrap kek session key with DRM transport public key -+ -+ PublicKey pubKey = drmTransCert.getPublicKey(); -+ String pubKeyAlgo = pubKey.getAlgorithm(); -+ -+ KeyWrapper keyWrapper = null; -+ //For wrapping symmetric keys don't need IV, use ECB -+ if (pubKeyAlgo.equals("EC")) { -+ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); -+ keyWrapper.initWrap(pubKey, null); -+ } else { -+ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); -+ keyWrapper.initWrap(pubKey, null); -+ } -+ -+ drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); -+ CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key."); -+ -+ 
CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out."); -+ -+ } -+ -+ } catch (Exception e) { -+ CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString()); -+ errorFound = true; -+ -+ } -+ -+ } -+ -+ String status = "0"; -+ String value = ""; -+ String outputString = ""; -+ -+ boolean statusDeclared = false; -+ -+ if (session_key != null && session_key.length > 0 && errorFound == false) { -+ outputString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); -+ } else { -+ -+ status = "1"; -+ statusDeclared = true; -+ } -+ -+ if (selectedToken == null || keyNickName == null) { -+ if (!statusDeclared) { -+ status = "4"; -+ statusDeclared = true; -+ } -+ } -+ -+ if (missingSettingException != null) { -+ if (!statusDeclared) { -+ status = "6"; -+ statusDeclared = true; -+ } -+ } -+ -+ if (missingParam) { -+ status = "3"; -+ } -+ -+ String drm_trans_wrapped_desKeyString = null; -+ -+ if (!status.equals("0")) { -+ if (status.equals("1")) { -+ errorMsg = "Problem generating session key info."; -+ } -+ -+ if (status.equals("4")) { -+ errorMsg = "Problem obtaining token information."; -+ } -+ -+ if (status.equals("3")) { -+ if (badParams.endsWith(",")) { -+ badParams = badParams.substring(0, badParams.length() - 1); -+ } -+ errorMsg = "Missing input parameters :" + badParams; -+ } -+ -+ if (status.equals("6")) { -+ errorMsg = "Problem reading required configuration value."; -+ } -+ -+ } else { -+ -+ if (serversideKeygen == true) { -+ -+ if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) { -+ drm_trans_wrapped_desKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); -+ } -+ -+ StringBuffer sb = new StringBuffer(); -+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); -+ sb.append(outputString); -+ -+ //Now add the trans wrapped des key -+ 
-+ if (drm_trans_wrapped_desKeyString != null) { -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); -+ sb.append(drm_trans_wrapped_desKeyString); -+ } -+ -+ if (dek_wrapped_desKeyString != null) { -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); -+ sb.append(dek_wrapped_desKeyString); -+ } -+ -+ if (keycheck_s != null) { -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); -+ sb.append(keycheck_s); -+ } -+ -+ value = sb.toString(); -+ } else { -+ StringBuffer sb = new StringBuffer(); -+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); -+ sb.append(outputString); -+ value = sb.toString(); -+ } -+ -+ } -+ -+ //CMS.debug("TokenServlet:outputString.encode " + value); -+ -+ try { -+ resp.setContentLength(value.length()); -+ CMS.debug("TokenServlet:outputString.length " + value.length()); -+ OutputStream ooss = resp.getOutputStream(); -+ ooss.write(value.getBytes()); -+ ooss.flush(); -+ mRenderResult = false; -+ } catch (IOException e) { -+ CMS.debug("TokenServlet: " + e.toString()); -+ } -+ -+ if (status.equals("0")) { -+ -+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -+ ILogger.SUCCESS, // Outcome -+ status, // status -+ agentId, // AgentID -+ isCryptoValidate ? "true" : "false", // IsCryptoValidate -+ serversideKeygen ? 
"true" : "false", // IsServerSideKeygen -+ selectedToken, // SelectedToken -+ keyNickName, // KeyNickName -+ keySet, // TKSKeyset -+ log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion -+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd -+ }; -+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, -+ logParams); -+ -+ } else { -+ -+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -+ ILogger.FAILURE, // Outcome -+ status, // status -+ agentId, // AgentID -+ isCryptoValidate ? "true" : "false", // IsCryptoValidate -+ serversideKeygen ? "true" : "false", // IsServerSideKeygen -+ selectedToken, // SelectedToken -+ keyNickName, // KeyNickName -+ keySet, // TKSKeyset -+ log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion -+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion -+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd -+ errorMsg // Error -+ }; -+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, -+ logParams); -+ } -+ -+ audit(auditMessage); -+ -+ } -+ -+ private void processComputeSessionKey(HttpServletRequest req, -+ HttpServletResponse resp) throws EBaseException { -+ byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD -+ -+ // AC: KDF SPEC CHANGE - new config file values (needed for symkey) -+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; -+ boolean nistSP800_108KdfUseCuidAsKdd = false; -+ -+ byte[] card_crypto, host_cryptogram, input_card_crypto; -+ byte[] xcard_challenge, xhost_challenge; -+ byte[] enc_session_key, xkeyInfo; -+ String auditMessage = 
null; -+ String errorMsg = ""; -+ String badParams = ""; -+ String transportKeyName = ""; -+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); -+ -+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS -+ String rKDD = req.getParameter("KDD"); -+ if ((rKDD == null) || (rKDD.length() == 0)) { -+ // KDF phase1: default to rCUID if not present -+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); -+ rKDD = rCUID; -+ } -+ -+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); -+ if (keySet == null || keySet.equals("")) { -+ keySet = "defKeySet"; -+ } -+ CMS.debug("keySet selected: " + keySet); -+ -+ boolean serversideKeygen = false; -+ byte[] drm_trans_wrapped_desKey = null; -+ SymmetricKey desKey = null; -+ // PK11SymKey kek_session_key; -+ SymmetricKey kek_key; -+ -+ IConfigStore sconfig = CMS.getConfigStore(); -+ boolean isCryptoValidate = true; -+ boolean missingParam = false; -+ -+ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting -+ Exception missingSetting_exception = null; -+ -+ session_key = null; -+ card_crypto = null; -+ host_cryptogram = null; -+ enc_session_key = null; -+ // kek_session_key = null; -+ -+ SessionContext sContext = SessionContext.getContext(); -+ -+ String agentId = ""; -+ if (sContext != null) { -+ agentId = -+ (String) sContext.get(SessionContext.USER_ID); -+ } -+ -+ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST, -+ rCUID, -+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
-+ ILogger.SUCCESS, -+ agentId); -+ -+ audit(auditMessage); -+ -+ String kek_wrapped_desKeyString = null; -+ String keycheck_s = null; -+ -+ CMS.debug("processComputeSessionKey:"); -+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); -+ if (!useSoftToken_s.equalsIgnoreCase("true")) -+ useSoftToken_s = "false"; -+ -+ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -+ if (rServersideKeygen.equals("true")) { -+ CMS.debug("TokenServlet: serversideKeygen requested"); -+ serversideKeygen = true; -+ } else { -+ CMS.debug("TokenServlet: serversideKeygen not requested"); -+ } -+ -+ try { -+ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -+ } catch (EBaseException eee) { -+ } -+ -+ transportKeyName = getSharedSecretName(sconfig); -+ -+ String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); -+ String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); -+ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -+ String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); -+ if ((rCUID == null) || (rCUID.equals(""))) { -+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID"); -+ badParams += " CUID,"; -+ missingParam = true; -+ } -+ -+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS -+ if ((rKDD == null) || (rKDD.length() == 0)) { -+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD"); -+ badParams += " KDD,"; -+ missingParam = true; -+ } -+ -+ if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { -+ badParams += " card_challenge,"; -+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); -+ missingParam = true; -+ } -+ -+ if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { -+ badParams += " host_challenge,"; -+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: 
host challenge");
-+ missingParam = true;
-+ }
-+
-+ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
-+ badParams += " KeyInfo,";
-+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
-+ missingParam = true;
-+ }
-+
-+ String selectedToken = null;
-+ String keyNickName = null;
-+ boolean sameCardCrypto = true;
-+
-+ // AC: KDF SPEC CHANGE
-+ xCUID = null; // avoid errors about non-initialization
-+ xKDD = null; // avoid errors about non-initialization
-+ xkeyInfo = null; // avoid errors about non-initialization
-+
-+ if (!missingParam) {
-+
-+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-+ if (xCUID == null || xCUID.length != 10) {
-+ badParams += " CUID length,";
-+ CMS.debug("TokenServlet: Invalid CUID length");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-+ if (xKDD == null || xKDD.length != 10) {
-+ badParams += " KDD length,";
-+ CMS.debug("TokenServlet: Invalid KDD length");
-+ missingParam = true;
-+ }
-+
-+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-+ if (xkeyInfo == null || xkeyInfo.length != 2) {
-+ badParams += " KeyInfo length,";
-+ CMS.debug("TokenServlet: Invalid key info length.");
-+ missingParam = true;
-+ }
-+ xcard_challenge =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
-+ if (xcard_challenge == null || xcard_challenge.length != 8) {
-+ badParams += " card_challenge length,";
-+ CMS.debug("TokenServlet: Invalid card challenge length.");
-+ missingParam = true;
-+ }
-+
-+ xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
-+ if (xhost_challenge == null || xhost_challenge.length != 8) {
-+ badParams += " host_challenge length,";
-+ CMS.debug("TokenServlet: Invalid host challenge length");
-+ missingParam = true;
-+ }
-+
-+ }
-+
-+ if (!missingParam) {
-+ card_challenge =
-+ 
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
-+
-+ host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
-+ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-+
-+ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
-+ //ToDo: Will use these values after completing next ticket
-+ try {
-+ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
-+ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
-+
-+ // log settings read in to debug log along with xkeyInfo
-+ CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x"
-+ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
-+ + ", xkeyInfo[1] = 0x"
-+ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
-+ );
-+ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x"
-+ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
-+ );
-+ if (nistSP800_108KdfUseCuidAsKdd == true) {
-+ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
-+ } else {
-+ CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.");
-+ }
-+ // conform to the set-an-error-flag mentality
-+ } catch (Exception e) {
-+ missingSetting_exception = e;
-+ CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: "
-+ + e.toString());
-+ }
-+
-+ String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo; //#xx#xx
-+ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
-+ if (mappingValue == null) {
-+ selectedToken =
-+ CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-+ keyNickName = rKeyInfo;
-+ } else {
-+ StringTokenizer st = new StringTokenizer(mappingValue, ":");
-+ if (st.hasMoreTokens())
-+ selectedToken = st.nextToken();
-+ if (st.hasMoreTokens())
-+ keyNickName = st.nextToken();
-+ }
-+
-+ if (selectedToken != null && keyNickName != null
-+ // AC: KDF SPEC CHANGE - check for error flag
-+ && missingSetting_exception == null) {
-+
-+ try {
-+
-+ byte macKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".mac_key"));
-+ CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
-+ + selectedToken + " keyNickName=" + keyNickName);
-+
-+ SecureChannelProtocol protocol = new SecureChannelProtocol();
-+ SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType,
-+ selectedToken,
-+ keyNickName, card_challenge,
-+ host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID,
-+ xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName);
-+
-+ session_key = protocol.wrapSessionKey(selectedToken, macKey, null);
-+
-+ if (session_key == null) {
-+ CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL ");
-+ throw new Exception("Can't compute session key!");
-+
-+ }
-+
-+ byte encKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
-+ + keySet + ".auth_key"));
-+ SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType,
-+ selectedToken,
-+ keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion,
-+ nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet,
-+ transportKeyName);
-+
-+ enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null);
-+
-+ if (enc_session_key == null) {
-+ CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
-+ throw new Exception("Can't compute enc session key!");
-+
-+ }
-+
-+ if (serversideKeygen == true) {
-+
-+ /**
-+ * 0. generate des key
-+ * 1. encrypt des key with kek key
-+ * 2. encrypt des key with DRM transport key
-+ * These two wrapped items are to be sent back to
-+ * TPS. 2nd item is to DRM
-+ **/
-+ CMS.debug("TokenServlet: calling ComputeKekKey");
-+
-+ byte kekKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".kek_key"));
-+
-+ kek_key = protocol.computeKEKKey_SCP01(selectedToken,
-+ keyNickName,
-+ keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
-+ xCUID,
-+ xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName);
-+
-+ CMS.debug("TokenServlet: called ComputeKekKey");
-+
-+ if (kek_key == null) {
-+ CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL ");
-+ throw new Exception("Can't compute kek key!");
-+
-+ }
-+ // now use kek key to wrap kek session key..
-+ CMS.debug("computeSessionKey:kek key len =" +
-+ kek_key.getLength());
-+
-+ // (1) generate DES key
-+ /* applet does not support DES3
-+ org.mozilla.jss.crypto.KeyGenerator kg =
-+ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
-+ desKey = kg.generate();*/
-+
-+ /*
-+ * GenerateSymkey firt generates a 16 byte DES2 key.
-+ * It then pads it into a 24 byte key with last
-+ * 8 bytes copied from the 1st 8 bytes. Effectively
-+ * making it a 24 byte DES2 key. 
We need this for
-+ * wrapping private keys on DRM.
-+ */
-+ /*generate it on whichever token the master key is at*/
-+ if (useSoftToken_s.equals("true")) {
-+ CMS.debug("TokenServlet: key encryption key generated on internal");
-+ //cfu audit here? sym key gen
-+
-+ desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME);
-+ //cfu audit here? sym key gen done
-+ } else {
-+ CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
-+ desKey = protocol.generateSymKey(selectedToken);
-+ }
-+ if (desKey != null) {
-+ // AC: KDF SPEC CHANGE - Output using CUID and KDD
-+ CMS.debug("TokenServlet: key encryption key generated for CUID=" +
-+ trim(pp.toHexString(xCUID)) +
-+ ", KDD=" +
-+ trim(pp.toHexString(xKDD)));
-+ } else {
-+ // AC: KDF SPEC CHANGE - Output using CUID and KDD
-+ CMS.debug("TokenServlet: key encryption key generation failed for CUID=" +
-+ trim(pp.toHexString(xCUID)) +
-+ ", KDD=" +
-+ trim(pp.toHexString(xKDD)));
-+
-+ throw new Exception("can't generate key encryption key");
-+ }
-+
-+ /*
-+ * ECBencrypt actually takes the 24 byte DES2 key
-+ * and discard the last 8 bytes before it encrypts. 
-+ * This is done so that the applet can digest it
-+ */
-+
-+ byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken);
-+
-+ /*
-+ CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length);
-+ CMS.debug(encDesKey);
-+ */
-+
-+ kek_wrapped_desKeyString =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
-+
-+ // get keycheck
-+
-+ byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken);
-+ /*
-+ CMS.debug("computeSessionKey:keycheck size = "+keycheck.length);
-+ CMS.debug(keycheck);
-+ */
-+ keycheck_s =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
-+
-+ //use DRM transport cert to wrap desKey
-+ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
-+
-+ if ((drmTransNickname == null) || (drmTransNickname == "")) {
-+ CMS.debug("TokenServlet:did not find DRM transport certificate nickname");
-+ throw new Exception("can't find DRM transport certificate nickname");
-+ } else {
-+ CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname);
-+ }
-+
-+ X509Certificate drmTransCert = null;
-+ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
-+ // wrap kek session key with DRM transport public key
-+ CryptoToken token = null;
-+ if (useSoftToken_s.equals("true")) {
-+ token = CryptoUtil.getCryptoToken(null);
-+ } else {
-+ token = CryptoUtil.getCryptoToken(selectedToken);
-+ }
-+ PublicKey pubKey = drmTransCert.getPublicKey();
-+ String pubKeyAlgo = pubKey.getAlgorithm();
-+ CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
-+ KeyWrapper keyWrapper = null;
-+ //For wrapping symmetric keys don't need IV, use ECB
-+ if (pubKeyAlgo.equals("EC")) {
-+ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
-+ keyWrapper.initWrap(pubKey, null);
-+ } else {
-+ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
-+ keyWrapper.initWrap(pubKey, null);
-+ }
-+ CMS.debug("desKey token " + 
desKey.getOwningToken().getName() + " token: " + token.getName());
-+ drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
-+ CMS.debug("computeSessionKey:desKey wrapped with drm transportation key.");
-+
-+ } // if (serversideKeygen == true)
-+
-+ byte authKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".auth_key"));
-+
-+ host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
-+ host_challenge,
-+ xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM,
-+ authKeyArray, useSoftToken_s, keySet, transportKeyName);
-+
-+ if (host_cryptogram == null) {
-+ CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
-+ throw new Exception("Can't compute host cryptogram!");
-+
-+ }
-+
-+ card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
-+ host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
-+ xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName);
-+
-+ if (card_crypto == null) {
-+ CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
-+ throw new Exception("Can't compute card cryptogram!");
-+
-+ }
-+
-+ if (isCryptoValidate) {
-+ if (rcard_cryptogram == null) {
-+ CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram");
-+ throw new Exception("Missing card cryptogram");
-+ }
-+ input_card_crypto =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
-+
-+ //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto");
-+ //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto");
-+
-+ if (card_crypto.length == input_card_crypto.length) {
-+ for (int i = 0; i < card_crypto.length; i++) {
-+ if (card_crypto[i] != input_card_crypto[i]) {
-+ sameCardCrypto = false;
-+ break;
-+ }
-+ }
-+ } else {
-+ // different length; must 
be different
-+ sameCardCrypto = false;
-+ }
-+ }
-+
-+ // AC: KDF SPEC CHANGE - print both KDD and CUID
-+ CMS.getLogger().log(ILogger.EV_AUDIT,
-+ ILogger.S_TKS,
-+ ILogger.LL_INFO, "processComputeSessionKey for CUID=" +
-+ trim(pp.toHexString(xCUID)) +
-+ ", KDD=" +
-+ trim(pp.toHexString(xKDD)));
-+ } catch (Exception e) {
-+ CMS.debug(e);
-+ CMS.debug("TokenServlet Computing Session Key: " + e.toString());
-+ if (isCryptoValidate)
-+ sameCardCrypto = false;
-+ }
-+ }
-+ } // ! missingParam
-+
-+ String value = "";
-+
-+ resp.setContentType("text/html");
-+
-+ String outputString = "";
-+ String encSessionKeyString = "";
-+ String drm_trans_wrapped_desKeyString = "";
-+ String cryptogram = "";
-+ String status = "0";
-+ if (session_key != null && session_key.length > 0) {
-+ outputString =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
-+ } else {
-+
-+ status = "1";
-+ }
-+
-+ if (enc_session_key != null && enc_session_key.length > 0) {
-+ encSessionKeyString =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
-+ } else {
-+ status = "1";
-+ }
-+
-+ if (serversideKeygen == true) {
-+ if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
-+ drm_trans_wrapped_desKeyString =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
-+ else {
-+ status = "1";
-+ }
-+ }
-+
-+ if (host_cryptogram != null && host_cryptogram.length > 0) {
-+ cryptogram =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
-+ } else {
-+ // AC: Bugfix: Don't override status's value if an error was already flagged
-+ if (status.equals("0") == true) {
-+ status = "2";
-+ }
-+ }
-+
-+ if (selectedToken == null || keyNickName == null) {
-+ // AC: Bugfix: Don't override status's value if an error was already flagged
-+ if (status.equals("0") == true) {
-+ status = "4";
-+ }
-+ }
-+
-+ if (!sameCardCrypto) {
-+ // AC: Bugfix: Don't override status's value if an error was already flagged
-+ if 
(status.equals("0") == true) {
-+ // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues
-+ status = "5";
-+ }
-+ }
-+
-+ // AC: KDF SPEC CHANGE - check for settings file issue (flag)
-+ if (missingSetting_exception != null) {
-+ // AC: Intentionally override previous errors if config file settings were missing.
-+ status = "6";
-+ }
-+
-+ if (missingParam) {
-+ // AC: Intentionally override previous errors if parameters were missing.
-+ status = "3";
-+ }
-+
-+ if (!status.equals("0")) {
-+
-+ if (status.equals("1")) {
-+ errorMsg = "Problem generating session key info.";
-+ }
-+
-+ if (status.equals("2")) {
-+ errorMsg = "Problem creating host_cryptogram.";
-+ }
-+
-+ // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues
-+ if (status.equals("5")) {
-+ errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
-+ }
-+
-+ if (status.equals("4")) {
-+ errorMsg = "Problem obtaining token information.";
-+ }
-+
-+ // AC: KDF SPEC CHANGE - handle missing configuration item
-+ if (status.equals("6")) {
-+ errorMsg = "Problem reading required configuration value.";
-+ }
-+
-+ if (status.equals("3")) {
-+ if (badParams.endsWith(",")) {
-+ badParams = badParams.substring(0, badParams.length() - 1);
-+ }
-+ errorMsg = "Missing input parameters :" + badParams;
-+ }
-+
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-+ } else {
-+ if (serversideKeygen == true) {
-+ StringBuffer sb = new StringBuffer();
-+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
-+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
-+ sb.append(outputString);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
-+ sb.append(cryptogram);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
-+ sb.append(encSessionKeyString);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
-+ sb.append(kek_wrapped_desKeyString);
-+ sb.append("&" + 
IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
-+ sb.append(keycheck_s);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
-+ sb.append(drm_trans_wrapped_desKeyString);
-+ value = sb.toString();
-+ } else {
-+
-+ StringBuffer sb = new StringBuffer();
-+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
-+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
-+ sb.append(outputString);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
-+ sb.append(cryptogram);
-+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
-+ sb.append(encSessionKeyString);
-+ value = sb.toString();
-+ }
-+
-+ }
-+ //CMS.debug("TokenServlet:outputString.encode " + value);
-+
-+ try {
-+ resp.setContentLength(value.length());
-+ CMS.debug("TokenServlet:outputString.length " + value.length());
-+ OutputStream ooss = resp.getOutputStream();
-+ ooss.write(value.getBytes());
-+ ooss.flush();
-+ mRenderResult = false;
-+ } catch (IOException e) {
-+ CMS.debug("TokenServlet: " + e.toString());
-+ }
-+
-+ if (status.equals("0")) {
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.SUCCESS, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+ isCryptoValidate ? "true" : "false", // IsCryptoValidate
-+ serversideKeygen ? 
"true" : "false", // IsServerSideKeygen
-+ selectedToken, // SelectedToken
-+ keyNickName, // KeyNickName
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-+ logParams);
-+
-+ } else {
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.FAILURE, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+ isCryptoValidate ? "true" : "false", // IsCryptoValidate
-+ serversideKeygen ? "true" : "false", // IsServerSideKeygen
-+ selectedToken, // SelectedToken
-+ keyNickName, // KeyNickName
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
-+ errorMsg // Error
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-+ logParams);
-+
-+ }
-+
-+ audit(auditMessage);
-+ }
-+
-+ // This method will return the shared secret name. In new 10.1 subsystems, this
-+ // name will be stored in tps.X.nickname.
-+ //
-+ // Until multiple TKS/TPS connections is fully supported, this method will just
-+ // return the first shared secret nickname found, on the assumption that only
-+ // one nickname will be configured. 
This will have to be changed to return the correct
-+ // key based on some parameter in the request in future.
-+ //
-+ // On legacy systems, this method just returns what was previously returned.
-+ private String getSharedSecretName(IConfigStore cs) throws EBaseException {
-+ boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
-+
-+ if (useNewNames) {
-+ String tpsList = cs.getString("tps.list", "");
-+ String firstSharedSecretName = null;
-+ if (!tpsList.isEmpty()) {
-+ for (String tpsID : tpsList.split(",")) {
-+ String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
-+
-+ // This one will be a fall back in case we can't get a specific one
-+ if (firstSharedSecretName == null) {
-+ firstSharedSecretName = sharedSecretName;
-+ }
-+
-+ if (!sharedSecretName.isEmpty()) {
-+ if (mCurrentUID != null) {
-+ String csUid = cs.getString("tps." + tpsID + ".userid", "");
-+
-+ if (mCurrentUID.equalsIgnoreCase(csUid)) {
-+ CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
-+ return sharedSecretName;
-+ }
-+ }
-+ }
-+ }
-+
-+ if (firstSharedSecretName != null) {
-+ //Return the first in the list if we couldn't isolate one
-+ return firstSharedSecretName;
-+ }
-+ }
-+ CMS.debug("getSharedSecretName: no shared secret has been configured");
-+ throw new EBaseException("No shared secret has been configured");
-+ }
-+
-+ // legacy system - return as before
-+ return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
-+ }
-+
-+ //Accepts protocol param and supports scp03.
-+ private void processDiversifyKey(HttpServletRequest req,
-+ HttpServletResponse resp) throws EBaseException {
-+
-+ String method = "TokenServlet.processDiversifyKey: ";
-+ byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
-+
-+ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. 
-+ String oldKeyNickName = null;
-+ String newKeyNickName = null;
-+
-+ // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
-+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
-+ boolean nistSP800_108KdfUseCuidAsKdd = false;
-+
-+ // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey.
-+ byte[] xkeyInfo = null, xnewkeyInfo = null;
-+
-+ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
-+ Exception missingSetting_exception = null;
-+
-+ boolean missingParam = false;
-+ String errorMsg = "";
-+ String badParams = "";
-+ byte[] xWrappedDekKey = null;
-+
-+ IConfigStore sconfig = CMS.getConfigStore();
-+ String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
-+ String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
-+ String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ String rKDD = req.getParameter("KDD");
-+ if ((rKDD == null) || (rKDD.length() == 0)) {
-+ // temporarily make it friendly before TPS change
-+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
-+ rKDD = rCUID;
-+ }
-+
-+ String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
-+ String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY);
-+
-+ CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey);
-+
-+ int protocol = 1;
-+ String auditMessage = "";
-+
-+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
-+ if (keySet == null || keySet.equals("")) {
-+ keySet = "defKeySet";
-+ }
-+ CMS.debug("keySet selected: " + keySet);
-+
-+ SessionContext sContext = SessionContext.getContext();
-+
-+ String agentId = "";
-+ if (sContext != null) {
-+ agentId =
-+ (String) 
sContext.get(SessionContext.USER_ID);
-+ }
-+
-+ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.DIVERSIFY_KEY_REQUEST,
-+ rCUID,
-+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-+ ILogger.SUCCESS,
-+ agentId,
-+ oldMasterKeyName,
-+ newMasterKeyName);
-+
-+ audit(auditMessage);
-+
-+ if ((rCUID == null) || (rCUID.equals(""))) {
-+ badParams += " CUID,";
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ if ((rKDD == null) || (rKDD.length() == 0)) {
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
-+ badParams += " KDD,";
-+ missingParam = true;
-+ }
-+
-+ if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
-+ badParams += " newKeyInfo,";
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
-+ missingParam = true;
-+ }
-+ if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) {
-+ badParams += " KeyInfo,";
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE
-+ xCUID = null; // avoid errors about non-initialization
-+ xKDD = null; // avoid errors about non-initialization
-+ xkeyInfo = null; // avoid errors about non-initialization
-+ xnewkeyInfo = null; // avoid errors about non-initialization
-+
-+ if (!missingParam) {
-+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
-+ if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
-+ badParams += " KeyInfo length,";
-+ CMS.debug("TokenServlet: Invalid key info length");
-+ missingParam = true;
-+ }
-+ xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
-+ if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) {
-+ badParams += " NewKeyInfo 
length,";
-+ CMS.debug("TokenServlet: Invalid new key info length");
-+ missingParam = true;
-+ }
-+
-+ if (rProtocol != null) {
-+ try {
-+ protocol = Integer.parseInt(rProtocol);
-+ } catch (NumberFormatException e) {
-+ protocol = 1;
-+ }
-+ }
-+ CMS.debug("process DiversifyKey: protocol value: " + protocol);
-+
-+ if (protocol == 2) {
-+ if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) {
-+ badParams += " WrappedDekKey,";
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02.");
-+ missingParam = true;
-+ } else {
-+
-+ CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey);
-+ xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey);
-+ }
-+
-+ }
-+ }
-+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
-+ if (!useSoftToken_s.equalsIgnoreCase("true"))
-+ useSoftToken_s = "false";
-+
-+ KeySetData = null;
-+ if (!missingParam) {
-+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-+ if (xCUID == null || xCUID.length != 10) {
-+ badParams += " CUID length,";
-+ CMS.debug("TokenServlet: Invalid CUID length");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-+ if (xKDD == null || xKDD.length != 10) {
-+ badParams += " KDD length,";
-+ CMS.debug("TokenServlet: Invalid KDD length");
-+ missingParam = true;
-+ }
-+ }
-+ if (!missingParam) {
-+ // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. 
-+
-+ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
-+
-+ //ToDo: Refactor this, this same block occurs several times in the file
-+ try {
-+ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
-+ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
-+
-+ // log settings read in to debug log along with xkeyInfo and xnewkeyInfo
-+ CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x"
-+ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
-+ + ", xkeyInfo[1] (old) = 0x"
-+ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
-+ + ", xnewkeyInfo[0] = 0x"
-+ + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF)
-+ + ", xnewkeyInfo[1] = 0x"
-+ + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF)
-+ );
-+ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x"
-+ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
-+ );
-+ if (nistSP800_108KdfUseCuidAsKdd == true) {
-+ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
-+ } else {
-+ CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD.");
-+ }
-+ // conform to the set-an-error-flag mentality
-+ } catch (Exception e) {
-+ missingSetting_exception = e;
-+ CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: "
-+ + e.toString());
-+ }
-+
-+ if (mKeyNickName != null)
-+ oldMasterKeyName = mKeyNickName;
-+ if (mNewKeyNickName != null)
-+ newMasterKeyName = mNewKeyNickName;
-+
-+ String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-+
-+ // Get the first 6 characters, since scp03 gives us extra characters.
-+ tokKeyInfo = tokKeyInfo.substring(0,6);
-+ String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ tokKeyInfo; //#xx#xx
-+ CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap);
-+ String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null);
-+ String oldSelectedToken = null;
-+ if (oldMappingValue == null) {
-+ oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-+ oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-+ } else {
-+ StringTokenizer st = new StringTokenizer(oldMappingValue, ":");
-+ oldSelectedToken = st.nextToken();
-+ oldKeyNickName = st.nextToken();
-+ }
-+
-+
-+ String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx
-+ CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap);
-+ String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
-+ String newSelectedToken = null;
-+ if (newMappingValue == null) {
-+ newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-+ newKeyNickName = rnewKeyInfo;
-+ } else {
-+ StringTokenizer st = new StringTokenizer(newMappingValue, ":");
-+ newSelectedToken = st.nextToken();
-+ newKeyNickName = st.nextToken();
-+ }
-+
-+ CMS.debug("process DiversifyKey for oldSelectedToke=" +
-+ oldSelectedToken + " newSelectedToken=" + newSelectedToken +
-+ " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" +
-+ newKeyNickName);
-+
-+ byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet);
-+ byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet);
-+ byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet);
-+
-+ // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key"));
-+
-+ //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset
-+ // passed down to the SecureChannelProtocol functions that deal with SCP03
-+
-+ GPParams gp3Params = readGPSettings(keySet);
-+
-+ SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol);
-+ // AC: KDF SPEC CHANGE - check for error reading settings
-+ if (missingSetting_exception == null) {
-+ if (protocol == 1 || protocol == 3) {
-+ KeySetData = secProtocol.diversifyKey(oldSelectedToken,
-+ newSelectedToken, oldKeyNickName,
-+ newKeyNickName,
-+ xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use
-+ xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[]
-+ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
-+ nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
-+ xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
-+ xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
-+ kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params);
-+
-+ } else if (protocol == 2) {
-+ KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName,
-+ newKeyNickName, xkeyInfo,
-+ xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD,
-+ (protocol == 2) ? 
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol);
-+ }
-+ //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: ");
-+ CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained");
-+
-+ if (KeySetData == null || KeySetData.length <= 1) {
-+ CMS.getLogger().log(ILogger.EV_AUDIT,
-+ ILogger.S_TKS,
-+ ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot");
-+ }
-+
-+ CMS.getLogger().log(ILogger.EV_AUDIT,
-+ ILogger.S_TKS,
-+ ILogger.LL_INFO,
-+ "process DiversifyKey for CUID=" +
-+ trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD
-+ ", KDD=" +
-+ trim(pp.toHexString(xKDD))
-+ + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName
-+ + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName);
-+
-+ resp.setContentType("text/html");
-+
-+ } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
-+
-+ } // ! missingParam
-+
-+ String value = "";
-+ String status = "0";
-+
-+ if (KeySetData != null && KeySetData.length > 1) {
-+ value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" +
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
-+ //CMS.debug("TokenServlet:process DiversifyKey.encode " + value);
-+ CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData");
-+ // AC: KDF SPEC CHANGE - check for settings file issue (flag)
-+ } else if (missingSetting_exception != null) {
-+ status = "6";
-+ errorMsg = "Problem reading required configuration value.";
-+ value = "status=" + status;
-+ } else if (missingParam) {
-+ status = "3";
-+ if (badParams.endsWith(",")) {
-+ badParams = badParams.substring(0, badParams.length() - 1);
-+ }
-+ errorMsg = "Missing input parameters: " + badParams;
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-+ } else {
-+ errorMsg = "Problem diversifying key data.";
-+ status = "1";
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" +
status;
-+ }
-+
-+ resp.setContentLength(value.length());
-+ CMS.debug("TokenServlet:outputString.length " + value.length());
-+
-+ try {
-+ OutputStream ooss = resp.getOutputStream();
-+ ooss.write(value.getBytes());
-+ ooss.flush();
-+ mRenderResult = false;
-+ } catch (Exception e) {
-+ CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
-+ }
-+
-+ if (status.equals("0")) {
-+
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+ // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.SUCCESS, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+
-+ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
-+ oldKeyNickName, // oldMasterKeyName
-+ newKeyNickName, // newMasterKeyName
-+
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
-+ log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
-+ } else {
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+ // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.FAILURE, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+
-+ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
-+ oldKeyNickName, // oldMasterKeyName
-+ newKeyNickName, // newMasterKeyName
-+
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
-+ log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
-+ errorMsg // Error
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
-+ }
-+
-+ audit(auditMessage);
-+ }
-+
-+ private void processEncryptData(HttpServletRequest req,
-+ HttpServletResponse resp) throws EBaseException {
-+ byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
-+
-+ // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
-+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
-+ boolean nistSP800_108KdfUseCuidAsKdd = false;
-+
-+ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
-+ Exception missingSetting_exception = null;
-+
-+ boolean missingParam = false;
-+ byte[] data = null;
-+ boolean isRandom = true; // randomly generate the data to be encrypted
-+
-+ String errorMsg = "";
-+ String badParams = "";
-+ IConfigStore sconfig = CMS.getConfigStore();
-+ encryptedData = null;
-+ String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA);
-+ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
-+
-+ String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
-+
-+
// AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ String rKDD = req.getParameter("KDD");
-+ if ((rKDD == null) || (rKDD.length() == 0)) {
-+ // temporarily make it friendly before TPS change
-+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
-+ rKDD = rCUID;
-+ }
-+
-+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
-+ if (keySet == null || keySet.equals("")) {
-+ keySet = "defKeySet";
-+ }
-+
-+ SessionContext sContext = SessionContext.getContext();
-+
-+ String agentId = "";
-+ if (sContext != null) {
-+ agentId =
-+ (String) sContext.get(SessionContext.USER_ID);
-+ }
-+
-+ CMS.debug("keySet selected: " + keySet);
-+
-+ String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
-+ if (s_isRandom.equalsIgnoreCase("false")) {
-+ CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated");
-+ isRandom = false;
-+ } else {
-+ CMS.debug("TokenServlet: processEncryptData(): Random number generation required");
-+ isRandom = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
-+ String auditMessage = CMS.getLogMessage(
-+ AuditEvent.ENCRYPT_DATA_REQUEST,
-+ rCUID,
-+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
-+ ILogger.SUCCESS,
-+ agentId,
-+ s_isRandom);
-+ audit(auditMessage);
-+
-+ GPParams gp3Params = readGPSettings(keySet);
-+
-+ if (isRandom) {
-+ if ((rdata == null) || (rdata.equals(""))) {
-+ CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data");
-+ } else {
-+ CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required.
Generating...");
-+ }
-+ try {
-+ SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
-+ data = new byte[16];
-+ random.nextBytes(data);
-+ } catch (Exception e) {
-+ CMS.debug("TokenServlet: processEncryptData():" + e.toString());
-+ badParams += " Random Number,";
-+ missingParam = true;
-+ }
-+ } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) {
-+ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
-+ badParams += " data,";
-+ missingParam = true;
-+ }
-+
-+ if ((rCUID == null) || (rCUID.equals(""))) {
-+ badParams += " CUID,";
-+ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ if ((rKDD == null) || (rKDD.length() == 0)) {
-+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
-+ badParams += " KDD,";
-+ missingParam = true;
-+ }
-+
-+ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
-+ badParams += " KeyInfo,";
-+ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE
-+ xCUID = null; // avoid errors about non-initialization
-+ xKDD = null; // avoid errors about non-initialization
-+ xkeyInfo = null; // avoid errors about non-initialization
-+
-+ if (!missingParam) {
-+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-+ if (xCUID == null || xCUID.length != 10) {
-+ badParams += " CUID length,";
-+ CMS.debug("TokenServlet: Invalid CUID length");
-+ missingParam = true;
-+ }
-+
-+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
-+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-+ if (xKDD == null || xKDD.length != 10) {
-+ badParams += " KDD length,";
-+ CMS.debug("TokenServlet: Invalid KDD length");
-+ missingParam = true;
-+ }
-+
-+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-+ if (xkeyInfo == null
|| (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
-+ badParams += " KeyInfo length,";
-+ CMS.debug("TokenServlet: Invalid key info length");
-+ missingParam = true;
-+ }
-+ }
-+
-+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
-+ if (!useSoftToken_s.equalsIgnoreCase("true"))
-+ useSoftToken_s = "false";
-+
-+ String selectedToken = null;
-+ String keyNickName = null;
-+ if (!missingParam) {
-+
-+ // AC: KDF SPEC CHANGE - read new config file values (needed for symkey
-+ try {
-+ nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
-+ nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
-+
-+ // log settings read in to debug log along with xkeyInfo
-+ CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x"
-+ + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
-+ + ", xkeyInfo[1] = 0x"
-+ + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
-+ );
-+ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x"
-+ + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
-+ );
-+ if (nistSP800_108KdfUseCuidAsKdd == true) {
-+ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
-+ } else {
-+ CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD.");
-+ }
-+ // conform to the set-an-error-flag mentality
-+ } catch (Exception e) {
-+ missingSetting_exception = e;
-+ CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: "
-+ + e.toString());
-+ }
-+
-+ if (!isRandom)
-+ data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
-+ keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-+
-+ String keyInfoMap = "tks." + keySet + ".mk_mappings."
+ rKeyInfo.substring(0,6);
-+ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
-+ if (mappingValue == null) {
-+ selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
-+ keyNickName = rKeyInfo;
-+ } else {
-+ StringTokenizer st = new StringTokenizer(mappingValue, ":");
-+ selectedToken = st.nextToken();
-+ keyNickName = st.nextToken();
-+ }
-+
-+
-+ //calculate the protocol
-+
-+ int protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
-+ try
-+ {
-+ protocolInt = Integer.parseInt(protocolValue);
-+ }
-+ catch (NumberFormatException nfe)
-+ {
-+ protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
-+ }
-+
-+ CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt);
-+
-+ //Check for reasonable sanity, leave room for future versions
-+ if(protocolInt <= 0 || protocolInt > 20) {
-+ CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1.");
-+ protocolInt = 1;
-+
-+ }
-+
-+ byte kekKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+ keySet + ".kek_key"));
-+ // AC: KDF SPEC CHANGE - check for error reading settings
-+ if (missingSetting_exception == null) {
-+
-+
-+ SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt);
-+
-+ if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) {
-+
-+ encryptedData = protocol.encryptData(
-+ selectedToken, keyNickName, data, keyInfo,
-+ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
-+ nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
-+ xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
-+ xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
-+ kekKeyArray, useSoftToken_s, keySet);
-+
-+ } else {
-+
-+ encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo,
-+ nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray,
-+ useSoftToken_s, keySet,gp3Params);
-+
-+ }
-+
-+ SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: ");
-+
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+
-+ CMS.getLogger().log(ILogger.EV_AUDIT,
-+ ILogger.S_TKS,
-+ ILogger.LL_INFO, "process EncryptData for CUID=" +
-+ trim(pp.toHexString(xCUID)) +
-+ ", KDD=" +
-+ trim(pp.toHexString(xKDD)));
-+
-+ } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
-+
-+ } // !missingParam
-+
-+ resp.setContentType("text/html");
-+
-+ String value = "";
-+ String status = "0";
-+ if (encryptedData != null && encryptedData.length > 0) {
-+ // sending both the pre-encrypted and encrypted data back
-+ value = IRemoteRequest.RESPONSE_STATUS + "=0&"
-+ + IRemoteRequest.TOKEN_DATA + "=" +
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(data) +
-+ "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" +
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
-+ // AC: KDF SPEC CHANGE - check for
settings file issue (flag)
-+ } else if (missingSetting_exception != null) {
-+ status = "6";
-+ errorMsg = "Problem reading required configuration value.";
-+ value = "status=" + status;
-+ } else if (missingParam) {
-+ if (badParams.endsWith(",")) {
-+ badParams = badParams.substring(0, badParams.length() - 1);
-+ }
-+ errorMsg = "Missing input parameters: " + badParams;
-+ status = "3";
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-+ } else {
-+ errorMsg = "Problem encrypting data.";
-+ status = "1";
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-+ }
-+
-+ //CMS.debug("TokenServlet:process EncryptData.encode " + value);
-+
-+ try {
-+ resp.setContentLength(value.length());
-+ CMS.debug("TokenServlet:outputString.lenght " + value.length());
-+
-+ OutputStream ooss = resp.getOutputStream();
-+ ooss.write(value.getBytes());
-+ ooss.flush();
-+ mRenderResult = false;
-+ } catch (Exception e) {
-+ CMS.debug("TokenServlet: " + e.toString());
-+ }
-+
-+ if (status.equals("0")) {
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.SUCCESS, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+ s_isRandom, // isRandom
-+ selectedToken, // SelectedToken
-+ keyNickName, // KeyNickName
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
-+ } else {
-+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
-+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
-+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-+ ILogger.FAILURE, // Outcome
-+ status, // status
-+ agentId, // AgentID
-+ s_isRandom, // isRandom
-+ selectedToken, // SelectedToken
-+ keyNickName, // KeyNickName
-+ keySet, // TKSKeyset
-+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
-+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
-+ errorMsg // Error
-+ };
-+ auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
-+ }
-+
-+ audit(auditMessage);
-+ }
-+
-+ /*
-+ * For EncryptData:
-+ * data=value1
-+ * CUID=value2 // missing from RA
-+ * versionID=value3 // missing from RA
-+ *
-+ * For ComputeSession:
-+ * card_challenge=value1
-+ * host_challenge=value2
-+
-+ * For DiversifyKey:
-+ * new_master_key_index
-+ * master_key_index
-+ */
-+
-+ private void processComputeRandomData(HttpServletRequest req,
-+ HttpServletResponse resp) throws EBaseException {
-+
-+ byte[] randomData = null;
-+ String status = "0";
-+ String errorMsg = "";
-+ String badParams = "";
-+ boolean missingParam = false;
-+ int dataSize = 0;
-+
-+ CMS.debug("TokenServlet::processComputeRandomData");
-+
-+ SessionContext sContext = SessionContext.getContext();
-+
-+ String agentId = "";
-+ if (sContext != null) {
-+ agentId =
-+ (String) sContext.get(SessionContext.USER_ID);
-+ }
-+
-+ String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES);
-+
-+ if (sDataSize == null || sDataSize.equals("")) {
-+ CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes");
-+ badParams += " Random Data size, ";
-+ missingParam = true;
-+ status = "1";
-+ } else {
-+ try {
-+ dataSize = Integer.parseInt(sDataSize.trim());
-+ } catch (NumberFormatException nfe) {
-+ CMS.debug("TokenServlet::processComputeRandomData invalid data size input!");
-+ badParams += " Random Data size, ";
-+ missingParam = true;
-+ status = "1";
-+ }
-+
-+ }
-+
-+ CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
-+
-+ String auditMessage = CMS.getLogMessage(
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
-+ ILogger.SUCCESS,
-+ agentId);
-+
-+ audit(auditMessage);
-+
-+ if (!missingParam) {
-+ try {
-+ SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
-+ randomData = new byte[dataSize];
-+ random.nextBytes(randomData);
-+ } catch (Exception e) {
-+ CMS.debug("TokenServlet::processComputeRandomData:" + e.toString());
-+ errorMsg = "Can't generate random data!";
-+ status = "2";
-+ }
-+ }
-+
-+ String randomDataOut = "";
-+ if (status.equals("0")) {
-+ if (randomData != null && randomData.length == dataSize) {
-+ randomDataOut =
-+ com.netscape.cmsutil.util.Utils.SpecialEncode(randomData);
-+ } else {
-+ status = "2";
-+ errorMsg = "Can't convert random data!";
-+ }
-+ }
-+
-+ if (status.equals("1") && missingParam) {
-+
-+ if (badParams.endsWith(",")) {
-+ badParams = badParams.substring(0, badParams.length() - 1);
-+ }
-+ errorMsg = "Missing input parameters :" + badParams;
-+ }
-+
-+ resp.setContentType("text/html");
-+ String value = "";
-+
-+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
-+ if (status.equals("0")) {
-+ value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut;
-+ }
-+
-+ try {
-+ resp.setContentLength(value.length());
-+ CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length());
-+
-+ OutputStream ooss = resp.getOutputStream();
-+ ooss.write(value.getBytes());
-+ ooss.flush();
-+ mRenderResult = false;
-+ } catch (Exception e) {
-+ CMS.debug("TokenServlet::processComputeRandomData " + e.toString());
-+ }
-+
-+ if (status.equals("0")) {
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
-+ ILogger.SUCCESS,
-+ status,
-+ agentId);
-+ } else {
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
-+ ILogger.FAILURE,
-+ status,
-+ agentId,
-+ errorMsg);
-+ }
-+
-+ audit(auditMessage);
-+ }
-+
-+ public void process(CMSRequest cmsReq) throws EBaseException {
-+ HttpServletRequest req = cmsReq.getHttpReq();
-+ HttpServletResponse resp = cmsReq.getHttpResp();
-+
-+ IAuthToken authToken = authenticate(cmsReq);
-+ AuthzToken authzToken = null;
-+
-+ mCurrentUID = (String) authToken.get(IAuthToken.UID) ;
-+
-+ try {
-+ authzToken = authorize(mAclMethod, authToken,
-+ mAuthzResourceName, "execute");
-+ } catch (Exception e) {
-+ }
-+
-+ if (authzToken == null) {
-+
-+ try {
-+ resp.setContentType("text/html");
-+ String value = "unauthorized=";
-+ CMS.debug("TokenServlet: Unauthorized");
-+
-+ resp.setContentLength(value.length());
-+ OutputStream ooss = resp.getOutputStream();
-+ ooss.write(value.getBytes());
-+ ooss.flush();
-+ mRenderResult = false;
-+ }
catch (Exception e) {
-+ CMS.debug("TokenServlet: " + e.toString());
-+ }
-+
-+ // cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
-+ return;
-+ }
-+
-+ String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
-+ String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
-+ String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT);
-+ //CMS.debug("Protocol: " + protocol + " temp: " + temp);
-+
-+ setDefaultSlotAndKeyName(req);
-+ if (temp != null && protocol == null) {
-+ processComputeSessionKey(req, resp);
-+ } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) {
-+ processEncryptData(req, resp);
-+ } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) {
-+ processDiversifyKey(req, resp);
-+ } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) {
-+ processComputeRandomData(req, resp);
-+ } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) {
-+ //SCP02 compute one session key.
-+ processComputeSessionKeySCP02(req, resp);
-+
-+ } else if (protocol != null && protocol.contains("3") ) {
-+ processComputeSessionKeysSCP03(req,resp);
-+ } else {
-+ throw new EBaseException("Process: Can't decide upon function to call!");
-+ }
-+ }
-+
-+ //Create all the session keys for scp03 at once and return.
-+ //ToDo: calcualte the optional rmac key
-+ private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException {
-+ String method = "processComputeSessionKeysSCP03:";
-+ CMS.debug(method + " entering ...");
-+
-+ byte[] card_challenge, host_challenge, xCUID, xKDD;
-+ byte[] card_crypto, host_cryptogram, input_card_crypto;
-+ byte[] xcard_challenge, xhost_challenge;
-+ byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key;
-+ String auditMessage = null;
-+ String errorMsg = "";
-+ String badParams = "";
-+ String transportKeyName = "";
-+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
-+
-+ String rKDD = req.getParameter("KDD");
-+ if ((rKDD == null) || (rKDD.length() == 0)) {
-+ // KDF phase1: default to rCUID if not present
-+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
-+ rKDD = rCUID;
-+ }
-+
-+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
-+ if (keySet == null || keySet.equals("")) {
-+ keySet = "defKeySet";
-+ }
-+ CMS.debug("keySet selected: " + keySet);
-+
-+ GPParams gp3Params = readGPSettings(keySet);
-+
-+ boolean serversideKeygen = false;
-+
-+ IConfigStore sconfig = CMS.getConfigStore();
-+ boolean isCryptoValidate = true;
-+ boolean missingParam = false;
-+
-+ Exception missingSetting_exception = null;
-+
-+ mac_session_key = null;
-+ kek_session_key = null;
-+ card_crypto = null;
-+ host_cryptogram = null;
-+ enc_session_key = null;
-+
-+ SessionContext sContext = SessionContext.getContext();
-+
-+ String agentId = "";
-+ if (sContext != null) {
-+ agentId =
-+ (String) sContext.get(SessionContext.USER_ID);
-+ }
-+
-+ auditMessage = CMS.getLogMessage(
-+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
-+ rCUID,
-+ rKDD,
-+ ILogger.SUCCESS,
-+ agentId);
-+
-+ audit(auditMessage);
-+
-+ String kek_wrapped_desKeyString = null;
-+ String keycheck_s = null;
-+
-+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken",
"true"); -+ if (!useSoftToken_s.equalsIgnoreCase("true")) -+ useSoftToken_s = "false"; -+ -+ CMS.debug(method + " useSoftToken: " + useSoftToken_s); -+ -+ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); -+ if (rServersideKeygen.equals("true")) { -+ -+ serversideKeygen = true; -+ } -+ -+ CMS.debug(method + " serversideKeygen: " + serversideKeygen); -+ -+ try { -+ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); -+ } catch (EBaseException eee) { -+ } -+ -+ CMS.debug(method + " Do crypto validation: " + isCryptoValidate); -+ -+ transportKeyName = getSharedSecretName(sconfig); -+ -+ String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); -+ String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); -+ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); -+ String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); -+ -+ if ((rCUID == null) || (rCUID.equals(""))) { -+ CMS.debug(method + " missing request parameter: CUID"); -+ badParams += " CUID,"; -+ missingParam = true; -+ } -+ -+ if ((rKDD == null) || (rKDD.length() == 0)) { -+ CMS.debug(method + " missing request parameter: KDD"); -+ badParams += " KDD,"; -+ missingParam = true; -+ } -+ -+ if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { -+ badParams += " card_challenge,"; -+ CMS.debug(method + " missing request parameter: card challenge"); -+ missingParam = true; -+ } -+ -+ if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { -+ badParams += " host_challenge,"; -+ CMS.debug(method + " missing request parameter: host challenge"); -+ missingParam = true; -+ } -+ -+ if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { -+ badParams += " card_cryptogram,"; -+ CMS.debug(method + " missing request parameter: card_cryptogram"); -+ missingParam = true; -+ } -+ -+ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { -+ badParams += " KeyInfo,"; 
-+ CMS.debug(method + "missing request parameter: key info");
-+ missingParam = true;
-+ }
-+
-+ String selectedToken = null;
-+ String keyNickName = null;
-+ boolean sameCardCrypto = true;
-+
-+ xCUID = null;
-+ xKDD = null;
-+ xkeyInfo = null;
-+ xcard_challenge = null;
-+ xhost_challenge = null;
-+
-+ if (!missingParam) {
-+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
-+ if (xCUID == null || xCUID.length != 10) {
-+ badParams += " CUID length,";
-+ CMS.debug("TokenServlet: Invalid CUID length");
-+ missingParam = true;
-+ }
-+
-+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
-+ if (xKDD == null || xKDD.length != 10) {
-+ badParams += " KDD length,";
-+ CMS.debug("TokenServlet: Invalid KDD length");
-+ missingParam = true;
-+ }
-+
-+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
-+ if (xkeyInfo == null || xkeyInfo.length != 3) {
-+ badParams += " KeyInfo length,";
-+ CMS.debug("TokenServlet: Invalid key info length.");
-+ missingParam = true;
-+ }
-+ xcard_challenge =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
-+ if (xcard_challenge == null || xcard_challenge.length != 8) {
-+ badParams += " card_challenge length,";
-+ CMS.debug("TokenServlet: Invalid card challenge length.");
-+ missingParam = true;
-+ }
-+
-+ xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
-+ if (xhost_challenge == null || xhost_challenge.length != 8) {
-+ badParams += " host_challenge length,";
-+ CMS.debug("TokenServlet: Invalid host challenge length");
-+ missingParam = true;
-+ }
-+ }
-+
-+ ArrayList serverSideValues = null;
-+
-+ if (!missingParam) {
-+ card_challenge =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
-+
-+ host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
-+
-+ String keyInfoMap = "tks." + keySet + ".mk_mappings."
+ rKeyInfo.substring(0,6); //#xx#xx
-+ String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
-+
-+
-+ if (mappingValue == null) {
-+ selectedToken =
-+ CMS.getConfigStore().getString("tks.defaultSlot", "internal");
-+ keyNickName = rKeyInfo;
-+ } else {
-+ StringTokenizer st = new StringTokenizer(mappingValue, ":");
-+ if (st.hasMoreTokens())
-+ selectedToken = st.nextToken();
-+ if (st.hasMoreTokens())
-+ keyNickName = st.nextToken();
-+ }
-+
-+ CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName );
-+
-+ SymmetricKey macSessionKey = null;
-+ SymmetricKey encSessionKey = null;
-+ SymmetricKey kekSessionKey = null;
-+
-+ if (selectedToken != null && keyNickName != null
-+ && missingSetting_exception == null) {
-+
-+ try {
-+
-+ byte macKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".mac_key"));
-+ CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
-+ + selectedToken + " keyNickName=" + keyNickName);
-+
-+ SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE);
-+
-+ macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
-+ SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge,
-+ transportKeyName,gp3Params);
-+
-+ mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null);
-+
-+ if (mac_session_key == null) {
-+ CMS.debug(method + " Can't get mac session key bytes");
-+ throw new Exception(method + " Can't get mac session key bytes");
-+
-+ }
-+
-+ byte encKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".auth_key"));
-+
-+ encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
-+ SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge,
-+ transportKeyName,gp3Params);
-+
-+ enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null);
-+
-+ if (enc_session_key == null) {
-+ CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
-+ throw new Exception("Can't compute enc session key!");
-+
-+ }
-+
-+ byte kekKeyArray[] =
-+ com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
-+ + keySet + ".kek_key"));
-+
-+ kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo,
-+ SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge,
-+ xcard_challenge,
-+ transportKeyName,gp3Params);
-+
-+ kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null);
-+
-+
-+ //Offload some of the tedious params gathering to another method
-+ //ToDo, create a method that reads all this stuff at once for all major methods
-+ if (serversideKeygen) {
-+ try {
-+ serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken,
-+ kekSessionKey, protocol);
-+ } catch (EBaseException e) {
-+
-+ CMS.debug(method + " Can't calcualte server side keygen required values...");
-+
-+ }
-+ }
-+
-+ try {
-+ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
-+ } catch (EBaseException eee) {
-+ }
-+
-+ ByteArrayOutputStream contextStream = new ByteArrayOutputStream();
-+ try {
-+ contextStream.write(host_challenge);
-+ contextStream.write(card_challenge);
-+ } catch (IOException e) {
-+ throw new EBaseException(method + " Error calculating derivation data!");
-+ }
-+
-+ host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT);
-+
SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length); -+ -+ -+ if( isCryptoValidate) { -+ if (rcard_cryptogram == null) { -+ CMS.debug(method + " missing card cryptogram"); -+ throw new Exception(method + "Missing card cryptogram"); -+ } -+ input_card_crypto = -+ com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); -+ card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); -+ SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); -+ SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); -+ -+ if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { -+ throw new Exception(method + "Card cryptogram mismatch!"); -+ } -+ -+ } -+ } catch (Exception e) { -+ CMS.debug(e); -+ CMS.debug("TokenServlet Computing Session Key: " + e.toString()); -+ if (isCryptoValidate) -+ sameCardCrypto = false; -+ } -+ } -+ } // ! 
missingParam -+ -+ String value = ""; -+ -+ resp.setContentType("text/html"); -+ -+ String encSessionKeyString = ""; -+ String macSessionKeyString = ""; -+ String kekSessionKeyString = ""; -+ -+ String drm_trans_wrapped_desKeyString = ""; -+ String cryptogram = ""; -+ String status = "0"; -+ -+ if (enc_session_key != null && enc_session_key.length > 0) { -+ encSessionKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); -+ } else { -+ status = "1"; -+ } -+ -+ if (mac_session_key != null && mac_session_key.length > 0) { -+ macSessionKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); -+ } else { -+ status = "1"; -+ } -+ -+ if (kek_session_key != null && kek_session_key.length > 0) { -+ kekSessionKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); -+ } else { -+ status = "1"; -+ } -+ -+ if (serversideKeygen == true) { -+ if (serverSideValues.size() == 3) { -+ drm_trans_wrapped_desKeyString = serverSideValues.get(2); -+ kek_wrapped_desKeyString = serverSideValues.get(0); -+ keycheck_s = serverSideValues.get(1); -+ } -+ else { -+ status = "1"; -+ } -+ } -+ -+ if (host_cryptogram != null && host_cryptogram.length > 0) { -+ cryptogram = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); -+ } else { -+ if (status.equals("0") == true) { -+ status = "2"; -+ } -+ } -+ -+ if (selectedToken == null || keyNickName == null) { -+ // AC: Bugfix: Don't override status's value if an error was already flagged -+ if (status.equals("0") == true) { -+ status = "4"; -+ } -+ } -+ -+ if (!sameCardCrypto) { -+ if (status.equals("0") == true) { -+ status = "5"; -+ } -+ } -+ -+ if (missingSetting_exception != null) { -+ status = "6"; -+ } -+ -+ if (missingParam) { -+ status = "3"; -+ } -+ -+ if (!status.equals("0")) { -+ -+ if (status.equals("1")) { -+ errorMsg = "Problem generating session key info."; -+ } -+ -+ if (status.equals("2")) { -+ errorMsg = "Problem creating host_cryptogram."; -+ } -+ -+ 
if (status.equals("5")) { -+ errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; -+ } -+ -+ if (status.equals("4")) { -+ errorMsg = "Problem obtaining token information."; -+ } -+ -+ if (status.equals("6")) { -+ errorMsg = "Problem reading required configuration value."; -+ } -+ -+ if (status.equals("3")) { -+ if (badParams.endsWith(",")) { -+ badParams = badParams.substring(0, badParams.length() - 1); -+ } -+ errorMsg = "Missing input parameters :" + badParams; -+ } -+ -+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status; -+ } else { -+ if (serversideKeygen == true) { -+ StringBuffer sb = new StringBuffer(); -+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -+ sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); -+ sb.append(macSessionKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); -+ sb.append(cryptogram); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); -+ sb.append(encSessionKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); -+ sb.append(kekSessionKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); -+ sb.append(kek_wrapped_desKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); -+ sb.append(keycheck_s); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); -+ sb.append(drm_trans_wrapped_desKeyString); -+ value = sb.toString(); -+ } else { -+ StringBuffer sb = new StringBuffer(); -+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); -+ sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); -+ sb.append(macSessionKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); -+ sb.append(cryptogram); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); -+ sb.append(encSessionKeyString); -+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); -+ value = sb.toString(); -+ } -+ -+ } -+ //CMS.debug(method + "outputString.encode " + 
value); -+ -+ try { -+ resp.setContentLength(value.length()); -+ CMS.debug("TokenServlet:outputString.length " + value.length()); -+ OutputStream ooss = resp.getOutputStream(); -+ ooss.write(value.getBytes()); -+ ooss.flush(); -+ mRenderResult = false; -+ } catch (IOException e) { -+ CMS.debug("TokenServlet: " + e.toString()); -+ } -+ -+ if (status.equals("0")) { -+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -+ ILogger.SUCCESS, // Outcome -+ status, // status -+ agentId, // AgentID -+ isCryptoValidate ? "true" : "false", // IsCryptoValidate -+ serversideKeygen ? "true" : "false", // IsServerSideKeygen -+ selectedToken, // SelectedToken -+ keyNickName, // KeyNickName -+ keySet, // TKSKeyset -+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -+ }; -+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, -+ logParams); -+ -+ } else { -+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded -+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded -+ ILogger.FAILURE, // Outcome -+ status, // status -+ agentId, // AgentID -+ isCryptoValidate ? "true" : "false", // IsCryptoValidate -+ serversideKeygen ? "true" : "false", // IsServerSideKeygen -+ selectedToken, // SelectedToken -+ keyNickName, // KeyNickName -+ keySet, // TKSKeyset -+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion -+ errorMsg // Error -+ }; -+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, -+ logParams); -+ -+ } -+ -+ audit(auditMessage); -+ -+ } -+ -+ /** -+ * Serves HTTP admin request. 
-+ * -+ * @param req HTTP request -+ * @param resp HTTP response -+ */ -+ public void service(HttpServletRequest req, HttpServletResponse resp) -+ throws ServletException, IOException { -+ super.service(req, resp); -+ } -+ -+ private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { -+ -+ IConfigStore configStore = CMS.getConfigStore(); -+ String sharedSecretName = null; -+ try { -+ -+ sharedSecretName = getSharedSecretName(configStore); -+ -+ } catch (EBaseException e) { -+ throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " -+ + e); -+ -+ } -+ -+ CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); -+ -+ String symmKeys = null; -+ boolean keyPresent = false; -+ try { -+ symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); -+ CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); -+ } catch (Exception e) { -+ // TODO Auto-generated catch block -+ CMS.debug(e); -+ } -+ -+ for (String keyName : symmKeys.split(",")) { -+ if (sharedSecretName.equals(keyName)) { -+ CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); -+ keyPresent = true; -+ break; -+ } -+ -+ } -+ -+ if (!keyPresent) { -+ throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); -+ } -+ -+ // We know for now that shared secret is on this token -+ String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; -+ PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); -+ -+ CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); -+ -+ return sharedSecret; -+ -+ } -+ -+ //returns ArrayList of following values -+ // 0 : Kek wrapped des key -+ // 1 : keycheck value -+ // 2 : trans wrapped des key -+ private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, -+ SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws 
EBaseException { -+ -+ SymmetricKey desKey = null; -+ String method = "TokenServlet.calculateSErverSideKeygenValues: "; -+ ArrayList values = new ArrayList(); -+ -+ /** -+ * 0. generate des key -+ * 1. encrypt des key with kek key -+ * 2. encrypt des key with DRM transport key -+ * These two wrapped items are to be sent back to -+ * TPS. 2nd item is to DRM -+ **/ -+ CMS.debug(method + " entering..."); -+ -+ // (1) generate DES key -+ /* applet does not support DES3 -+ org.mozilla.jss.crypto.KeyGenerator kg = -+ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); -+ desKey = kg.generate();*/ -+ -+ /* -+ * GenerateSymkey firt generates a 16 byte DES2 key. -+ * It then pads it into a 24 byte key with last -+ * 8 bytes copied from the 1st 8 bytes. Effectively -+ * making it a 24 byte DES2 key. We need this for -+ * wrapping private keys on DRM. -+ */ -+ /*generate it on whichever token the master key is at*/ -+ -+ if (useSoftToken.equals("true")) { -+ CMS.debug(method + " key encryption key generated on internal"); -+ desKey = protocol.generateSymKey("internal"); -+ //cfu audit here? sym key gen done -+ } else { -+ CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); -+ desKey = protocol.generateSymKey(selectedToken); -+ } -+ if (desKey == null) { -+ throw new EBaseException(method + "can't generate key encryption key"); -+ } -+ -+ /* -+ * ECBencrypt actually takes the 24 byte DES2 key -+ * and discard the last 8 bytes before it encrypts. 
-+ * This is done so that the applet can digest it -+ */ -+ -+ -+ // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) -+ -+ byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); -+ -+ String kek_wrapped_desKeyString = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); -+ -+ CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); -+ -+ values.add(kek_wrapped_desKeyString); -+ -+ // get keycheck -+ -+ byte[] keycheck = null; -+ -+ keycheck = protocol.computeKeyCheck(desKey, selectedToken); -+ -+ String keycheck_s = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); -+ -+ CMS.debug(method + "keycheck_s " + keycheck_s); -+ -+ values.add(keycheck_s); -+ -+ //use DRM transport cert to wrap desKey -+ String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); -+ -+ if ((drmTransNickname == null) || (drmTransNickname == "")) { -+ CMS.debug(method + " did not find DRM transport certificate nickname"); -+ throw new EBaseException(method + "can't find DRM transport certificate nickname"); -+ } else { -+ CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); -+ } -+ -+ X509Certificate drmTransCert = null; -+ try { -+ -+ drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); -+ // wrap kek session key with DRM transport public key -+ CryptoToken token = null; -+ if (useSoftToken.equals("true")) { -+ //token = CryptoManager.getInstance().getTokenByName(selectedToken); -+ token = CryptoManager.getInstance().getInternalCryptoToken(); -+ } else { -+ token = CryptoManager.getInstance().getTokenByName(selectedToken); -+ } -+ PublicKey pubKey = drmTransCert.getPublicKey(); -+ String pubKeyAlgo = pubKey.getAlgorithm(); -+ CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); -+ KeyWrapper keyWrapper = null; -+ //For wrapping symmetric keys don't need IV, use ECB -+ if (pubKeyAlgo.equals("EC")) { -+ keyWrapper = 
token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); -+ keyWrapper.initWrap(pubKey, null); -+ } else { -+ keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); -+ keyWrapper.initWrap(pubKey, null); -+ } -+ CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); -+ byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); -+ -+ String drmWrappedDesStr = -+ com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); -+ -+ CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); -+ values.add(drmWrappedDesStr); -+ -+ } catch (Exception e) { -+ throw new EBaseException(e); -+ } -+ -+ return values; -+ } -+ -+ private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { -+ boolean sameCardCrypto = true; -+ -+ if (original_cryptogram == null || calculated_cryptogram == null) { -+ return false; -+ } -+ if (original_cryptogram.length == calculated_cryptogram.length) { -+ for (int i = 0; i < original_cryptogram.length; i++) { -+ if (original_cryptogram[i] != calculated_cryptogram[i]) { -+ sameCardCrypto = false; -+ break; -+ } -+ } -+ } else { -+ // different length; must be different -+ sameCardCrypto = false; -+ } -+ -+ return sameCardCrypto; -+ } -+ -+ //For now only used for scp03 -+ -+ static GPParams readGPSettings(String keySet) { -+ GPParams params = new GPParams(); -+ -+ String method = "TokenServlet.readGPSettings: "; -+ String gp3Settings = "tks." 
+ keySet + ".prot3"; -+ -+ String divers = "emv"; -+ try { -+ divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); -+ } catch (EBaseException e) { -+ } -+ -+ params.setDiversificationScheme(divers); -+ -+ CMS.debug(method + " Divers: " + divers); -+ -+ String diversVer1Keys = "emv"; -+ -+ try { -+ diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); -+ } catch (EBaseException e) { -+ } -+ -+ params.setVersion1DiversificationScheme(diversVer1Keys); -+ CMS.debug(method + " Version 1 keys Divers: " + divers); -+ -+ String keyType = null; -+ try { -+ keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); -+ } catch (EBaseException e) { -+ } -+ -+ CMS.debug(method + " devKeyType: " + keyType); -+ -+ params.setDevKeyType(keyType); -+ -+ try { -+ keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); -+ } catch (EBaseException e) { -+ } -+ -+ params.setMasterKeyType(keyType); -+ -+ CMS.debug(method + " masterKeyType: " + keyType); -+ -+ -+ return params; -+ } -+ -+ private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { -+ byte devKeyArray[] = null; -+ try { -+ devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." -+ + keySet + "." + keyType)); -+ } catch (Exception e) { -+ throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); -+ } -+ -+ return devKeyArray; -+ } -+ -+ -+} --- -1.8.3.1 - - -From fd149624a7ace41c75c5034345503c0d412f7aa3 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 23 May 2017 22:25:32 +0200 -Subject: [PATCH 11/38] Updated log messages in OCSPProcessor. - -The OCSPProcessor has been modified to log the OCSP response to -help troubleshooting. 
- -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f ---- - base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java -index 3b72130..c7a40f7 100644 ---- a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java -+++ b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java -@@ -134,8 +134,8 @@ public class OCSPProcessor { - byte[] requestData = os.toByteArray(); - - if (verbose) { -- System.out.println("Data Length: " + requestData.length); -- System.out.println("Data: " + Utils.base64encode(requestData)); -+ System.out.println("Request Length: " + requestData.length); -+ System.out.println("Request: " + Utils.base64encode(requestData)); - } - - ByteArrayEntity requestEntity = new ByteArrayEntity(requestData); -@@ -156,8 +156,16 @@ public class OCSPProcessor { - } - - // construct OCSP response -+ -+ byte[] responseData = buffer.toByteArray(); -+ -+ if (verbose) { -+ System.out.println("Response Length: " + responseData.length); -+ System.out.println("Response: " + Utils.base64encode(responseData)); -+ } -+ - return (OCSPResponse)OCSPResponse.getTemplate().decode( -- new ByteArrayInputStream(buffer.toByteArray())); -+ new ByteArrayInputStream(responseData)); - - } finally { - EntityUtils.consume(responseEntity); --- -1.8.3.1 - - -From b9f906eb1f26cf3d82262bc9894785742f451cd9 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 23 May 2017 11:12:06 -0400 -Subject: [PATCH 12/38] Fix failing audit log - -As currently written, the audit log for completing the cert -processing on the KRA will always fail because the cert is not -yet issued. The cert is only issued after the key is archived. - -Basically, though, this particular log is only suppposed to be -written to the CA audit log. 
Rather than adding a subsystem check, -the simplest solution is to not expose this event on the KRA. - -Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643 ---- - base/kra/shared/conf/CS.cfg | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 4b6ff74..69d9382 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
- log.instance.SignedAudit.expirationTime=0
- log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
- log.instance.SignedAudit.flushInterval=5
---
-1.8.3.1
-
-
-From de9f890133e3acc660b985e8ef5950507d341a03 Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Tue, 23 May 2017 12:14:06 -0400
-Subject: [PATCH 13/38] Make sure archivalID is passed through archival
-
-There was some confusion in the previous commit for archival
-logging. The archivalID is the id provided by the CA for the archival
-and is its requestID. This allows the cert request operation
-to be tracked through the archival.
-
-Made sure therefore, that we have two fields - one for the archivalID
-and one for the requestId (which is the KRA archival request ID)
-
-In addition, some of the archival events occur in the CA component
-just before the request id sent to the KRA. These events will not
-be displayed unless the audit event is added to the CA CS.cfg.
-
-Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
----
- base/ca/shared/conf/CS.cfg | 4 +-
- base/ca/src/com/netscape/ca/CAService.java | 22 +++++++--
- .../logging/event/SecurityDataArchivalEvent.java | 16 +------
- .../event/SecurityDataArchivalProcessedEvent.java | 2 +
- .../src/com/netscape/kra/EnrollmentService.java | 53 ++++++++++++++++------
- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +++--
- .../src/com/netscape/kra/NetkeyKeygenService.java | 5 +-
- .../com/netscape/kra/SecurityDataProcessor.java | 1 +
- .../server/kra/rest/KeyRequestService.java | 1 +
- .../cms/profile/common/CAEnrollProfile.java | 23 +++++++---
- base/server/cmsbundle/src/LogMessages.properties | 16 +++++--
- 11 files changed, 104 insertions(+), 50 deletions(-)
-
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 8f9af5c..4e881dc 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
- log.instance.SignedAudit._002=##
- log.instance.SignedAudit._003=##
- log.instance.SignedAudit._004=## Available Audit events:
--log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - 
log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index 45fae66..c9eacfe 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -58,6 +58,7 @@ import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileSubsystem; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.cmscore.base.SubsystemRegistry; - import com.netscape.cmscore.connector.HttpConnector; - import com.netscape.cmscore.connector.LocalConnector; -@@ -371,6 +372,7 @@ public class CAService implements ICAService, IService { - public boolean serviceRequest(IRequest request) { - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); -+ RequestId requestId = request.getRequestId(); - - boolean completed = false; - -@@ -422,7 +424,9 @@ public class CAService implements ICAService, IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ 
null)); - - boolean sendStatus = mKRAConnector.send(request); - -@@ -437,7 +441,9 @@ public class CAService implements ICAService, IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - return true; - } else { -@@ -451,7 +457,9 @@ public class CAService implements ICAService, IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - return true; - } -@@ -474,7 +482,9 @@ public class CAService implements ICAService, IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - } - - return true; -@@ -490,7 +500,9 @@ public class CAService implements ICAService, IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - } - - return completed; -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java -index 43f7525..adc8d5b 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java -@@ -30,6 +30,7 @@ public class SecurityDataArchivalEvent extends AuditEvent { - public SecurityDataArchivalEvent( - String subjectID, - String outcome, -+ String archivalID, - RequestId requestID, - String clientKeyID) { - -@@ -38,22 +39,9 @@ public class SecurityDataArchivalEvent extends AuditEvent { - setParameters(new Object[] { - subjectID, - outcome, -+ archivalID, - requestID, - clientKeyID - }); - } -- -- public SecurityDataArchivalEvent( -- String subjectID, -- String outcome, -- String requestID) { -- super(LOGGING_PROPERTY); -- -- 
setParameters(new Object[] { -- subjectID, -- outcome, -- requestID, -- null -- }); -- } - } -\ No newline at end of file -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -index eb4f6b3..0ec21ae 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -@@ -30,6 +30,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { - public SecurityDataArchivalProcessedEvent( - String subjectID, - String outcome, -+ String archivalRequestId, - RequestId requestID, - String clientKeyID, - KeyId keyID, -@@ -41,6 +42,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { - setParameters(new Object[] { - subjectID, - outcome, -+ archivalRequestId, - requestID, - clientKeyID, - keyID, -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index b28fbc6..4cf36d1 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.certsrv.util.IStatsSubsystem; -@@ -158,6 +159,7 @@ public class EnrollmentService implements IService { - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(); - String auditPublicKey = ILogger.UNIDENTIFIED; -+ RequestId requestId = 
request.getRequestId(); - - if (CMS.debugOn()) - CMS.debug("EnrollmentServlet: KRA services enrollment request"); -@@ -198,7 +200,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); -@@ -243,7 +247,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); -@@ -276,7 +282,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); -@@ -315,7 +323,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e); - } -@@ -333,7 +343,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); -@@ -355,7 +367,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); - } -@@ -387,7 +401,9 @@ public class EnrollmentService implements IService 
{ - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); - } -@@ -411,7 +427,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); - } -@@ -458,7 +476,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } -@@ -477,7 +497,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } -@@ -492,7 +514,9 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } -@@ -546,14 +570,17 @@ public class EnrollmentService implements IService { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); - audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, -- request.getRequestId(), -+ auditRequesterID, -+ requestId, - null, - new KeyId(rec.getSerialNumber()), - null, -diff --git 
a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 3c29bbf..ed20394 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -766,18 +766,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - - r = queue.newRequest(KRAService.ENROLLMENT); - -- // store a message in the signed audit log file - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID)); -+ auditRequesterID, -+ r.getRequestId(), -+ null)); - - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ null /* requestId */, -+ null /*clientKeyId */)); - throw eAudit1; - } - -@@ -792,6 +795,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.SUCCESS, -+ auditRequesterID, - r.getRequestId(), - null, - new KeyId(rec.getSerialNumber()), -@@ -801,6 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - audit(new SecurityDataArchivalProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -+ auditRequesterID, - r.getRequestId(), - null, - new KeyId(rec.getSerialNumber()), -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index df42a4f..947377a 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -397,7 +397,9 @@ public class NetkeyKeygenService implements IService { - audit( new SecurityDataArchivalEvent( - agentId, - ILogger.SUCCESS, -- auditSubjectID)); -+ auditSubjectID, -+ request.getRequestId(), -+ null)); - - CMS.debug("KRA encrypts 
private key to put on internal ldap db"); - byte privateKeyData[] = null; -@@ -487,6 +489,7 @@ public class NetkeyKeygenService implements IService { - audit(new SecurityDataArchivalProcessedEvent( - agentId, - ILogger.SUCCESS, -+ auditSubjectID, - request.getRequestId(), - null, - new KeyId(serialNo), -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index a44eb2f..326630c 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -873,6 +873,7 @@ public class SecurityDataProcessor { - audit(new SecurityDataArchivalProcessedEvent( - subjectID, - status, -+ null, - requestID, - clientKeyID, - keyID, -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index 12040e0..8ec69a7 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -357,6 +357,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes - audit(new SecurityDataArchivalEvent( - getRequestor(), - status, -+ null, - requestId, - clientKeyID)); - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -index 85db2cb..ec9f86b 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java -@@ -36,6 +36,7 @@ import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.ERejectException; - import com.netscape.certsrv.profile.IProfileUpdater; - import com.netscape.certsrv.request.IRequest; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestStatus; - - 
import netscape.security.x509.X500Name; -@@ -82,10 +83,10 @@ public class CAEnrollProfile extends EnrollProfile { - - String auditSubjectID = auditSubjectID(); - String auditRequesterID = auditRequesterID(request); -- String id = request.getRequestId().toString(); -+ RequestId requestId = request.getRequestId(); - - -- CMS.debug("CAEnrollProfile: execute request ID " + id); -+ CMS.debug("CAEnrollProfile: execute request ID " + requestId.toString()); - - ICertificateAuthority ca = (ICertificateAuthority) getAuthority(); - -@@ -115,7 +116,9 @@ public class CAEnrollProfile extends EnrollProfile { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - } else { - CMS.debug("CAEnrollProfile: execute send request"); - kraConnector.send(request); -@@ -125,7 +128,9 @@ public class CAEnrollProfile extends EnrollProfile { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - if (request.getError(getLocale(request)) != null && - (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) { -@@ -140,7 +145,9 @@ public class CAEnrollProfile extends EnrollProfile { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.SUCCESS, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - } - } catch (Exception e) { - -@@ -153,7 +160,9 @@ public class CAEnrollProfile extends EnrollProfile { - audit(new SecurityDataArchivalEvent( - auditSubjectID, - ILogger.FAILURE, -- auditRequesterID)); -+ auditRequesterID, -+ requestId, -+ null)); - - throw new EProfileException(e); - } -@@ -179,7 +188,7 @@ public class CAEnrollProfile extends EnrollProfile { - X509CertImpl theCert; - try { - theCert = caService.issueX509Cert( -- aid, info, getId() /* profileId */, id /* requestId */); -+ aid, info, getId() /* profileId */, requestId.toString()); - } 
catch (EBaseException e) { - CMS.debug(e); - throw new EProfileException(e); -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 44eec23..66a7fd0 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2414,17 +2414,23 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED - # - used when user security data archive request is processed - # this is when DRM receives and processed the request --# Client ID must be the user supplied client ID associated with -+# ArchivalRequestID is the requestID provided by the CA through the connector -+# It is used to track the request through from CA to KRA. -+# RequestId is the KRA archival request ID -+# ClientKeyID must be the user supplied client ID associated with - # the security data to be archived - # --LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}][KeyID={5}][FailureReason={6}][PubKey={7}] security data archival request processed - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST - # - used when security data recovery request is made --# RecoveryID must be the recovery request ID --# CientID is the ID of the security data to be archived -+# ArchivalRequestID is the requestID provided by the CA through the connector -+# It is used to track the request through from CA to KRA. 
-+# RequestId is the KRA archival request ID -+# ClientKeyID must be the user supplied client ID associated with -+# the security data to be archived - # --LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made -+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}] security data archival request made - # - # - # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED --- -1.8.3.1 - - -From 1d6860b20970dae43b81e9f943fb49575f377099 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 24 May 2017 11:15:03 -0400 -Subject: [PATCH 14/38] Simplify recovery audit logging - -Currently, when we use the retrieveKey() REST interface, there are -two logs generated for the processing of a recovery request. To -rectify this, logging has been removed from the lower level in the -SecurityDataProcessor and is delegated to the higher level. - -This necessitated adding audit logging to the SecurityDataRecoveryService, -which processes recovery events asynchronously. - -In addition, the logging in retrieveKey() has been pushed down to -the retrieveKeyImpl, because there is at least one success exit point in -retrieveKeyImpl where a recovery request is created, but no key is exported. -Hence in this case, a KeyRetrieve success event is not warranted. 
- -Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87 ---- - .../com/netscape/kra/SecurityDataProcessor.java | 32 ----------- - .../netscape/kra/SecurityDataRecoveryService.java | 67 +++++++++++++++++++++- - .../org/dogtagpki/server/kra/rest/KeyService.java | 11 ++-- - 3 files changed, 72 insertions(+), 38 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 326630c..2899f32 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -42,7 +42,6 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; --import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.RequestId; -@@ -322,20 +321,13 @@ public class SecurityDataProcessor { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - } - -- String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); -- String auditSubjectID = requestor; -- - Hashtable params = kra.getVolatileRequest( - request.getRequestId()); - KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO)); - request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger()); -- RequestId requestID = request.getRequestId(); -- String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); - - if (params == null) { - CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params."); -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, -- "cannot get volatile params", approvers); - throw new EBaseException("Can't obtain volatile params!"); - } 
- -@@ -457,8 +449,6 @@ public class SecurityDataProcessor { - iv != null? new IVParameterSpec(iv): null, - iv_wrap != null? new IVParameterSpec(iv_wrap): null); - } catch (Exception e) { -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, -- "Cannot generate wrapping params", approvers); - throw new EBaseException("Cannot generate wrapping params: " + e, e); - } - } -@@ -514,8 +504,6 @@ public class SecurityDataProcessor { - params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData); - - } catch (Exception e) { -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, -- "Cannot unwrap passphrase", approvers); - throw new EBaseException("Cannot unwrap passphrase: " + e, e); - - } finally { -@@ -556,8 +544,6 @@ public class SecurityDataProcessor { - } - - } catch (Exception e) { -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, -- "Cannot wrap symmetric key", approvers); - throw new EBaseException("Cannot wrap symmetric key: " + e, e); - } - -@@ -574,8 +560,6 @@ public class SecurityDataProcessor { - wrapParams.getPayloadEncryptionAlgorithm(), - wrapParams.getPayloadEncryptionIV()); - } catch (Exception e) { -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, -- keyId, "Cannot encrypt passphrase", approvers); - throw new EBaseException("Cannot encrypt passphrase: " + e, e); - } - -@@ -606,8 +590,6 @@ public class SecurityDataProcessor { - } - - } catch (Exception e) { -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, -- "Cannot wrap private key", approvers); - throw new EBaseException("Cannot wrap private key: " + e, e); - } - } -@@ -640,9 +622,6 @@ public class SecurityDataProcessor { - } - - params.put(IRequest.SECURITY_DATA_TYPE, dataType); -- -- auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId, -- null, approvers); - request.setExtData(IRequest.RESULT, 
IRequest.RES_SUCCESS); - - return false; //return true ? TODO -@@ -857,17 +836,6 @@ public class SecurityDataProcessor { - audit(message); - } - -- private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, -- KeyId keyID, String reason, String recoveryAgents) { -- audit(new SecurityDataRecoveryProcessedEvent( -- subjectID, -- status, -- requestID, -- keyID, -- reason, -- recoveryAgents)); -- } -- - private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - KeyId keyID, String reason) { - audit(new SecurityDataArchivalProcessedEvent( -diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -index 0c7b4b7..da82e97 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java -@@ -19,9 +19,14 @@ package com.netscape.kra; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -+import com.netscape.certsrv.request.RequestId; - - import netscape.security.util.DerValue; - import netscape.security.x509.X509Key; - - /** - * This implementation services SecurityData Recovery requests. 
-@@ -33,6 +38,7 @@ public class SecurityDataRecoveryService implements IService {
- 
- private IKeyRecoveryAuthority kra = null;
- private SecurityDataProcessor processor = null;
-+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
- 
- public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
- this.kra = kra;
-@@ -57,8 +63,65 @@ public class SecurityDataRecoveryService implements IService {
- throws EBaseException {
- 
- CMS.debug("SecurityDataRecoveryService.serviceRequest()");
-- processor.recover(request);
-- kra.getRequestQueue().updateRequest(request);
-+ 
-+ // parameters for auditing
-+ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
-+ KeyId keyId = new KeyId(request.getExtDataInBigInteger("serialNumber"));
-+ RequestId requestID = request.getRequestId();
-+ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
-+ 
-+ try {
-+ processor.recover(request);
-+ kra.getRequestQueue().updateRequest(request);
-+ auditRecoveryRequestProcessed(
-+ auditSubjectID,
-+ ILogger.SUCCESS,
-+ requestID,
-+ keyId,
-+ null,
-+ approvers);
-+ } catch (EBaseException e) {
-+ auditRecoveryRequestProcessed(
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ requestID,
-+ keyId,
-+ e.getMessage(),
-+ approvers);
-+ throw e;
-+ }
- return false; //TODO: return true? 
- }
-+ 
-+ private void audit(AuditEvent event) {
-+ 
-+ String template = event.getMessage();
-+ Object[] params = event.getParameters();
-+ 
-+ String message = CMS.getLogMessage(template, params);
-+ 
-+ audit(message);
-+ }
-+ 
-+ private void audit(String msg) {
-+ if (signedAuditLogger == null)
-+ return;
-+ 
-+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
-+ null,
-+ ILogger.S_SIGNED_AUDIT,
-+ ILogger.LL_SECURITY,
-+ msg);
-+ }
-+ 
-+ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
-+ KeyId keyID, String reason, String recoveryAgents) {
-+ audit(new SecurityDataRecoveryProcessedEvent(
-+ subjectID,
-+ status,
-+ requestID,
-+ keyID,
-+ reason,
-+ recoveryAgents));
-+ }
- }
-diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-index 52799e6..8edb928 100644
---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
-@@ -117,13 +117,10 @@ public class KeyService extends SubsystemService implements KeyResource {
- public Response retrieveKey(KeyRecoveryRequest data) {
- try {
- Response response = retrieveKeyImpl(data);
-- auditRetrieveKey(ILogger.SUCCESS);
- return response;
- } catch(RuntimeException e) {
-- auditRetrieveKeyError(e.getMessage());
- throw e;
- } catch (Exception e) {
-- auditRetrieveKeyError(e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
- }
-@@ -137,6 +134,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- CMS.debug(auditInfo);
- 
- if (data == null) {
-+ auditRetrieveKeyError("Bad Request: Missing key Recovery Request");
- throw new BadRequestException("Missing key Recovery Request");
- }
- 
-@@ -152,10 +150,12 @@ public class KeyService extends SubsystemService implements KeyResource {
- try {
- request = queue.findRequest(requestId);
- } catch (EBaseException e) {
-+ 
auditRetrieveKeyError(e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
- 
- if (request == null) {
-+ auditRetrieveKeyError("Bad Request: No request found");
- throw new BadRequestException("No request found");
- }
- 
-@@ -166,7 +166,8 @@ public class KeyService extends SubsystemService implements KeyResource {
- } else {
- keyId = data.getKeyId();
- if (keyId == null) {
-- throw new BadRequestException("Missing key Recovery Request");
-+ auditRetrieveKeyError("Bad Request: Missing key recovery request and key_id");
-+ throw new BadRequestException("Missing recovery request and key id");
- }
- 
- auditInfo += ";keyID=" + keyId.toString();
-@@ -186,6 +187,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- request = reqDAO.createRecoveryRequest(data, uriInfo, getRequestor(),
- getAuthToken(), ephemeral);
- } catch (EBaseException e) {
-+ auditRetrieveKeyError("Unable to create recovery request: " + e.getMessage());
- throw new PKIException(e.getMessage(), e);
- }
- 
-@@ -248,6 +250,7 @@ public class KeyService extends SubsystemService implements KeyResource {
- auditRecoveryRequestProcessed(ILogger.SUCCESS, null);
- 
- CMS.debug("KeyService: key retrieved");
-+ auditRetrieveKey(ILogger.SUCCESS);
- return createOKResponse(keyData);
- }
- 
--- 
-1.8.3.1
- 
- 
-From f6cc8db2fbd9ab509c4285e944306b31cf068a5f Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 24 May 2017 06:38:50 +0200
-Subject: [PATCH 15/38] Cleaned up DefStore.processRequest() (part 1).
- 
-An if-statement in DefStore.processRequest() has been modified
-to return early for clarity. The code indentation has been adjusted
-accordingly. 
- -https://pagure.io/dogtagpki/issue/2652 - -Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0 ---- - .../cms/src/com/netscape/cms/ocsp/DefStore.java | 121 +++++++++++---------- - 1 file changed, 62 insertions(+), 59 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -index 217c568..9882acd 100644 ---- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -+++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -@@ -27,11 +27,6 @@ import java.util.Hashtable; - import java.util.Locale; - import java.util.Vector; - --import netscape.security.x509.RevokedCertificate; --import netscape.security.x509.X509CRLImpl; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509Key; -- - import org.mozilla.jss.asn1.ASN1Util; - import org.mozilla.jss.asn1.GeneralizedTime; - import org.mozilla.jss.asn1.INTEGER; -@@ -73,6 +68,11 @@ import com.netscape.cmsutil.ocsp.SingleResponse; - import com.netscape.cmsutil.ocsp.TBSRequest; - import com.netscape.cmsutil.ocsp.UnknownInfo; - -+import netscape.security.x509.RevokedCertificate; -+import netscape.security.x509.X509CRLImpl; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509Key; -+ - /** - * This is the default OCSP store that stores revocation information - * as certificate record (CMS internal data structure). 
-@@ -481,77 +481,80 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - incReqCount(theRec.getId()); - } - -+ if (theCert == null) { -+ return null; -+ } -+ - // check the serial number -- if (theCert != null) { -- INTEGER serialNo = cid.getSerialNumber(); -+ INTEGER serialNo = cid.getSerialNumber(); - -- log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); -- CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); -- CertStatus certStatus = null; -- GeneralizedTime thisUpdate = null; -+ log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); -+ CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); -+ CertStatus certStatus = null; -+ GeneralizedTime thisUpdate = null; - -+ if (theRec == null) { -+ thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); -+ } else { -+ thisUpdate = new GeneralizedTime( -+ theRec.getThisUpdate()); -+ } -+ GeneralizedTime nextUpdate = null; -+ -+ if (includeNextUpdate()) { -+ // this is an optional field - if (theRec == null) { -- thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); -+ nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); - } else { -- thisUpdate = new GeneralizedTime( -- theRec.getThisUpdate()); -- } -- GeneralizedTime nextUpdate = null; -- -- if (includeNextUpdate()) { -- // this is an optional field -- if (theRec == null) { -- nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); -- } else { -- nextUpdate = new GeneralizedTime( -- theRec.getNextUpdate()); -- } -+ nextUpdate = new GeneralizedTime( -+ theRec.getNextUpdate()); - } -+ } - -- if (theCRL == null) { -- certStatus = new UnknownInfo(); -- -- // if crl is not available, we can try crl cache -- if (theRec != null) { -- CMS.debug("DefStore: evaluating crl cache"); -- Hashtable cache = theRec.getCRLCacheNoClone(); -- if (cache != null) { -- RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); -- if 
(rc == null) { -- if (isNotFoundGood()) { -- certStatus = new GoodInfo(); -- } else { -- certStatus = new UnknownInfo(); -- } -+ if (theCRL == null) { -+ certStatus = new UnknownInfo(); -+ -+ // if crl is not available, we can try crl cache -+ if (theRec != null) { -+ CMS.debug("DefStore: evaluating crl cache"); -+ Hashtable cache = theRec.getCRLCacheNoClone(); -+ if (cache != null) { -+ RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); -+ if (rc == null) { -+ if (isNotFoundGood()) { -+ certStatus = new GoodInfo(); - } else { -- -- certStatus = new RevokedInfo( -- new GeneralizedTime( -- rc.getRevocationDate())); -+ certStatus = new UnknownInfo(); - } -+ } else { -+ -+ certStatus = new RevokedInfo( -+ new GeneralizedTime( -+ rc.getRevocationDate())); - } - } -+ } - -- } else { -- CMS.debug("DefStore: evaluating x509 crl impl"); -- X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); -+ } else { -+ CMS.debug("DefStore: evaluating x509 crl impl"); -+ X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); - -- if (crlentry == null) { -- // good or unknown -- if (isNotFoundGood()) { -- certStatus = new GoodInfo(); -- } else { -- certStatus = new UnknownInfo(); -- } -+ if (crlentry == null) { -+ // good or unknown -+ if (isNotFoundGood()) { -+ certStatus = new GoodInfo(); - } else { -- certStatus = new RevokedInfo(new GeneralizedTime( -- crlentry.getRevocationDate())); -- -+ certStatus = new UnknownInfo(); - } -+ } else { -+ certStatus = new RevokedInfo(new GeneralizedTime( -+ crlentry.getRevocationDate())); -+ - } -- return new SingleResponse(cid, certStatus, thisUpdate, -- nextUpdate); - } -+ return new SingleResponse(cid, certStatus, thisUpdate, -+ nextUpdate); -+ - } catch (Exception e) { - // error log - CMS.debug("DefStore: failed processing request e=" + e); --- -1.8.3.1 - - -From 4511646ecec5b99dfb0ab31fc604a8765313941e Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Wed, 24 May 2017 06:48:58 +0200 -Subject: [PATCH 16/38] Cleaned up DefStore.processRequest() (part 2). - -An if-statement in DefStore.processRequest() has been modified -to return early for clarity. The code indentation has been adjusted -accordingly. - -https://pagure.io/dogtagpki/issue/2652 - -Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3 ---- - .../cms/src/com/netscape/cms/ocsp/DefStore.java | 31 ++++++++++++---------- - 1 file changed, 17 insertions(+), 14 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -index 9882acd..0b29b08 100644 ---- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -+++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -@@ -535,23 +535,26 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - } - } - -- } else { -- CMS.debug("DefStore: evaluating x509 crl impl"); -- X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); -- -- if (crlentry == null) { -- // good or unknown -- if (isNotFoundGood()) { -- certStatus = new GoodInfo(); -- } else { -- certStatus = new UnknownInfo(); -- } -- } else { -- certStatus = new RevokedInfo(new GeneralizedTime( -- crlentry.getRevocationDate())); -+ return new SingleResponse(cid, certStatus, thisUpdate, -+ nextUpdate); -+ } -+ -+ CMS.debug("DefStore: evaluating x509 crl impl"); -+ X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); - -+ if (crlentry == null) { -+ // good or unknown -+ if (isNotFoundGood()) { -+ certStatus = new GoodInfo(); -+ } else { -+ certStatus = new UnknownInfo(); - } -+ } else { -+ certStatus = new RevokedInfo(new GeneralizedTime( -+ crlentry.getRevocationDate())); -+ - } -+ - return new SingleResponse(cid, certStatus, thisUpdate, - nextUpdate); - --- -1.8.3.1 - - -From 7d39f6ecfe4c29c14948e4b5d30fde93d7f0f8e6 Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Wed, 24 May 2017 18:07:42 +0200 -Subject: [PATCH 17/38] Cleaned up DefStore.processRequest() (part 3). - -Some nested if-statements in DefStore.processRequest() has been -merged for clarity. - -https://pagure.io/dogtagpki/issue/2652 - -Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d ---- - .../cms/src/com/netscape/cms/ocsp/DefStore.java | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -index 0b29b08..676257b 100644 ---- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -+++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -@@ -499,16 +499,18 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - thisUpdate = new GeneralizedTime( - theRec.getThisUpdate()); - } -- GeneralizedTime nextUpdate = null; - -- if (includeNextUpdate()) { -- // this is an optional field -- if (theRec == null) { -- nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); -- } else { -- nextUpdate = new GeneralizedTime( -- theRec.getNextUpdate()); -- } -+ // this is an optional field -+ GeneralizedTime nextUpdate; -+ -+ if (!includeNextUpdate()) { -+ nextUpdate = null; -+ -+ } else if (theRec == null) { -+ nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); -+ -+ } else { -+ nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); - } - - if (theCRL == null) { --- -1.8.3.1 - - -From 9d74c8f2f6291e9bac433c950168d68fa5fc90c8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 24 May 2017 05:06:31 +0200 -Subject: [PATCH 18/38] Updated OCSP log messages. - -Some log messages in OCSP-related code have been updated for -clarity. 
- -https://pagure.io/dogtagpki/issue/2652 - -Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39 ---- - base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 10 +++++--- - .../cms/src/com/netscape/cms/ocsp/DefStore.java | 27 ++++++++++++++++------ - .../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 7 ++++-- - 3 files changed, 32 insertions(+), 12 deletions(-) - -diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java -index 09b85b4..14dd338 100644 ---- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java -+++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java -@@ -415,6 +415,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, - */ - public BasicOCSPResponse sign(ResponseData rd) - throws EBaseException { -+ - try (DerOutputStream out = new DerOutputStream()) { - DerOutputStream tmp = new DerOutputStream(); - -@@ -424,9 +425,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, - if (rd_data != null) { - mTotalData += rd_data.length; - } -+ - rd.encode(tmp); - AlgorithmId.get(algname).encode(tmp); -- CMS.debug("adding signature"); -+ -+ CMS.debug("OCSPAuthority: adding signature"); - byte[] signature = mSigningUnit.sign(rd_data, algname); - - tmp.putBitString(signature); -@@ -440,6 +443,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, - for (int i = 0; i < chains.length; i++) { - tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); - } -+ - tmp1.write(DerValue.tag_Sequence, tmpChain); - tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), - tmp1); -@@ -449,9 +453,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, - BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); - - return response; -+ - } catch (Exception e) { -- e.printStackTrace(); -- // error e -+ CMS.debug(e); - log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString())); - return null; - } -diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -index 676257b..ea095ba 100644 ---- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -+++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java -@@ -409,8 +409,9 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - long endTime = CMS.getCurrentDate().getTime(); - mOCSPAuthority.incTotalTime(endTime - startTime); - return response; -+ - } catch (Exception e) { -- CMS.debug("DefStore: validation failed " + e.toString()); -+ CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); - return null; - } -@@ -449,6 +450,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CERT", e.toString())); - return null; - } -+ - MessageDigest md = MessageDigest.getInstance(cid.getDigestName()); - X509Key key = (X509Key) cert.getPublicKey(); - byte digest[] = md.digest(key.getKey()); -@@ -474,6 +476,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - break; - } - } -+ - } else { - theCert = matched.getX509CertImpl(); - theRec = matched.getCRLIssuingPointRecord(); -@@ -490,16 +493,19 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - - log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); - CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); -- CertStatus certStatus = null; -- GeneralizedTime thisUpdate = null; -+ -+ GeneralizedTime thisUpdate; - - if (theRec == null) { - thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); - } else { -- thisUpdate = new GeneralizedTime( -- theRec.getThisUpdate()); -+ Date d = theRec.getThisUpdate(); -+ CMS.debug("DefStore: CRL record this update: " + d); -+ thisUpdate = new GeneralizedTime(d); - 
} - -+ CMS.debug("DefStore: this update: " + thisUpdate.toDate()); -+ - // this is an optional field - GeneralizedTime nextUpdate; - -@@ -510,9 +516,15 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); - - } else { -- nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); -+ Date d = theRec.getNextUpdate(); -+ CMS.debug("DefStore: CRL record next update: " + d); -+ nextUpdate = new GeneralizedTime(d); - } - -+ CMS.debug("DefStore: next update: " + (nextUpdate == null ? null : nextUpdate.toDate())); -+ -+ CertStatus certStatus; -+ - if (theCRL == null) { - certStatus = new UnknownInfo(); - -@@ -551,10 +563,10 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - } else { - certStatus = new UnknownInfo(); - } -+ - } else { - certStatus = new RevokedInfo(new GeneralizedTime( - crlentry.getRevocationDate())); -- - } - - return new SingleResponse(cid, certStatus, thisUpdate, -@@ -564,6 +576,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { - // error log - CMS.debug("DefStore: failed processing request e=" + e); - } -+ - return null; - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java -index 940bf65..5fde89d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java -@@ -198,16 +198,19 @@ public class OCSPServlet extends CMSServlet { - throw new Exception("OCSPServlet: OCSP request is " - + "empty or malformed"); - } -+ - ocspReq = (OCSPRequest) reqTemplate.decode(is); -+ - if ((ocspReq == null) || - (ocspReq.toString().equals(""))) { - throw new Exception("OCSPServlet: Decoded OCSP request " - + "is empty or malformed"); - } -+ - response = ((IOCSPService) mAuthority).validate(ocspReq); -+ - } catch (Exception e) { -- ; -- CMS.debug("OCSPServlet: " + 
e.toString()); -+ CMS.debug(e); - } - - if (response != null) { --- -1.8.3.1 - - -From 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Mon, 10 Apr 2017 11:27:12 -0700 -Subject: [PATCH 19/38] Now the program can create and import shared secret - keys while under FIPS mode. - ---- - base/native-tools/src/tkstool/key.c | 102 ++++++++++++++++++++++++++------ - base/native-tools/src/tkstool/tkstool.c | 4 +- - base/native-tools/src/tkstool/tkstool.h | 3 +- - 3 files changed, 87 insertions(+), 22 deletions(-) - -diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c -index 4fd3796..e63da93 100644 ---- a/base/native-tools/src/tkstool/key.c -+++ b/base/native-tools/src/tkstool/key.c -@@ -19,6 +19,11 @@ - - #include "tkstool.h" - -+secuPWData pwdata = { PW_NONE, -+ 0 }; -+ -+ -+ - /*******************************/ - /** local private functions **/ - /*******************************/ -@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8 *newKey, - goto done; - } - -- key = PK11_ImportSymKeyWithFlags( -- /* slot */ slot, -- /* mechanism type */ CKM_DES3_ECB, -- /* origin */ PK11_OriginGenerated, -- /* operation */ CKA_ENCRYPT, -- /* key */ &keyItem, -- /* flags */ CKF_ENCRYPT, -- /* isPerm */ PR_FALSE, -- /* wincx */ 0 ); -+ key = TKS_ImportSymmetricKey( NULL, -+ slot, -+ CKM_DES3_ECB, -+ CKA_ENCRYPT, -+ &keyItem, -+ &pwdata, PR_FALSE ); -+ -+ - -+ -+ /* key = PK11_ImportSymKeyWithFlags( -+ slot, -+ CKM_DES3_ECB, -+ PK11_OriginGenerated, -+ CKA_ENCRYPT, -+ &keyItem, -+ CKF_ENCRYPT, -+ PR_FALSE, -+ 0 ); -+ */ - if( ! 
key ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to import %s key!\n\n\n", -@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, - CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, - SECItem *sessionKeyShare, -- secuPWData *pwdata ) -+ secuPWData *pwdata, PRBool isPerm ) - { - PK11Origin origin = PK11_OriginGenerated; - PK11SymKey *symKey = NULL; -+ PK11SymKey *sessKey = NULL; -+ PK11Context *context = NULL; -+ static SECItem noParams = { siBuffer, NULL, 0 }; -+ SECItem wrappeditem = { siBuffer, NULL, 0 }; -+ -+ int len = 0; -+ unsigned char wrappedkey[DES_LENGTH * 3]; -+ SECStatus s = SECSuccess; - - if( slot == NULL ) { - return NULL; -@@ -1077,15 +1100,56 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, - "Generating %s symmetric key . . .\n\n", - symmetricKeyName ); - -- symKey = PK11_ImportSymKeyWithFlags( -- /* slot */ slot, -- /* mechanism type */ mechanism, -- /* origin */ origin, -- /* operation */ operation, -- /* key */ sessionKeyShare, -- /* flags */ 0, -- /* isPerm */ PR_FALSE, -- /* wincx */ pwdata ); -+ sessKey = PK11_TokenKeyGenWithFlags(slot, // slot handle -+ CKM_DES3_KEY_GEN, // mechanism type -+ NULL, // pointer to params (SECItem structure) -+ 0, // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms) -+ 0, // pointer to keyid (SECItem structure) -+ CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags -+ PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set) -+ NULL); -+ -+ if( sessKey == NULL ) { -+ goto cleanup; -+ } -+ -+ // Import the key onto the token using the temp session key and the key data. 
-+ // -+ -+ context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT, -+ sessKey, -+ &noParams); -+ -+ if (context == NULL) { -+ goto cleanup; -+ } -+ -+ len = sessionKeyShare->len; -+ /* encrypt the key with the master key */ -+ s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 ); -+ if (s != SECSuccess) -+ { -+ goto cleanup; -+ } -+ -+ wrappeditem.data = wrappedkey; -+ wrappeditem.len = len; -+ -+ symKey = PK11_UnwrapSymKeyWithFlagsPerm(sessKey, CKM_DES3_ECB, &noParams, -+ &wrappeditem, CKM_DES3_KEY_GEN, CKA_DECRYPT, DES_LENGTH * 3, -+ (CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS, isPerm ); -+ -+cleanup: -+ if( sessKey != NULL) { -+ PK11_FreeSymKey( sessKey ); -+ sessKey = NULL; -+ } -+ -+ if( context ) { -+ PK11_DestroyContext( -+ /* context */ context, -+ /* free it */ PR_TRUE ); -+ } - return symKey; - } - -diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c -index 6fd2a97..53781e4 100644 ---- a/base/native-tools/src/tkstool/tkstool.c -+++ b/base/native-tools/src/tkstool/tkstool.c -@@ -1417,14 +1417,14 @@ main( int argc, char **argv ) - CKM_DES3_KEY_GEN, - CKA_ENCRYPT, - &paddedFirstSessionKeyShare, -- &pwdata ); -+ &pwdata, PR_FALSE ); - #else - firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, - internalSlot, - CKM_DES2_KEY_GEN, - CKA_ENCRYPT, - &firstSessionKeyShare, -- &pwdata ); -+ &pwdata , PR_FALSE ); - #endif - if( firstSymmetricKey == NULL ) { - PR_fprintf( PR_STDERR, -diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h -index 4c276b0..80fdafd 100644 ---- a/base/native-tools/src/tkstool/tkstool.h -+++ b/base/native-tools/src/tkstool/tkstool.h -@@ -124,6 +124,7 @@ - "and press enter to continue " \ - "(or ^C to break): " - -+#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL - - /**************************************/ - /** external function declarations **/ -@@ -222,7 +223,7 @@ 
TKS_ImportSymmetricKey( char *symmetricKeyName, - CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, - SECItem *sessionKeyShare, -- secuPWData *pwdata ); -+ secuPWData *pwdata, PRBool isPerm ); - - PK11SymKey * - TKS_DeriveSymmetricKey( char *symmetricKeyName, --- -1.8.3.1 - - -From 3ddc916954d712f6fe25497789925fecebef20fc Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 24 May 2017 12:31:45 -0400 -Subject: [PATCH 20/38] Encapsulate symmetric and asymmetric keygen audit - events - -Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 8 ---- - .../logging/event/AsymKeyGenerationEvent.java | 45 +++++++++++++++++++ - .../event/AsymKeyGenerationProcessedEvent.java | 51 ++++++++++++++++++++++ - .../logging/event/SymKeyGenerationEvent.java | 45 +++++++++++++++++++ - .../event/SymKeyGenerationProcessedEvent.java | 50 +++++++++++++++++++++ - .../src/com/netscape/kra/AsymKeyGenService.java | 20 ++++----- - .../kra/src/com/netscape/kra/SymKeyGenService.java | 16 +++---- - .../server/kra/rest/KeyRequestService.java | 19 ++++---- - base/server/cmsbundle/src/LogMessages.properties | 8 ++-- - 9 files changed, 221 insertions(+), 41 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 891398d..beedb9f 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -166,14 +166,6 @@ public class AuditEvent implements 
IBundleLogEvent { - - public final static String KEY_STATUS_CHANGE = - "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; -- public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6"; -- public static final String SYMKEY_GENERATION_REQUEST = -- "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; -- public static final String ASYMKEY_GENERATION_REQUEST = -- "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4"; -- public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED = -- "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; - - public final static String TOKEN_CERT_ENROLLMENT = - "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java -new file mode 100644 -index 0000000..f3236d6 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java -@@ -0,0 +1,45 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class AsymKeyGenerationEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST"; -+ -+ public AsymKeyGenerationEvent( -+ String subjectID, -+ String outcome, -+ RequestId requestID, -+ String clientKeyID) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID -+ }); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java -new file mode 100644 -index 0000000..ba242de ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java -@@ -0,0 +1,51 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class AsymKeyGenerationProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED"; -+ -+ public AsymKeyGenerationProcessedEvent( -+ String subjectID, -+ String outcome, -+ RequestId requestID, -+ String clientKeyID, -+ KeyId keyID, -+ String failureReason) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID, -+ keyID, -+ failureReason -+ }); -+ } -+} -+ -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java -new file mode 100644 -index 0000000..c1b8652 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java -@@ -0,0 +1,45 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SymKeyGenerationEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST"; -+ -+ public SymKeyGenerationEvent( -+ String subjectID, -+ String outcome, -+ RequestId requestID, -+ String clientKeyID) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java -new file mode 100644 -index 0000000..ad36d44 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java -@@ -0,0 +1,50 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class SymKeyGenerationProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"; -+ -+ public SymKeyGenerationProcessedEvent( -+ String subjectID, -+ String outcome, -+ RequestId requestID, -+ String clientKeyID, -+ KeyId keyID, -+ String failureReason) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ requestID, -+ clientKeyID, -+ keyID, -+ failureReason -+ }); -+ } -+} -diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index cfee504..ea1d0cc 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -28,11 +28,13 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.key.AsymKeyGenerationRequest; - import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AsymKeyGenerationProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.request.RequestId; -@@ -144,8 +146,8 @@ public class AsymKeyGenService implements IService { - } catch (EBaseException e) { - CMS.debugStackTrace(); - 
auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), -- clientKeyId, null, "Failed to generate Asymmetric key"); -- throw new EBaseException("Errors in generating Asymmetric key: " + e); -+ clientKeyId, null, "Failed to generate asymmetric key: " + e.getMessage()); -+ throw new EBaseException("Errors in generating Asymmetric key: " + e, e); - } - - if (kp == null) { -@@ -205,7 +207,7 @@ public class AsymKeyGenService implements IService { - storage.addKeyRecord(record); - - auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), -- clientKeyId, serialNo.toString(), "None"); -+ clientKeyId, new KeyId(serialNo), "None"); - request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); - kra.getRequestQueue().updateRequest(request); - return true; -@@ -234,15 +236,13 @@ public class AsymKeyGenService implements IService { - - private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, - String clientKeyID, -- String keyID, String reason) { -- String auditMessage = CMS.getLogMessage( -- AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED, -+ KeyId keyID, String reason) { -+ audit(new AsymKeyGenerationProcessedEvent( - subjectID, - status, -- requestID.toString(), -+ requestID, - clientKeyID, -- keyID != null ? 
keyID : "None", -- reason); -- audit(auditMessage); -+ keyID, -+ reason)); - } - } -diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java -index bf350d5..a4613c2 100644 ---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java -@@ -32,11 +32,13 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.dbs.keydb.IKeyRecord; - import com.netscape.certsrv.dbs.keydb.IKeyRepository; -+import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.key.SymKeyGenerationRequest; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.SymKeyGenerationProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; - import com.netscape.certsrv.request.RequestId; -@@ -232,7 +234,7 @@ public class SymKeyGenService implements IService { - storage.addKeyRecord(rec); - - auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), -- clientKeyId, serialNo.toString(), "None"); -+ clientKeyId, new KeyId(serialNo), "None"); - - request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); - mKRA.getRequestQueue().updateRequest(request); -@@ -262,15 +264,13 @@ public class SymKeyGenService implements IService { - } - - private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, -- String keyID, String reason) { -- String auditMessage = CMS.getLogMessage( -- AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED, -+ KeyId keyID, String reason) { -+ audit(new SymKeyGenerationProcessedEvent( - subjectID, - status, -- requestID.toString(), -+ requestID, - clientKeyID, -- 
keyID != null ? keyID : "None", -- reason); -- audit(auditMessage); -+ keyID, -+ reason)); - } - } -\ No newline at end of file -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -index 8ec69a7..4e21f12 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java -@@ -48,11 +48,12 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection; - import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.key.KeyRequestResponse; - import com.netscape.certsrv.key.SymKeyGenerationRequest; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.AsymKeyGenerationEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; -+import com.netscape.certsrv.logging.event.SymKeyGenerationEvent; - import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestNotFoundException; - import com.netscape.cms.realm.PKIPrincipal; -@@ -363,23 +364,19 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes - } - - public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { -- String msg = CMS.getLogMessage( -- AuditEvent.SYMKEY_GENERATION_REQUEST, -+ audit(new SymKeyGenerationEvent( - getRequestor(), - status, -- requestId != null ? 
requestId.toString() : "null", -- clientKeyID); -- auditor.log(msg); -+ requestId, -+ clientKeyID)); - } - - public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { -- String msg = CMS.getLogMessage( -- AuditEvent.ASYMKEY_GENERATION_REQUEST, -+ audit(new AsymKeyGenerationEvent( - getRequestor(), - status, -- requestId != null ? requestId.toString() : "null", -- clientKeyID); -- auditor.log(msg); -+ requestId, -+ clientKeyID)); - } - - @Override -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 66a7fd0..4a44134 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2492,22 +2492,22 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KE - # Client ID must be the user supplied client ID associated with - # the symmetric key to be generated and archived - # --LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed -+LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed - # - # LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST - # - used when symmetric key generation request is made - # ClientKeyID is the ID of the symmetirc key to be generated and archived - # --LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made -+LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request 
made - # - # LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST - # - used when asymmetric key generation request is made --LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made -+LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made - # - # LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED - # - used when a request to generate asymmetric keys received by the DRM - # is processed. --LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed -+LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed - # - # LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT - # - used for TPS when token certificate enrollment request is made --- -1.8.3.1 - - -From 468cacf6d6ec4f46bd4e60255105da3a585c4f6d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 01:28:06 +0200 -Subject: [PATCH 21/38] Replaced random number generator in - SecurityDataProcessor. - -The SecurityDataProcessor has been modified to use the random -number generator provided by JssSubsystem. 
- -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189 ---- - .../com/netscape/kra/SecurityDataProcessor.java | 25 ++++++++++++++++------ - 1 file changed, 19 insertions(+), 6 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 2899f32..ec848be 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -48,6 +48,7 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.cmscore.dbs.KeyRecord; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Utils; - -@@ -640,7 +641,7 @@ public class SecurityDataProcessor { - * (ie. algorithm is unknown) - */ - private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception { -- int numBytes = 0; -+ - EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)): - defaultAlg; - -@@ -651,8 +652,14 @@ public class SecurityDataProcessor { - if (alg.getParameterClasses() == null) - return null; - -- numBytes = alg.getIVLength(); -- return (new SecureRandom()).generateSeed(numBytes); -+ int numBytes = alg.getIVLength(); -+ byte[] bytes = new byte[numBytes]; -+ -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); -+ random.nextBytes(bytes); -+ -+ return bytes; - } - - /*** -@@ -668,7 +675,7 @@ public class SecurityDataProcessor { - * (ie. algorithm is unknown) - */ - private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception { -- int numBytes = 0; -+ - KeyWrapAlgorithm alg = wrapName != null ? 
KeyWrapAlgorithm.fromString(wrapName) : - defaultAlg; - -@@ -679,8 +686,14 @@ public class SecurityDataProcessor { - if (alg.getParameterClasses() == null) - return null; - -- numBytes = alg.getBlockSize(); -- return (new SecureRandom()).generateSeed(numBytes); -+ int numBytes = alg.getBlockSize(); -+ byte[] bytes = new byte[numBytes]; -+ -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); -+ random.nextBytes(bytes); -+ -+ return bytes; - } - - public SymmetricKey recoverSymKey(KeyRecord keyRecord) --- -1.8.3.1 - - -From eed550a9a7330d707f35ce8a9946573df68ff01b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 01:40:18 +0200 -Subject: [PATCH 22/38] Replaced random number generator in RequestQueue. - -The RequestQueue has been modified to use the random number -generator provided by JssSubsystem. - -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e ---- - .../cmscore/src/com/netscape/cmscore/request/RequestQueue.java | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java -index d7e7c6e..cd0f890 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java -@@ -42,6 +42,7 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestStatus; - import com.netscape.certsrv.request.ldap.IRequestMod; - import com.netscape.cmscore.dbs.DBSubsystem; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmscore.util.Debug; - - public class RequestQueue -@@ -60,9 +61,11 @@ public class RequestQueue - } - - protected RequestId newEphemeralRequestId() { -- long id = System.currentTimeMillis() * 10000 
+ new SecureRandom().nextInt(10000); -- RequestId rid = new RequestId(id); -- return rid; -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); -+ -+ long id = System.currentTimeMillis() * 10000 + random.nextInt(10000); -+ return new RequestId(id); - } - - protected IRequest readRequest(RequestId id) { --- -1.8.3.1 - - -From 14e4e7a992c9537b9bf0403e6d94f316009923d0 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 24 May 2017 20:25:54 +0200 -Subject: [PATCH 23/38] Added CRLIssuingPoint.generateCRLExtensions(). - -The code that generates CRLExtensions in updateCRLNow() -in CRLIssuingPoint has been refactored into a separate -generateCRLExtensions() method for clarity. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd ---- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 45 ++++++++++++------------ - 1 file changed, 22 insertions(+), 23 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index 64101d7..de733eb 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -2630,17 +2630,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - - mLastCRLNumber = mCRLNumber; - -- CRLExtensions ext = new CRLExtensions(); -- Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); -+ CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); - -- for (int i = 0; i < extNames.size(); i++) { -- String extName = extNames.elementAt(i); -- -- if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && -- (!extName.equals(FreshestCRLExtension.NAME))) { -- mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); -- } -- } - mSplits[1] += System.currentTimeMillis(); - - X509CRLImpl newX509DeltaCRL = null; -@@ -2791,20 +2782,11 @@ public class CRLIssuingPoint 
implements ICRLIssuingPoint, Runnable { - mNextCRLNumber = mNextDeltaCRLNumber; - } - -- CRLExtensions ext = null; -- -+ CRLExtensions ext; - if (mAllowExtensions) { -- ext = new CRLExtensions(); -- Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); -- -- for (int i = 0; i < extNames.size(); i++) { -- String extName = extNames.elementAt(i); -- -- if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && -- (!extName.equals(DeltaCRLIndicatorExtension.NAME))) { -- mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); -- } -- } -+ ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); -+ } else { -+ ext = null; - } - mSplits[6] += System.currentTimeMillis(); - // for audit log -@@ -2965,6 +2947,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - notifyAll(); - } - -+ CRLExtensions generateCRLExtensions(String excludedExtension) { -+ -+ CRLExtensions ext = new CRLExtensions(); -+ Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); -+ -+ for (int i = 0; i < extNames.size(); i++) { -+ String extName = extNames.elementAt(i); -+ -+ if (extName.equals(excludedExtension)) continue; -+ if (!mCMSCRLExtensions.isCRLExtensionEnabled(extName)) continue; -+ -+ mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); -+ } -+ -+ return ext; -+ } -+ - /** - * publish CRL. called from updateCRLNow() and init(). - */ --- -1.8.3.1 - - -From 9af1f0d3b48d6dd358a4c63f938f2c5d0e119d7a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 May 2017 00:36:45 +0200 -Subject: [PATCH 24/38] Added CRLIssuingPoint.generateDeltaCRL(). - -The code that generates delta CRL in updateCRLNow() -in CRLIssuingPoint has been refactored into a separate -generateDeltaCRL() method for clarity. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a ---- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 160 +++++++++++++---------- - 1 file changed, 93 insertions(+), 67 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index de733eb..317294b 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -2634,73 +2634,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - - mSplits[1] += System.currentTimeMillis(); - -- X509CRLImpl newX509DeltaCRL = null; -- -- try { -- mSplits[2] -= System.currentTimeMillis(); -- byte[] newDeltaCRL; -- -- // #56123 - dont generate CRL if no revoked certificates -- if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { -- if (deltaCRLCerts.size() == 0) { -- CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -- "No Revoked Certificates")); -- } -- } -- X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), -- AlgorithmId.get(signingAlgorithm), -- thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); -- -- newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); -- newDeltaCRL = newX509DeltaCRL.getEncoded(); -- mSplits[2] += System.currentTimeMillis(); -- -- mSplits[3] -= System.currentTimeMillis(); -- mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, -- Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); -- mSplits[3] += System.currentTimeMillis(); -- -- mDeltaCRLSize = deltaCRLCerts.size(); -- -- long totalTime = 0; -- StringBuffer splitTimes = new StringBuffer(" ("); -- for (int i = 1; i < mSplits.length && i < 5; i++) { -- totalTime += mSplits[i]; -- if (i > 1) -- splitTimes.append(","); -- splitTimes.append(String.valueOf(mSplits[i])); -- } -- 
splitTimes.append(")"); -- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -- AuditFormat.LEVEL, -- CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), -- new Object[] { -- getId(), -- getNextCRLNumber(), -- getCRLNumber(), -- getLastUpdate(), -- getNextDeltaUpdate(), -- Long.toString(mDeltaCRLSize), -- Long.toString(totalTime) + splitTimes.toString() -- } -- ); -- } catch (EBaseException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- } catch (NoSuchAlgorithmException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- } catch (CRLException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- } catch (X509ExtensionException e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- } catch (OutOfMemoryError e) { -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- } -+ X509CRLImpl newX509DeltaCRL = generateDeltaCRL( -+ deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); - - try { - mSplits[4] -= System.currentTimeMillis(); -@@ -2964,6 +2899,97 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - return ext; - } - -+ X509CRLImpl generateDeltaCRL( -+ Hashtable deltaCRLCerts, -+ String signingAlgorithm, -+ Date thisUpdate, -+ Date nextDeltaUpdate, -+ CRLExtensions ext) { -+ -+ X509CRLImpl newX509DeltaCRL = null; -+ -+ try { -+ mSplits[2] -= System.currentTimeMillis(); -+ -+ // #56123 - dont generate CRL if no revoked certificates -+ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { -+ if (deltaCRLCerts.size() == 0) { -+ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); -+ throw new 
EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -+ "No Revoked Certificates")); -+ } -+ } -+ -+ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), -+ AlgorithmId.get(signingAlgorithm), -+ thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); -+ -+ newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); -+ -+ byte[] newDeltaCRL = newX509DeltaCRL.getEncoded(); -+ -+ mSplits[2] += System.currentTimeMillis(); -+ -+ mSplits[3] -= System.currentTimeMillis(); -+ mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, -+ Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); -+ mSplits[3] += System.currentTimeMillis(); -+ -+ mDeltaCRLSize = deltaCRLCerts.size(); -+ -+ long totalTime = 0; -+ StringBuffer splitTimes = new StringBuffer(" ("); -+ for (int i = 1; i < mSplits.length && i < 5; i++) { -+ totalTime += mSplits[i]; -+ if (i > 1) -+ splitTimes.append(","); -+ splitTimes.append(String.valueOf(mSplits[i])); -+ } -+ splitTimes.append(")"); -+ -+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -+ AuditFormat.LEVEL, -+ CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), -+ new Object[] { -+ getId(), -+ getNextCRLNumber(), -+ getCRLNumber(), -+ getLastUpdate(), -+ getNextDeltaUpdate(), -+ Long.toString(mDeltaCRLSize), -+ Long.toString(totalTime) + splitTimes.toString() -+ } -+ ); -+ -+ } catch (EBaseException e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); -+ mDeltaCRLSize = -1; -+ -+ } catch (NoSuchAlgorithmException e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -+ mDeltaCRLSize = -1; -+ -+ } catch (CRLException e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -+ mDeltaCRLSize = -1; -+ -+ } catch (X509ExtensionException e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -+ 
mDeltaCRLSize = -1; -+ -+ } catch (OutOfMemoryError e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -+ mDeltaCRLSize = -1; -+ } -+ -+ return newX509DeltaCRL; -+ } -+ - /** - * publish CRL. called from updateCRLNow() and init(). - */ --- -1.8.3.1 - - -From f3cc4462e3fd353a78c6a174c93ef3f81c014ce8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 May 2017 00:58:03 +0200 -Subject: [PATCH 25/38] Added CRLIssuingPoint.generateFullCRL(). - -The code that generates full CRL in updateCRLNow() -in CRLIssuingPoint has been refactored into a separate -generateFullCRL() method for clarity. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e ---- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 254 ++++++++++++----------- - 1 file changed, 134 insertions(+), 120 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index 317294b..3764adf 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -2726,126 +2726,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - mSplits[6] += System.currentTimeMillis(); - // for audit log - -- X509CRLImpl newX509CRL; -- -- try { -- byte[] newCRL; -- -- CMS.debug("Making CRL with algorithm " + -- signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); -- -- mSplits[7] -= System.currentTimeMillis(); -- -- // #56123 - dont generate CRL if no revoked certificates -- if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { -- if (mCRLCerts.size() == 0) { -- CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -- "No Revoked Certificates")); -- } -- } -- CMS.debug("before new X509CRLImpl"); -- X509CRLImpl crl = 
new X509CRLImpl(mCA.getCRLX500Name(), -- AlgorithmId.get(signingAlgorithm), -- thisUpdate, nextUpdate, mCRLCerts, ext); -- -- CMS.debug("before sign"); -- newX509CRL = mCA.sign(crl, signingAlgorithm); -- -- CMS.debug("before getEncoded()"); -- newCRL = newX509CRL.getEncoded(); -- CMS.debug("after getEncoded()"); -- mSplits[7] += System.currentTimeMillis(); -- -- mSplits[8] -= System.currentTimeMillis(); -- -- Date nextUpdateDate = mNextUpdate; -- if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || -- (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { -- nextUpdateDate = mNextDeltaUpdate; -- } -- if (mSaveMemory) { -- mCRLRepository.updateCRLIssuingPointRecord( -- mId, newCRL, thisUpdate, nextUpdateDate, -- mNextCRLNumber, Long.valueOf(mCRLCerts.size())); -- updateCRLCacheRepository(); -- } else { -- mCRLRepository.updateCRLIssuingPointRecord( -- mId, newCRL, thisUpdate, nextUpdateDate, -- mNextCRLNumber, Long.valueOf(mCRLCerts.size()), -- mRevokedCerts, mUnrevokedCerts, mExpiredCerts); -- mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; -- } -- -- mSplits[8] += System.currentTimeMillis(); -- -- mCRLSize = mCRLCerts.size(); -- mCRLNumber = mNextCRLNumber; -- mDeltaCRLNumber = mCRLNumber; -- mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); -- mNextDeltaCRLNumber = mNextCRLNumber; -- -- CMS.debug("Logging CRL Update to transaction log"); -- long totalTime = 0; -- long crlTime = 0; -- long deltaTime = 0; -- StringBuilder splitTimes = new StringBuilder(" ("); -- for (int i = 0; i < mSplits.length; i++) { -- totalTime += mSplits[i]; -- if (i > 0 && i < 5) { -- deltaTime += mSplits[i]; -- } else { -- crlTime += mSplits[i]; -- } -- if (i > 0) -- splitTimes.append(","); -- splitTimes.append(mSplits[i]); -- } -- splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); -- mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -- AuditFormat.LEVEL, -- CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), -- new Object[] { -- getId(), -- 
getCRLNumber(), -- getLastUpdate(), -- getNextUpdate(), -- Long.toString(mCRLSize), -- Long.toString(totalTime), -- Long.toString(crlTime), -- Long.toString(deltaTime) + splitTimes -- } -- ); -- CMS.debug("Finished Logging CRL Update to transaction log"); -- -- } catch (EBaseException e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- if (Debug.on()) -- Debug.printStackTrace(e); -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- } catch (NoSuchAlgorithmException e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- } catch (CRLException e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- } catch (X509ExtensionException e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- } catch (OutOfMemoryError e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- } -+ X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); - - try { - mSplits[9] -= System.currentTimeMillis(); -@@ -2990,6 +2871,139 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - return newX509DeltaCRL; - } - -+ 
X509CRLImpl generateFullCRL( -+ String signingAlgorithm, -+ Date thisUpdate, -+ Date nextUpdate, -+ CRLExtensions ext) throws EBaseException { -+ -+ try { -+ CMS.debug("Making CRL with algorithm " + -+ signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); -+ -+ mSplits[7] -= System.currentTimeMillis(); -+ -+ // #56123 - dont generate CRL if no revoked certificates -+ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { -+ if (mCRLCerts.size() == 0) { -+ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); -+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -+ "No Revoked Certificates")); -+ } -+ } -+ -+ CMS.debug("CRLIssuingPoint: creating CRL object"); -+ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), -+ AlgorithmId.get(signingAlgorithm), -+ thisUpdate, nextUpdate, mCRLCerts, ext); -+ -+ CMS.debug("CRLIssuingPoint: signing CRL"); -+ X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); -+ -+ CMS.debug("CRLIssuingPoint: encoding CRL"); -+ byte[] newCRL = newX509CRL.getEncoded(); -+ -+ mSplits[7] += System.currentTimeMillis(); -+ -+ mSplits[8] -= System.currentTimeMillis(); -+ -+ Date nextUpdateDate = mNextUpdate; -+ if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || -+ (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { -+ nextUpdateDate = mNextDeltaUpdate; -+ } -+ -+ if (mSaveMemory) { -+ mCRLRepository.updateCRLIssuingPointRecord( -+ mId, newCRL, thisUpdate, nextUpdateDate, -+ mNextCRLNumber, Long.valueOf(mCRLCerts.size())); -+ updateCRLCacheRepository(); -+ -+ } else { -+ mCRLRepository.updateCRLIssuingPointRecord( -+ mId, newCRL, thisUpdate, nextUpdateDate, -+ mNextCRLNumber, Long.valueOf(mCRLCerts.size()), -+ mRevokedCerts, mUnrevokedCerts, mExpiredCerts); -+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; -+ } -+ -+ mSplits[8] += System.currentTimeMillis(); -+ -+ mCRLSize = mCRLCerts.size(); -+ mCRLNumber = 
mNextCRLNumber; -+ mDeltaCRLNumber = mCRLNumber; -+ mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); -+ mNextDeltaCRLNumber = mNextCRLNumber; -+ -+ CMS.debug("CRLIssuingPoint: Logging CRL Update to transaction log"); -+ long totalTime = 0; -+ long crlTime = 0; -+ long deltaTime = 0; -+ StringBuilder splitTimes = new StringBuilder(" ("); -+ for (int i = 0; i < mSplits.length; i++) { -+ totalTime += mSplits[i]; -+ if (i > 0 && i < 5) { -+ deltaTime += mSplits[i]; -+ } else { -+ crlTime += mSplits[i]; -+ } -+ if (i > 0) -+ splitTimes.append(","); -+ splitTimes.append(mSplits[i]); -+ } -+ splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); -+ -+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, -+ AuditFormat.LEVEL, -+ CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), -+ new Object[] { -+ getId(), -+ getCRLNumber(), -+ getLastUpdate(), -+ getNextUpdate(), -+ Long.toString(mCRLSize), -+ Long.toString(totalTime), -+ Long.toString(crlTime), -+ Long.toString(deltaTime) + splitTimes -+ } -+ ); -+ -+ CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); -+ -+ return newX509CRL; -+ -+ } catch (EBaseException e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ -+ } catch (NoSuchAlgorithmException e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ -+ } catch (CRLException e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ -+ } catch 
(X509ExtensionException e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ -+ } catch (OutOfMemoryError e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ } -+ } -+ - /** - * publish CRL. called from updateCRLNow() and init(). - */ --- -1.8.3.1 - - -From c88ad697138778c597cf8ce361f8ee1761bee0ab Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 24 May 2017 22:49:24 -0400 -Subject: [PATCH 26/38] Encapsulate key status change audit logs - -Change-Id: I57b30cdff571056d0a95436858308872a8dc007b ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 3 -- - .../event/SecurityDataStatusChangeEvent.java | 49 ++++++++++++++++++++++ - .../org/dogtagpki/server/kra/rest/KeyService.java | 16 ++++--- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - 4 files changed, 57 insertions(+), 13 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index beedb9f..348ea09 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -164,9 +164,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String CONFIG_SERIAL_NUMBER = - "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - -- public final static String KEY_STATUS_CHANGE = -- "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; -- - public final static String TOKEN_CERT_ENROLLMENT = - "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; - 
public final static String TOKEN_CERT_RENEWAL = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java -new file mode 100644 -index 0000000..082516c ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java -@@ -0,0 +1,49 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.AuditEvent; -+ -+public class SecurityDataStatusChangeEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE"; -+ -+ public SecurityDataStatusChangeEvent( -+ String subjectID, -+ String outcome, -+ KeyId keyID, -+ String oldStatus, -+ String newStatus, -+ String info) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ keyID, -+ oldStatus, -+ newStatus, -+ info -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -index 8edb928..642367c 100644 ---- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java -@@ -60,12 +60,12 @@ import com.netscape.certsrv.key.KeyRecoveryRequest; - import com.netscape.certsrv.key.KeyResource; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.kra.IKeyService; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataExportEvent; - import com.netscape.certsrv.logging.event.SecurityDataInfoEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataStatusChangeEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; - import com.netscape.certsrv.request.RequestId; -@@ -657,17 +657,15 @@ public class KeyService extends SubsystemService implements KeyResource { - auditKeyInfo(keyId, 
clientKeyId, ILogger.FAILURE, message); - } - -- public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, -+ public void auditKeyStatusChange(String status, KeyId keyID, String oldKeyStatus, - String newKeyStatus, String info) { -- String msg = CMS.getLogMessage( -- AuditEvent.KEY_STATUS_CHANGE, -+ audit(new SecurityDataStatusChangeEvent( - servletRequest.getUserPrincipal().getName(), - status, - keyID, - oldKeyStatus, - newKeyStatus, -- info); -- auditor.log(msg); -+ info)); - } - - public void auditRecoveryRequest(String status) { -@@ -809,20 +807,20 @@ public class KeyService extends SubsystemService implements KeyResource { - mods.add(IKeyRecord.ATTR_STATUS, Modification.MOD_REPLACE, - status); - repo.modifyKeyRecord(keyId.toBigInteger(), mods); -- auditKeyStatusChange(ILogger.SUCCESS, keyId.toString(), -+ auditKeyStatusChange(ILogger.SUCCESS, keyId, - (info!=null)?info.getStatus():null, status, auditInfo); - - return createNoContentResponse(); - } catch (EDBRecordNotFoundException e) { - auditInfo = auditInfo + ":" + e.getMessage(); - CMS.debug(auditInfo); -- auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), -+ auditKeyStatusChange(ILogger.FAILURE, keyId, - (info!=null)?info.getStatus():null, status, auditInfo); - throw new KeyNotFoundException(keyId, "key not found to modify", e); - } catch (Exception e) { - auditInfo = auditInfo + ":" + e.getMessage(); - CMS.debug(auditInfo); -- auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), -+ auditKeyStatusChange(ILogger.FAILURE, keyId, - (info!=null)?info.getStatus():null, status, auditInfo); - e.printStackTrace(); - throw new PKIException(e.getMessage(), e); -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 4a44134..3ac23d5 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2484,7 +2484,7 @@ 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SE - # oldStatus is the old status to change from - # newStatus is the new status to change to - # --LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change -+LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change - # - # LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED - # - used when symmetric key generation request is processed --- -1.8.3.1 - - -From 2a947446b81d21758ffadbae905a49e8c4e900ef Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 24 May 2017 23:42:41 -0400 -Subject: [PATCH 27/38] Encapsulate server side keygen audit events - -This encapsulates key gen events for the token servlets. -Consolidated the success and failure cases. Note that this -event can likely later be replaced with security_data_keygen -events. Leaving separate for now. 
- -Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 6 --- - .../logging/event/ServerSideKeyGenEvent.java | 45 +++++++++++++++++++++ - .../event/ServerSideKeyGenProcessedEvent.java | 47 ++++++++++++++++++++++ - base/kra/shared/conf/CS.cfg | 4 +- - .../src/com/netscape/kra/NetkeyKeygenService.java | 34 +++++++--------- - base/server/cmsbundle/src/LogMessages.properties | 14 ++----- - 6 files changed, 113 insertions(+), 37 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 348ea09..1d94dad 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -72,12 +72,6 @@ public class AuditEvent implements IBundleLogEvent { - public final static String LOG_PATH_CHANGE = - "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - -- public final static String SERVER_SIDE_KEYGEN_REQUEST = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; -- public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; -- public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = -- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; - public final static String KEY_RECOVERY_AGENT_LOGIN = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; - public final static String KEY_GEN_ASYMMETRIC = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java -new file mode 100644 -index 0000000..0894716 ---- /dev/null -+++ 
b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java -@@ -0,0 +1,45 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class ServerSideKeyGenEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST"; -+ -+ public ServerSideKeyGenEvent( -+ String subjectID, -+ String outcome, -+ String entityID, -+ RequestId requestID) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ entityID, -+ requestID -+ }); -+ } -+} -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java -new file mode 100644 -index 0000000..71ed3ed ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java -@@ -0,0 +1,47 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute 
it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.request.RequestId; -+ -+public class ServerSideKeyGenProcessedEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ private static final String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"; -+ -+ public ServerSideKeyGenProcessedEvent( -+ String subjectID, -+ String outcome, -+ String entityID, -+ RequestId requestID, -+ String pubKey) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ outcome, -+ entityID, -+ requestID, -+ pubKey -+ }); -+ } -+} -\ No newline at end of file -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 69d9382..c08e56e 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO -+log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED 
-+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED - log.instance.SignedAudit.expirationTime=0 - 
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 947377a..e54c58a 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -53,8 +53,11 @@ import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.logging.event.SecurityDataExportEvent; -+import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent; -+import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -+import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.cms.servlet.key.KeyRecordParser; -@@ -144,7 +147,6 @@ public class NetkeyKeygenService implements IService { - */ - public boolean serviceRequest(IRequest request) - throws EBaseException { -- String auditMessage = null; - String auditSubjectID = null; - byte[] wrapped_des_key; - -@@ -180,23 +182,21 @@ public class NetkeyKeygenService implements IService { - String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); - String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE); -+ RequestId requestId = request.getRequestId(); - - auditSubjectID = rCUID + ":" + rUserid; - - SessionContext sContext = SessionContext.getContext(); - String agentId = ""; - if (sContext != null) { -- agentId = -- (String) sContext.get(SessionContext.USER_ID); -+ 
agentId = (String) sContext.get(SessionContext.USER_ID); - } - -- auditMessage = CMS.getLogMessage( -- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, -+ audit(new ServerSideKeyGenEvent( - agentId, - ILogger.SUCCESS, -- auditSubjectID); -- -- audit(auditMessage); -+ auditSubjectID, -+ requestId)); - - String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - // the request reocrd field delayLDAPCommit == "true" will cause -@@ -262,13 +262,12 @@ public class NetkeyKeygenService implements IService { - CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - -- auditMessage = CMS.getLogMessage( -- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, -+ audit(new ServerSideKeyGenProcessedEvent( - agentId, - ILogger.FAILURE, -- auditSubjectID); -- -- audit(auditMessage); -+ auditSubjectID, -+ requestId, -+ null)); - - return false; - } -@@ -294,14 +293,12 @@ public class NetkeyKeygenService implements IService { - request.setExtData("public_key", PubKey); - } - -- auditMessage = CMS.getLogMessage( -- AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, -+ audit(new ServerSideKeyGenProcessedEvent( - agentId, - ILogger.SUCCESS, - auditSubjectID, -- PubKey); -- -- audit(auditMessage); -+ requestId, -+ PubKey)); - - //...extract the private key handle (not privatekeydata) - java.security.PrivateKey privKey = -@@ -365,7 +362,6 @@ public class NetkeyKeygenService implements IService { - "NetkeyKeygenService: failed generating wrapped private key", - PubKey)); - -- audit(auditMessage); - return false; - } else { - request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 3ac23d5..fc4e946 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -1947,21 
+1947,15 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA - # - used when server-side key generation request is made - # This is for tokenkeys - # EntityID must be the representation of the subject that will be on the certificate when issued --LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed -+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}] server-side key generation request - # --# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS --# - used when server-side key generation request has been processed with success -+# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED -+# - used when server-side key generation request has been processed. - # This is for tokenkeys - # EntityID must be the representation of the subject that will be on the certificate when issued - # PubKey must be the base-64 encoded public key associated with - # the private key to be archived --LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] server-side key generation request processed with success --# --# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE --# - used when server-side key generation request has been processed with failure --# This is for tokenkeys --# EntityID must be the representation of the subject that will be on the certificate when issued --LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed with failure 
-+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}][[PubKey={4}] server-side key generation request processed - # - # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST - # - used when key recovery request is made --- -1.8.3.1 - - -From 8aa94e1ca017e54454f6f6f6ebb4ee254062e822 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 May 2017 01:49:36 +0200 -Subject: [PATCH 28/38] Replaced SHA1-based random number generators. - -The SHA1-based random number generators in some classes have been -replaced with the random number generator provided by JssSubsystem. - -https://pagure.io/dogtagpki/issue/2695 - -Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514 ---- - base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 5 ++++- - base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 5 ++++- - base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java | 7 +++++-- - 3 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index e54c58a..8383e89 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -62,6 +62,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.cms.servlet.key.KeyRecordParser; - import com.netscape.cmscore.dbs.KeyRecord; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmscore.util.Debug; - import com.netscape.cmsutil.crypto.CryptoUtil; - -@@ -153,10 +154,12 @@ public class NetkeyKeygenService implements IService { - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - String iv_s = ""; - try { -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -+ JssSubsystem jssSubsystem = (JssSubsystem) 
CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); - random.nextBytes(iv); - } catch (Exception e) { - CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString()); -+ throw new EBaseException(e); - } - - IVParameterSpec algParam = new IVParameterSpec(iv); -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index 2519a4d..c0b5cdd 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -56,6 +56,7 @@ import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.security.IStorageKeyUnit; - import com.netscape.certsrv.security.ITransportKeyUnit; - import com.netscape.cmscore.dbs.KeyRecord; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; - -@@ -203,10 +204,12 @@ public class TokenKeyRecoveryService implements IService { - - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - try { -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); - random.nextBytes(iv); - } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); -+ throw new EBaseException(e); - } - - RequestId auditRequestID = request.getRequestId(); -diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java -index c8150a9..5b8b1dd 100644 ---- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java -+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java -@@ -54,6 +54,7 @@ import com.netscape.cms.servlet.common.CMSRequest; - import com.netscape.cms.servlet.tks.GPParams; - import 
com.netscape.cms.servlet.tks.NistSP800_108KDF; - import com.netscape.cms.servlet.tks.SecureChannelProtocol; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.symkey.SessionKey; - -@@ -1996,7 +1997,8 @@ public class TokenServlet extends CMSServlet { - CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); - } - try { -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); - data = new byte[16]; - random.nextBytes(data); - } catch (Exception e) { -@@ -2320,7 +2322,8 @@ public class TokenServlet extends CMSServlet { - - if (!missingParam) { - try { -- SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ SecureRandom random = jssSubsystem.getRandomNumberGenerator(); - randomData = new byte[dataSize]; - random.nextBytes(randomData); - } catch (Exception e) { --- -1.8.3.1 - - -From 5ce1212159f8055ab7534887542e1d8cb41eb15d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 May 2017 19:35:36 +0200 -Subject: [PATCH 29/38] Refactored CRLIssuingPoint.generateDeltaCRL(). - -The code related to delta CRL generation has been moved into -generateDeltaCRL(). 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26 ---- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 102 ++++++++++++----------- - 1 file changed, 54 insertions(+), 48 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index 3764adf..feca02a 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -2607,51 +2607,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - mSplits[5] += System.currentTimeMillis(); - } else { - if (isDeltaCRLEnabled()) { -- mSplits[1] -= System.currentTimeMillis(); -- @SuppressWarnings("unchecked") -- Hashtable deltaCRLCerts = -- (Hashtable) clonedRevokedCerts.clone(); - -- deltaCRLCerts.putAll(clonedUnrevokedCerts); -- if (mIncludeExpiredCertsOneExtraTime) { -- if (!clonedExpiredCerts.isEmpty()) { -- for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { -- BigInteger serialNumber = e.nextElement(); -- if ((mLastFullUpdate != null && -- mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || -- mLastFullUpdate == null) { -- deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); -- } -- } -- } -- } else { -- deltaCRLCerts.putAll(clonedExpiredCerts); -- } -- -- mLastCRLNumber = mCRLNumber; -- -- CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); -- -- mSplits[1] += System.currentTimeMillis(); -+ generateDeltaCRL( -+ clonedRevokedCerts, -+ clonedUnrevokedCerts, -+ clonedExpiredCerts, -+ signingAlgorithm, -+ thisUpdate, -+ nextDeltaUpdate); - -- X509CRLImpl newX509DeltaCRL = generateDeltaCRL( -- deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); -- -- try { -- mSplits[4] -= System.currentTimeMillis(); -- publishCRL(newX509DeltaCRL, true); -- mSplits[4] += System.currentTimeMillis(); -- } catch (EBaseException e) { -- newX509DeltaCRL 
= null; -- if (Debug.on()) -- Debug.printStackTrace(e); -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -- } catch (OutOfMemoryError e) { -- newX509DeltaCRL = null; -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -- } - } else { - mDeltaCRLSize = -1; - } -@@ -2780,12 +2744,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - return ext; - } - -- X509CRLImpl generateDeltaCRL( -- Hashtable deltaCRLCerts, -+ void generateDeltaCRL( -+ Hashtable clonedRevokedCerts, -+ Hashtable clonedUnrevokedCerts, -+ Hashtable clonedExpiredCerts, - String signingAlgorithm, - Date thisUpdate, -- Date nextDeltaUpdate, -- CRLExtensions ext) { -+ Date nextDeltaUpdate) { -+ -+ mSplits[1] -= System.currentTimeMillis(); -+ -+ @SuppressWarnings("unchecked") -+ Hashtable deltaCRLCerts = -+ (Hashtable) clonedRevokedCerts.clone(); -+ -+ deltaCRLCerts.putAll(clonedUnrevokedCerts); -+ -+ if (mIncludeExpiredCertsOneExtraTime) { -+ -+ for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { -+ BigInteger serialNumber = e.nextElement(); -+ if (mLastFullUpdate == null || -+ mLastFullUpdate.after(mExpiredCerts.get(serialNumber).getRevocationDate())) { -+ deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); -+ } -+ } -+ -+ } else { -+ deltaCRLCerts.putAll(clonedExpiredCerts); -+ } -+ -+ mLastCRLNumber = mCRLNumber; -+ -+ CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); -+ -+ mSplits[1] += System.currentTimeMillis(); - - X509CRLImpl newX509DeltaCRL = null; - -@@ -2868,7 +2861,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - mDeltaCRLSize = -1; - } - -- return newX509DeltaCRL; -+ try { -+ mSplits[4] -= System.currentTimeMillis(); -+ publishCRL(newX509DeltaCRL, true); -+ mSplits[4] += System.currentTimeMillis(); -+ -+ } catch (EBaseException e) { -+ 
CMS.debug(e); -+ log(ILogger.LL_FAILURE, -+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -+ } catch (OutOfMemoryError e) { -+ CMS.debug(e); -+ log(ILogger.LL_FAILURE, -+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -+ } - } - - X509CRLImpl generateFullCRL( --- -1.8.3.1 - - -From 5e0cb550236c5bb06baa4b3a94558407a53c92ea Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 May 2017 21:22:50 +0200 -Subject: [PATCH 30/38] Refactored CRLIssuingPoint.generateFullCRL(). - -The code related to full CRL generation has been moved into -generateFullCRL(). - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I6a23c97255ba7095e168e927621f0503923251c2 ---- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 80 ++++++++++++------------ - 1 file changed, 40 insertions(+), 40 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index feca02a..cbcdc69 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -2676,39 +2676,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - clonedExpiredCerts = null; - - if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) { -- mSplits[6] -= System.currentTimeMillis(); -- if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { -- mNextCRLNumber = mNextDeltaCRLNumber; -- } -- -- CRLExtensions ext; -- if (mAllowExtensions) { -- ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); -- } else { -- ext = null; -- } -- mSplits[6] += System.currentTimeMillis(); -- // for audit log - -- X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); -- -- try { -- mSplits[9] -= System.currentTimeMillis(); -- mUpdatingCRL = CRL_PUBLISHING_STARTED; -- publishCRL(newX509CRL); -- newX509CRL = null; -- mSplits[9] += System.currentTimeMillis(); -- } catch 
(EBaseException e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -- } catch (OutOfMemoryError e) { -- newX509CRL = null; -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -- } -+ generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate); - } - - if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) { -@@ -2877,11 +2846,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - } - } - -- X509CRLImpl generateFullCRL( -+ void generateFullCRL( - String signingAlgorithm, - Date thisUpdate, -- Date nextUpdate, -- CRLExtensions ext) throws EBaseException { -+ Date nextUpdate) throws EBaseException { -+ -+ mSplits[6] -= System.currentTimeMillis(); -+ if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { -+ mNextCRLNumber = mNextDeltaCRLNumber; -+ } -+ -+ CRLExtensions ext; -+ if (mAllowExtensions) { -+ ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); -+ } else { -+ ext = null; -+ } -+ mSplits[6] += System.currentTimeMillis(); -+ -+ X509CRLImpl newX509CRL = null; - - try { - CMS.debug("Making CRL with algorithm " + -@@ -2904,7 +2887,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - thisUpdate, nextUpdate, mCRLCerts, ext); - - CMS.debug("CRLIssuingPoint: signing CRL"); -- X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); -+ newX509CRL = mCA.sign(crl, signingAlgorithm); - - CMS.debug("CRLIssuingPoint: encoding CRL"); - byte[] newCRL = newX509CRL.getEncoded(); -@@ -2914,8 +2897,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - mSplits[8] -= System.currentTimeMillis(); - - Date nextUpdateDate = mNextUpdate; -- if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || -- (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { 
-+ if (isDeltaCRLEnabled() -+ && (mUpdateSchema > 1 || mEnableDailyUpdates && mExtendedTimeList) -+ && mNextDeltaUpdate != null) { - nextUpdateDate = mNextDeltaUpdate; - } - -@@ -2976,8 +2960,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - - CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); - -- return newX509CRL; -- - } catch (EBaseException e) { - CMS.debug(e); - mUpdatingCRL = CRL_UPDATE_DONE; -@@ -3008,6 +2990,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } -+ -+ try { -+ mSplits[9] -= System.currentTimeMillis(); -+ mUpdatingCRL = CRL_PUBLISHING_STARTED; -+ publishCRL(newX509CRL); -+ mSplits[9] += System.currentTimeMillis(); -+ -+ } catch (EBaseException e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, -+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -+ } catch (OutOfMemoryError e) { -+ CMS.debug(e); -+ mUpdatingCRL = CRL_UPDATE_DONE; -+ log(ILogger.LL_FAILURE, -+ CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -+ } - } - - /** --- -1.8.3.1 - - -From 64233b8f26a3f87786fa0e0d641a5a02116ebece Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 26 May 2017 00:13:49 +0200 -Subject: [PATCH 31/38] Updated ECAException constructor. - -The ECAException constructor has been modified to accept a more -generic Throwable instead of Exception. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee ---- - base/common/src/com/netscape/certsrv/ca/ECAException.java | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java -index 01c601e..814219f 100644 ---- a/base/common/src/com/netscape/certsrv/ca/ECAException.java -+++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java -@@ -51,10 +51,10 @@ public class ECAException extends EBaseException { - *

    - * - * @param msgFormat constant from CAResources. -- * @param e embedded exception. -+ * @param cause cause of this exception. - */ -- public ECAException(String msgFormat, Exception e) { -- super(msgFormat, e); -+ public ECAException(String msgFormat, Throwable cause) { -+ super(msgFormat, cause); - } - - /** --- -1.8.3.1 - - -From 5438e24e022c4c169ff9b5c6325e5ec0023d4caa Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 25 May 2017 16:31:45 -0400 -Subject: [PATCH 32/38] Set encryption flag for generated keys - -The key record for keys generated in the keygen servlets -was not updated to reflect whether or not the server was set up -to do encryption/key wrapping. This patch corrects this -oversight. - -Bugzilla BZ# 1455617 - -Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024 ---- - base/kra/src/com/netscape/kra/AsymKeyGenService.java | 2 +- - base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 2 +- - base/kra/src/com/netscape/kra/SymKeyGenService.java | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -index ea1d0cc..1e38b48 100644 ---- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java -@@ -197,7 +197,7 @@ public class AsymKeyGenService implements IService { - } - - try { -- record.setWrappingParams(params, false); -+ record.setWrappingParams(params, allowEncDecrypt_archival); - } catch (Exception e) { - auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), - clientKeyId, null, "Failed to store wrapping params"); -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 8383e89..96d7aae 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -477,7 +477,7 @@ public class 
NetkeyKeygenService implements IService { - return false; - } - -- rec.setWrappingParams(params, false); -+ rec.setWrappingParams(params, allowEncDecrypt_archival); - - CMS.debug("NetkeyKeygenService: before addKeyRecord"); - rec.set(KeyRecord.ATTR_ID, serialNo); -diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java -index a4613c2..578b1ff 100644 ---- a/base/kra/src/com/netscape/kra/SymKeyGenService.java -+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java -@@ -221,7 +221,7 @@ public class SymKeyGenService implements IService { - } - - try { -- rec.setWrappingParams(params, false); -+ rec.setWrappingParams(params, allowEncDecrypt_archival); - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, - "Failed to store wrapping parameters: " + e); --- -1.8.3.1 - - -From 2866f6195eb49012cf7c42089a9fbf1be819129a Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 26 May 2017 17:47:14 +1000 -Subject: [PATCH 33/38] Fix NPE in lightweight CA creation - -Fixes: https://pagure.io/dogtagpki/issue/2711 ---- - .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -index 908cbe4..4b0f68c 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java -@@ -148,7 +148,9 @@ public class EnrollmentProcessor extends CertProcessor { - IProfileContext ctx = profile.createContext(); - - // set arbitrary user data into request, if any -- String userData = request.getParameter("user-data"); -+ String userData = null; -+ if (request != null) -+ userData = request.getParameter("user-data"); - if (userData != null) - ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); - --- 
-1.8.3.1 - - -From e3f64ea8ca4ec231a954076a7f6b05dfc626ff1b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 18 May 2017 19:38:20 +0200 -Subject: [PATCH 34/38] Added DELTA_CRL_GENERATION audit event. - -A new DELTA_CRL_GENERATION audit event has been added which will -be generated when delta CRL generation is complete. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f ---- - base/ca/shared/conf/CS.cfg | 4 +- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 69 ++++++++++++----- - .../logging/event/DeltaCRLGenerationEvent.java | 86 ++++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 6 ++ - 4 files changed, 145 insertions(+), 20 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 4e881dc..7377561 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST 
-+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCE
SS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUE
ST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index cbcdc69..ff157b5 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -51,8 +51,10 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; - import com.netscape.certsrv.dbs.certdb.IRevocationInfo; - import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; - import com.netscape.certsrv.dbs.crldb.ICRLRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; - import com.netscape.certsrv.publish.ILdapRule; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; -@@ -2758,8 +2760,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { - if 
(deltaCRLCerts.size() == 0) { - CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -- "No Revoked Certificates")); -+ mDeltaCRLSize = -1; -+ audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates")); -+ return; - } - } - -@@ -2804,30 +2807,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - } - ); - -+ audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber)); -+ - } catch (EBaseException e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); - mDeltaCRLSize = -1; -+ audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); -+ return; - -- } catch (NoSuchAlgorithmException e) { -- CMS.debug(e); -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- -- } catch (CRLException e) { -- CMS.debug(e); -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- -- } catch (X509ExtensionException e) { -- CMS.debug(e); -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); -- mDeltaCRLSize = -1; -- -- } catch (OutOfMemoryError e) { -+ } catch (Throwable e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; -+ audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); -+ return; - } - - try { -@@ -3186,6 +3180,45 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - } - } - } -+ -+ String getAuditSubjectID() { -+ -+ SessionContext context = SessionContext.getExistingContext(); -+ -+ if (context == null) { -+ return ILogger.UNIDENTIFIED; -+ } -+ -+ String 
subjectID = (String)context.get(SessionContext.USER_ID); -+ -+ if (subjectID == null) { -+ if (Thread.currentThread() == mUpdateThread) { -+ return ILogger.SYSTEM_UID; -+ -+ } else { -+ return ILogger.NONROLEUSER; -+ } -+ } -+ -+ return subjectID.trim(); -+ } -+ -+ void audit(AuditEvent event) { -+ -+ ILogger logger = CMS.getSignedAuditLogger(); -+ if (logger == null) return; -+ -+ String messageID = event.getMessage(); -+ Object[] params = event.getParameters(); -+ -+ String message = CMS.getLogMessage(messageID, params); -+ -+ logger.log(ILogger.EV_SIGNED_AUDIT, -+ null, -+ ILogger.S_SIGNED_AUDIT, -+ ILogger.LL_SECURITY, -+ message); -+ } - } - - class CertRecProcessor implements IElementProcessor { -diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java -new file mode 100644 -index 0000000..ba04a33 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java -@@ -0,0 +1,86 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import java.math.BigInteger; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+ -+public class DeltaCRLGenerationEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION"; -+ -+ public DeltaCRLGenerationEvent() { -+ super(LOGGING_PROPERTY); -+ } -+ -+ public static DeltaCRLGenerationEvent createSuccessEvent( -+ String subjectID, -+ BigInteger crlNumber) { -+ -+ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); -+ -+ event.setAttribute("CRLnum", crlNumber); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+ -+ public static DeltaCRLGenerationEvent createSuccessEvent( -+ String subjectID, -+ String info) { -+ -+ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); -+ -+ event.setAttribute("Info", info); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+ -+ public static DeltaCRLGenerationEvent createFailureEvent( -+ String subjectID, -+ String reason) { -+ -+ DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); -+ -+ event.setAttribute("FailureReason", reason); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.FAILURE, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index fc4e946..30b8e2a 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] 
Identification Proof of Possession linking witness verification - # -+# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION -+# - used when delta CRL generation is complete -+# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise -+# -+LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation -+# - # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL - # - used when CRLs are retrieved by the OCSP Responder - # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise --- -1.8.3.1 - - -From 4d5ecb5dd3e1f4eabbe29ab2ddbfeb825f9f4233 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 May 2017 22:53:03 +0200 -Subject: [PATCH 35/38] Added DELTA_CRL_PUBLISHING audit event. - -A new DELTA_CRL_PUBLISHING audit event has been added which will -be generated when delta CRL publishing is complete. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372 ---- - base/ca/shared/conf/CS.cfg | 4 +- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 10 ++-- - .../logging/event/DeltaCRLPublishingEvent.java | 63 ++++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 6 +++ - 4 files changed, 76 insertions(+), 7 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 7377561..867e4cb 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_K
EYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_
REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index ff157b5..9fd8c49 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; -+import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; - import com.netscape.certsrv.publish.ILdapRule; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; -@@ -2829,14 +2830,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - publishCRL(newX509DeltaCRL, true); - mSplits[4] += System.currentTimeMillis(); - -- } catch 
(EBaseException e) { -- CMS.debug(e); -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -- } catch (OutOfMemoryError e) { -+ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber)); -+ -+ } catch (Throwable e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); -+ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage())); - } - } - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java -new file mode 100644 -index 0000000..d6521d7 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java -@@ -0,0 +1,63 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import java.math.BigInteger; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+ -+public class DeltaCRLPublishingEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING"; -+ -+ public DeltaCRLPublishingEvent( -+ String subjectID, -+ BigInteger crlNumber) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("CRLnum", crlNumber); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ getAttributeList() -+ }); -+ } -+ -+ public DeltaCRLPublishingEvent( -+ String subjectID, -+ BigInteger crlNumber, -+ String reason) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("CRLnum", crlNumber); -+ setAttribute("FailureReason", reason); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.FAILURE, -+ getAttributeList() -+ }); -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 30b8e2a..c35d605 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2128,6 +2128,12 @@ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[A - # - LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation - # -+# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING -+# - used when delta CRL publishing is complete -+# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise -+# -+LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing -+# - # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL - # - used when CRLs are retrieved by the OCSP Responder - # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise --- -1.8.3.1 
- - -From 37e6ba6d1fb24694c2744adbc27c78b749d7e35d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 26 May 2017 00:13:10 +0200 -Subject: [PATCH 36/38] Added FULL_CRL_GENERATION audit event. - -A new FULL_CRL_GENERATION audit event has been added which will -be generated when full CRL generation is complete. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I74b083721e477ad72fe5a787935af617e89a6968 ---- - base/ca/shared/conf/CS.cfg | 4 +- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 36 +++------ - .../logging/event/FullCRLGenerationEvent.java | 86 ++++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 6 ++ - 4 files changed, 104 insertions(+), 28 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 867e4cb..3daac8b 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_
FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUE
ST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index 9fd8c49..9583f50 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -19,8 +19,6 @@ package com.netscape.ca; - - import java.io.IOException; - import java.math.BigInteger; --import java.security.NoSuchAlgorithmException; --import java.security.cert.CRLException; - import java.util.Date; - import java.util.Enumeration; - import java.util.Hashtable; -@@ -56,6 +54,7 @@ import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; - import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; -+import com.netscape.certsrv.logging.event.FullCRLGenerationEvent; - 
import com.netscape.certsrv.publish.ILdapRule; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; -@@ -84,7 +83,6 @@ import netscape.security.x509.RevokedCertImpl; - import netscape.security.x509.RevokedCertificate; - import netscape.security.x509.X509CRLImpl; - import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509ExtensionException; - - /** - * This class encapsulates CRL issuing mechanism. CertificateAuthority -@@ -2870,8 +2868,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { - if (mCRLCerts.size() == 0) { - CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); -- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", -- "No Revoked Certificates")); -+ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates")); -+ return; - } - } - -@@ -2954,35 +2952,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - - CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); - -+ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber)); -+ - } catch (EBaseException e) { - CMS.debug(e); - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e); - -- } catch (NoSuchAlgorithmException e) { -- CMS.debug(e); -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new 
ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- -- } catch (CRLException e) { -- CMS.debug(e); -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- -- } catch (X509ExtensionException e) { -- CMS.debug(e); -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -- -- } catch (OutOfMemoryError e) { -+ } catch (Throwable e) { - CMS.debug(e); - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); -- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); -+ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); -+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e); - } - - try { -diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java -new file mode 100644 -index 0000000..9dd47dd ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java -@@ -0,0 +1,86 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import java.math.BigInteger; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+ -+public class FullCRLGenerationEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION"; -+ -+ public FullCRLGenerationEvent() { -+ super(LOGGING_PROPERTY); -+ } -+ -+ public static FullCRLGenerationEvent createSuccessEvent( -+ String subjectID, -+ BigInteger crlNumber) { -+ -+ FullCRLGenerationEvent event = new FullCRLGenerationEvent(); -+ -+ event.setAttribute("CRLnum", crlNumber); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+ -+ public static FullCRLGenerationEvent createSuccessEvent( -+ String subjectID, -+ String info) { -+ -+ FullCRLGenerationEvent event = new FullCRLGenerationEvent(); -+ -+ event.setAttribute("Info", info); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+ -+ public static FullCRLGenerationEvent createFailureEvent( -+ String subjectID, -+ String reason) { -+ -+ FullCRLGenerationEvent event = new FullCRLGenerationEvent(); -+ -+ event.setAttribute("FailureReason", reason); -+ -+ event.setParameters(new Object[] { -+ subjectID, -+ ILogger.FAILURE, -+ event.getAttributeList() -+ }); -+ -+ return event; -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index c35d605..f5ae7bb 100644 ---- 
a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2134,6 +2134,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEven - # - LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing - # -+# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION -+# - used when full CRL generation is complete -+# Outcome is "success" when full CRL is generated successfully, "failure" otherwise -+# -+LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation -+# - # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL - # - used when CRLs are retrieved by the OCSP Responder - # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise --- -1.8.3.1 - - -From 33838ebaffcdf121c4167379f0c917b5b5b67d0e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 26 May 2017 00:46:53 +0200 -Subject: [PATCH 37/38] Added FULL_CRL_PUBLISHING audit event. - -A new FULL_CRL_PUBLISHING audit event has been added which will -be generated when full CRL publishing is complete. 
- -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082 ---- - base/ca/shared/conf/CS.cfg | 4 +- - base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 16 +++--- - .../logging/event/FullCRLPublishingEvent.java | 63 ++++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 6 +++ - 4 files changed, 79 insertions(+), 10 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 3daac8b..fc21295 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_
REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CR
L_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -index 9583f50..be6ffa8 100644 ---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java -@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; - import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; - import com.netscape.certsrv.logging.event.FullCRLGenerationEvent; -+import com.netscape.certsrv.logging.event.FullCRLPublishingEvent; - import com.netscape.certsrv.publish.ILdapRule; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.request.IRequest; -@@ -2975,16 +2976,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { - publishCRL(newX509CRL); - mSplits[9] += System.currentTimeMillis(); - -- } catch (EBaseException e) { -- CMS.debug(e); -- mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, -- 
CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -- } catch (OutOfMemoryError e) { -+ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber)); -+ -+ } catch (Throwable e) { - CMS.debug(e); - mUpdatingCRL = CRL_UPDATE_DONE; -- log(ILogger.LL_FAILURE, -- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); -+ String message = CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()); -+ log(ILogger.LL_FAILURE, message); -+ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage())); -+ throw new ECAException(message, e); - } - } - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java -new file mode 100644 -index 0000000..a3764c0 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java -@@ -0,0 +1,63 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import java.math.BigInteger; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+ -+public class FullCRLPublishingEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING"; -+ -+ public FullCRLPublishingEvent( -+ String subjectID, -+ BigInteger crlNumber) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("CRLnum", crlNumber); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ getAttributeList() -+ }); -+ } -+ -+ public FullCRLPublishingEvent( -+ String subjectID, -+ BigInteger crlNumber, -+ String reason) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("CRLnum", crlNumber); -+ setAttribute("FailureReason", reason); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.FAILURE, -+ getAttributeList() -+ }); -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index f5ae7bb..689d7bc 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2140,6 +2140,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEven - # - LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation - # -+# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING -+# - used when full CRL publishing is complete -+# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise -+# -+LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Full CRL publishing -+# - # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL - # - used when CRLs are retrieved by the OCSP Responder - # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise --- -1.8.3.1 - - -From 
c9a9fe6e31d860c089dd2b2ee584dd0d4a9b2174 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 May 2017 00:33:26 +0200 -Subject: [PATCH 38/38] Added SCHEDULE_CRL_GENERATION audit event. - -A new SCHEDULE_CRL_GENERATION audit event has been added which -will be generated when CRL generation is scheduled manually. - -https://pagure.io/dogtagpki/issue/2651 - -Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a ---- - base/ca/shared/conf/CS.cfg | 4 +- - .../logging/event/ScheduleCRLGenerationEvent.java | 56 ++++++++++++++++++++++ - .../com/netscape/cms/servlet/cert/UpdateCRL.java | 16 +++++-- - base/server/cmsbundle/src/LogMessages.properties | 6 +++ - 4 files changed, 77 insertions(+), 5 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index fc21295..d1bf7db 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PR
OCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST
_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALI
DATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java -new file mode 100644 -index 0000000..5b2a461 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java -@@ -0,0 +1,56 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2017 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.AuditEvent; -+import com.netscape.certsrv.logging.ILogger; -+ -+public class ScheduleCRLGenerationEvent extends AuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String LOGGING_PROPERTY = -+ "LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION"; -+ -+ public ScheduleCRLGenerationEvent( -+ String subjectID) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.SUCCESS, -+ getAttributeList() -+ }); -+ } -+ -+ public ScheduleCRLGenerationEvent( -+ String subjectID, -+ Exception e) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("FailureReason", e.getMessage()); -+ -+ setParameters(new Object[] { -+ subjectID, -+ ILogger.FAILURE, -+ getAttributeList() -+ }); -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -index b4d9d29..a9a2cd2 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java -@@ -45,6 +45,7 @@ import com.netscape.certsrv.common.ICMSRequest; - import com.netscape.certsrv.ldap.ELdapException; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import 
com.netscape.certsrv.logging.event.ScheduleCRLGenerationEvent; - import com.netscape.certsrv.publish.ILdapRule; - import com.netscape.certsrv.publish.IPublisherProcessor; - import com.netscape.certsrv.util.IStatsSubsystem; -@@ -375,9 +376,18 @@ public class UpdateCRL extends CMSServlet { - - } else { - -- CMS.debug("UpdateCRL: scheduling CRL update"); -- crlIssuingPoint.setManualUpdate(signatureAlgorithm); -- header.addStringValue("crlUpdate", "Scheduled"); -+ try { -+ CMS.debug("UpdateCRL: scheduling CRL update"); -+ -+ crlIssuingPoint.setManualUpdate(signatureAlgorithm); -+ header.addStringValue("crlUpdate", "Scheduled"); -+ -+ audit(new ScheduleCRLGenerationEvent(auditSubjectID())); -+ -+ } catch (Exception e) { -+ audit(new ScheduleCRLGenerationEvent(auditSubjectID(), e)); -+ throw e; -+ } - } - - return; -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 689d7bc..9490098 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification - # -+# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION -+# - used when CRL generation is scheduled -+# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise -+# -+LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} schedule for CRL generation -+# - # LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION - # - used when delta CRL generation is complete - # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise --- -1.8.3.1 - diff --git a/SOURCES/pki-core-snapshot-3.patch b/SOURCES/pki-core-snapshot-3.patch deleted file mode 100644 index ac2099b..0000000 
--- a/SOURCES/pki-core-snapshot-3.patch
+++ /dev/null
@@ -1,2377 +0,0 @@ -From 14e44691ef0b61220d390afb745496b7d62945ee Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 30 May 2017 21:15:44 +0200 -Subject: [PATCH 04/27] Added pkispawn options for two-step installation. - -New --skip-configuration and --skip-installation options have -been added to pkispawn to provide a mechanism to set the -pki_skip_configuration and pki_skip_installation parameters -without changing the deployment configuration file. - -https://pagure.io/dogtagpki/issue/2707 - -Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de ---- - base/server/sbin/pkispawn | 40 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 34 insertions(+), 6 deletions(-) - -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 9e2ebc8..742f579 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -91,6 +91,18 @@ def main(argv): - dest='precheck', action='store_true', - help='Execute pre-checks and exit') - -+ parser.optional.add_argument( -+ '--skip-configuration', -+ dest='skip_configuration', -+ action='store_true', -+ help='skip configuration step') -+ -+ parser.optional.add_argument( -+ '--skip-installation', -+ dest='skip_installation', -+ action='store_true', -+ help='skip installation step') -+ - args = parser.process_command_line_arguments() - - config.default_deployment_cfg = \ -@@ -475,6 +487,24 @@ def main(argv): - sys.exit(1) - - start_logging() -+ -+ # Read the specified PKI configuration file. 
-+ rv = parser.read_pki_configuration_file() -+ if rv != 0: -+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, -+ extra=config.PKI_INDENTATION_LEVEL_0) -+ sys.exit(1) -+ -+ # --skip-configuration -+ if args.skip_configuration: -+ parser.set_property(deployer.subsystem_name, -+ 'pki_skip_configuration', 'True') -+ -+ # --skip-installation -+ if args.skip_installation: -+ parser.set_property(deployer.subsystem_name, -+ 'pki_skip_installation', 'True') -+ - create_master_dictionary(parser) - - if not interactive and \ -@@ -635,23 +665,21 @@ def start_logging(): - - - def create_master_dictionary(parser): -- # Read the specified PKI configuration file. -- rv = parser.read_pki_configuration_file() -- if rv != 0: -- config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, -- extra=config.PKI_INDENTATION_LEVEL_0) -- sys.exit(1) - - # Read in the PKI slots configuration file. - parser.compose_pki_slots_dictionary() -+ - config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.log_format(parser.slots_dict), - extra=config.PKI_INDENTATION_LEVEL_0) -+ - # Combine the various sectional dictionaries into a PKI master dictionary - parser.compose_pki_master_dictionary() -+ - parser.mdict['pki_spawn_log'] = \ - config.pki_log_dir + "/" + config.pki_log_name -+ - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.log_format(parser.mdict), --- -1.8.3.1 - - -From 9af1746463bec2e62c990279d857635f693cfac7 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 30 May 2017 21:07:59 +0200 -Subject: [PATCH 05/27] Fixed two-step subordinate CA installation. - -The initialization scriptlet has been fixed to verify the subsystem -existence properly when running the second step of the two-step -subordinate CA installation. 
- -https://pagure.io/dogtagpki/issue/2707 - -Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8 ---- - .../pki/server/deployment/scriptlets/initialization.py | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py -index 4dc4e9a..1ae77e4 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/initialization.py -+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py -@@ -54,13 +54,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - else: - config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) -+ -+ # Verify that the subsystem already exists for the following cases: -+ # - External CA (Step 2) -+ # - Stand-alone PKI (Step 2) -+ # - Two-step installation (Step 2) -+ - if (deployer.mdict['pki_subsystem'] == "CA" or - config.str2bool(deployer.mdict['pki_standalone'])) and \ -- config.str2bool(deployer.mdict['pki_external_step_two']): -- # verify that this External CA (Step 2), or Stand-alone PKI -- # (Step 2) currently EXISTS for this "instance" -+ config.str2bool(deployer.mdict['pki_external_step_two']) or \ -+ config.str2bool(deployer.mdict['pki_skip_installation']): - deployer.instance.verify_subsystem_exists() - deployer.mdict['pki_skip_installation'] = "True" -+ - else: - # verify that this type of "subsystem" does NOT yet - # exist for this "instance" --- -1.8.3.1 - - -From 0984d8a114b326a75b2c32cd9da2b7dee23920bb Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 26 May 2017 22:57:07 -0400 -Subject: [PATCH 07/27] Convert CMC code to use AES - -* Switched out CrytoUtil calls that use DES and replaced them - with AES equivalents. Removed these now unneeded methods. -* Added 16 byte constant IV for AES operations. This must be - replaced by a randomly generated IV. Added TODOs where IVs - should be replaced. 
-* Corrected misspellings of "enreypted" in both request fields - and variable names -* Removed some code from null checks where the result could - never be null. These cases were flagged in eclipse as dead - code. - -Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb ---- - .../src/com/netscape/cmstools/CMCRequest.java | 18 +++- - .../netscape/cms/profile/common/EnrollProfile.java | 111 ++++++++++++++------- - .../cms/servlet/common/CMCOutputTemplate.java | 40 ++++---- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 84 ++-------------- - 4 files changed, 113 insertions(+), 140 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index 9c41403..8d49b20 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -52,6 +52,9 @@ import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.asn1.UTF8String; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.DigestAlgorithm; -+import org.mozilla.jss.crypto.EncryptionAlgorithm; -+import org.mozilla.jss.crypto.IVParameterSpec; -+import org.mozilla.jss.crypto.KeyWrapAlgorithm; - import org.mozilla.jss.crypto.ObjectNotFoundException; - import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.crypto.Signature; -@@ -1718,19 +1721,30 @@ public class CMCRequest { - CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); - SymmetricKey symKey = CryptoUtil.unwrap( - token, -+ SymmetricKey.AES, -+ 128, - SymmetricKey.Usage.DECRYPT, - privKey, -- recipient.getEncryptedKey().toByteArray()); -+ recipient.getEncryptedKey().toByteArray(), -+ KeyWrapAlgorithm.RSA); -+ - if (symKey == null) { - System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). 
Abort!"); - System.exit(1); - } - System.out.println(method + "symKey unwrapped."); - -+ // TODO(alee) The code below should be replaced by code that generates a random IV -+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -+ IVParameterSpec default_iv = new IVParameterSpec(iv); -+ - byte challenge[] = CryptoUtil.decryptUsingSymmetricKey( - token, -+ default_iv, - encCI.getEncryptedContent().toByteArray(), -- symKey); -+ symKey, -+ EncryptionAlgorithm.AES_128_CBC); -+ - if (challenge == null) { - System.out - .println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!"); -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 1443a0a..12fb736 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.asn1.UTF8String; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.DigestAlgorithm; -+import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.HMACAlgorithm; -+import org.mozilla.jss.crypto.IVParameterSpec; -+import org.mozilla.jss.crypto.KeyGenAlgorithm; -+import org.mozilla.jss.crypto.KeyWrapAlgorithm; - import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.crypto.SymmetricKey; - import org.mozilla.jss.pkcs10.CertificationRequest; -@@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile - String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); - token = CryptoUtil.getCryptoToken(tokenName); - -+ // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length -+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 
0x1, 0x1, 0x1 }; -+ IVParameterSpec ivps = new IVParameterSpec(iv); -+ - PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data)); - if (userPubKey == null) { - msg = method + "userPubKey null after X509Key.parsePublicKey"; -@@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile - throw new EBaseException(msg); - } - -- SymmetricKey symKey = CryptoUtil.generateKey(token); -- byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey( -- token, symKey, challenge); -- if (pop_encreyptedData == null) { -- msg = method + "pop_encreyptedData null"; -+ SymmetricKey symKey = CryptoUtil.generateKey( -+ token, -+ KeyGenAlgorithm.AES, -+ 128, -+ null, -+ true); -+ -+ byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey( -+ token, -+ symKey, -+ challenge, -+ EncryptionAlgorithm.AES_128_CBC, -+ ivps); -+ -+ if (pop_encryptedData == null) { -+ msg = method + "pop_encryptedData null"; - CMS.debug(msg); - throw new EBaseException(msg); - } - -- byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( -- token, issuanceProtPubKey, symKey); -- if (pop_sysPubEncreyptedSession == null) { -- msg = method + "pop_sysPubEncreyptedSession null"; -+ byte[] pop_sysPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( -+ token, -+ issuanceProtPubKey, -+ symKey, -+ KeyWrapAlgorithm.RSA); -+ -+ if (pop_sysPubEncryptedSession == null) { -+ msg = method + "pop_sysPubEncryptedSession null"; - CMS.debug(msg); - throw new EBaseException(msg); - } - -- byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( -- token, userPubKey, symKey); -- if (pop_userPubEncreyptedSession == null) { -- msg = method + "pop_userPubEncreyptedSession null"; -+ -+ byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( -+ token, -+ userPubKey, -+ symKey, -+ KeyWrapAlgorithm.RSA); -+ -+ if (pop_userPubEncryptedSession == null) { -+ msg = method + "pop_userPubEncryptedSession null"; - CMS.debug(msg); - throw new EBaseException(msg); 
- } - CMS.debug(method + "POP challenge fields generated successfully...setting request extData"); - -- req.setExtData("pop_encreyptedData", pop_encreyptedData); -+ req.setExtData("pop_encryptedData", pop_encryptedData); - -- req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession); -+ req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession); - -- req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession); -+ req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession); - - // now compute and set witness - CMS.debug(method + "now compute and set witness"); -@@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile - } - - // now verify the POP witness -- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); -- if (pop_encreyptedData == null) { -+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); -+ if (pop_encryptedData == null) { - msg = method + -- "pop_encreyptedData not found in request:" + -+ "pop_encryptedData not found in request:" + - reqId.toString(); - CMS.debug(msg); - return null; - } - -- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); -- if (pop_sysPubEncreyptedSession == null) { -+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); -+ if (pop_sysPubEncryptedSession == null) { - msg = method + -- "pop_sysPubEncreyptedSession not found in request:" + -+ "pop_sysPubEncryptedSession not found in request:" + - reqId.toString(); - CMS.debug(msg); - return null; -@@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile - - SymmetricKey symKey = CryptoUtil.unwrap( - token, -+ SymmetricKey.AES, -+ 128, - SymmetricKey.Usage.DECRYPT, - issuanceProtPrivKey, -- pop_sysPubEncreyptedSession); -+ pop_sysPubEncryptedSession, -+ KeyWrapAlgorithm.RSA); -+ - if (symKey == null) { - msg = "symKey null after CryptoUtil.unwrap 
returned"; - CMS.debug(msg); - return null; - } - -+ // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request -+ // This IV is supposed to be random -+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -+ IVParameterSpec default_iv = new IVParameterSpec(iv); -+ - byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey( -- token, pop_encreyptedData, symKey); -+ token, -+ default_iv, -+ pop_encryptedData, -+ symKey, -+ EncryptionAlgorithm.AES_128_CBC); -+ - if (challenge_b == null) { - msg = method + "challenge_b null after decryptUsingSymmetricKey returned"; - CMS.debug(msg); -@@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile - witness_bytes, - hashAlg, macAlg); - -- String authMgrID = -- (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID); - String auditSubjectID = null; - - if (verified) { -- // update auditSubjectID -- if (sessionContext != null) { -- auditSubjectID = (String) -- sessionContext.get(SessionContext.USER_ID); -- CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); -- CMS.debug(method + "identity verified. Updating auditSubjectID"); -- CMS.debug(method + "updated auditSubjectID is:"+ ident_string); -- auditSubjectID = ident_string; -- sessionContext.put(SessionContext.USER_ID, auditSubjectID); -- } else { //very unlikely -- CMS.debug(method + "sessionContext null; cannot update auditSubjectID"); -- } -+ auditSubjectID = (String) -+ sessionContext.get(SessionContext.USER_ID); -+ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); -+ CMS.debug(method + "identity verified. 
Updating auditSubjectID"); -+ CMS.debug(method + "updated auditSubjectID is:"+ ident_string); -+ auditSubjectID = ident_string; -+ sessionContext.put(SessionContext.USER_ID, auditSubjectID); - - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_PROOF_OF_IDENTIFICATION, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index c130a1e..8e47298 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE; - import org.mozilla.jss.asn1.SET; - import org.mozilla.jss.asn1.UTF8String; - import org.mozilla.jss.crypto.DigestAlgorithm; -+import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.SignatureAlgorithm; - import org.mozilla.jss.pkcs11.PK11PubKey; - import org.mozilla.jss.pkix.cert.Certificate; -@@ -433,10 +434,7 @@ public class CMCOutputTemplate { - - ResponseBody respBody = new ResponseBody(controlSeq, - cmsSeq, otherMsgSeq); -- if (respBody != null) -- CMS.debug(method + " after new ResponseBody, respBody not null"); -- else -- CMS.debug(method + " after new ResponseBody, respBody null"); -+ CMS.debug(method + " after new ResponseBody, respBody not null"); - - ContentInfo contentInfo = getContentInfo(respBody, certs); - ByteArrayOutputStream fos = new ByteArrayOutputStream(); -@@ -489,30 +487,25 @@ public class CMCOutputTemplate { - CMS.debug(method + "popChallengeRequired true"); - - byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST); -- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); -+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); - //don't need this for encryptedPOP, but need to check for existence anyway -- byte[] pop_sysPubEncreyptedSession = 
req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); -- byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession"); -- if ((pop_encreyptedData != null) && -- (pop_sysPubEncreyptedSession != null) && -- (pop_userPubEncreyptedSession != null)) { -+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); -+ byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession"); -+ if ((pop_encryptedData != null) && -+ (pop_sysPubEncryptedSession != null) && -+ (pop_userPubEncryptedSession != null)) { - // generate encryptedPOP here - // algs are hard-coded for now - - try { - EnvelopedData envData = CryptoUtil.createEnvelopedData( -- pop_encreyptedData, -- pop_userPubEncreyptedSession); -+ pop_encryptedData, -+ pop_userPubEncryptedSession); - if (envData == null) { - msg = "envData null returned by createEnvelopedData"; - throw new EBaseException(method + msg); - } - ContentInfo ci = new ContentInfo(envData); -- if (ci == null) { -- msg = "ci null from new ContentInfo"; -- CMS.debug(msg); -- throw new EBaseException(method + msg); -- } - CMS.debug(method + "now we can compose encryptedPOP"); - - TaggedRequest.Template tReqTemplate = new TaggedRequest.Template(); -@@ -524,17 +517,18 @@ public class CMCOutputTemplate { - throw new EBaseException(method + msg); - } - -+ // TODO(alee) The code below should be replaced by code that generates a random IV -+ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -+ -+ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID(); -+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); -+ - encPop = new EncryptedPOP( - tReq, - ci, -- CryptoUtil.getDefaultEncAlg(), -+ aid, - CryptoUtil.getDefaultHashAlg(), - new OCTET_STRING(req.getExtDataInByteArray("pop_witness"))); -- if (encPop == null) { -- msg = "encPop null returned by new EncryptedPOP"; 
-- CMS.debug(msg); -- throw new EBaseException(method + msg); -- } - - } catch (Exception e) { - CMS.debug(method + " excepton:" + e); -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 8b8c443..95b8f81 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -2572,15 +2572,15 @@ public class CryptoUtil { - throw new Exception(method + msg); - } - -+ // TODO(alee) Replace the below with a random IV that is likely passed in -+ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -+ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID(); -+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); -+ - EncryptedContentInfo encCInfo = new EncryptedContentInfo( - ContentInfo.DATA, -- getDefaultEncAlg(), -+ aid, - new OCTET_STRING(encContent)); -- if (encCInfo == null) { -- msg = method + "encCInfo null from new EncryptedContentInfo"; -- System.out.println(msg); -- throw new Exception(method + msg); -- } - - Name name = new Name(); - name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP -@@ -2589,11 +2589,6 @@ public class CryptoUtil { - new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed - new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()), - new OCTET_STRING(encSymKey)); -- if (recipient == null) { -- msg = method + "recipient null from new RecipientInfo"; -- System.out.println(msg); -- throw new Exception(method + msg); -- } - - SET recipients = new SET(); - recipients.addElement(recipient); -@@ -2615,77 +2610,14 @@ public class CryptoUtil { - * the defaults - */ - -- private static byte default_iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; -- private static IVParameterSpec default_IV = new IVParameterSpec(default_iv); -- -- // this generates a temporary 128 bit AES symkey with 
defaults -- public static SymmetricKey generateKey(CryptoToken token) throws Exception { -- return generateKey(token, --//TODO: KeyGenAlgorithm.AES, 128, -- KeyGenAlgorithm.DES3, 128 /*unused*/, -- null, true); -- } -- -- // decryptUsingSymmetricKey with default algorithms -- public static byte[] decryptUsingSymmetricKey(CryptoToken token, byte[] encryptedData, SymmetricKey wrappingKey) throws Exception { -- return decryptUsingSymmetricKey(token, default_IV, encryptedData, -- wrappingKey, -- EncryptionAlgorithm.DES3_CBC_PAD); --//TODO: EncryptionAlgorithm.AES_128_CBC); -- } -- -- // encryptUsingSymmetricKey with default algorithms -- public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data) throws Exception { -- return encryptUsingSymmetricKey( -- token, -- wrappingKey, -- data, -- EncryptionAlgorithm.DES3_CBC_PAD, --//TODO: EncryptionAlgorithm.AES_128_CBC, -- default_IV); -- } -- -- // wrapUsingPublicKey using default algorithm -- public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data) throws Exception { -- return wrapUsingPublicKey(token, wrappingKey, data, KeyWrapAlgorithm.RSA); -- } -- -- // unwrap sym key using default algorithms -- public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Usage usage, PrivateKey wrappingKey, byte[] wrappedSymKey) throws Exception { -- return unwrap( -- token, --//TODO: SymmetricKey.AES, -- SymmetricKey.DES3, -- 0, -- usage, -- wrappingKey, -- wrappedSymKey, -- getDefaultKeyWrapAlg()); -- } -- -- public static AlgorithmIdentifier getDefaultEncAlg() -- throws Exception { -- OBJECT_IDENTIFIER oid = -- EncryptionAlgorithm.DES3_CBC.toOID(); --//TODO: EncryptionAlgorithm.AES_128_CBC.toOID(); -- -- AlgorithmIdentifier aid = -- new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); -- return aid; -- } -- - public static String getDefaultHashAlgName() { - return ("SHA-256"); - } - -- public static KeyWrapAlgorithm 
getDefaultKeyWrapAlg() { -- return KeyWrapAlgorithm.RSA; -- } -- - public static AlgorithmIdentifier getDefaultHashAlg() - throws Exception { - AlgorithmIdentifier hashAlg; -- hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID("SHA-256")); -+ hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID(getDefaultHashAlgName())); - return hashAlg; - } - -@@ -2768,8 +2700,6 @@ public class CryptoUtil { - */ - public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai) - throws NoSuchAlgorithmException { -- OBJECT_IDENTIFIER oid = null; -- - System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString()); - if (ai != null) { - if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) { --- -1.8.3.1 - - -From 772e05e746570c13afeb60516c07a3fb95ca3e78 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Jun 2017 23:38:04 +0200 -Subject: [PATCH 10/27] Removed superfluous deployment configuration backup. - -The pkispawn has been modified to generate a temporary backup -file (instead of permanent and timestamped backup files) of the -deployment configuration file before normalizing its content. -The temporary backup will be removed automatically when the -normalization is complete. 
- -https://pagure.io/dogtagpki/issue/2674 - -Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047 ---- - base/server/sbin/pkispawn | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 742f579..1aa7079 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -34,8 +34,6 @@ try: - import ldap - import os - import requests -- import time -- from time import strftime as date - import traceback - import pki - from pki.server.deployment import pkiconfig as config -@@ -610,12 +608,9 @@ def main(argv): - - - def sanitize_user_deployment_cfg(cfg): -- # Generate a timestamp -- ticks = time.time() -- timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) - - # Correct any section headings in the user's configuration file -- for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp): -+ for line in fileinput.FileInput(cfg, inplace=1): - # Remove extraneous leading and trailing whitespace from all lines - line = line.strip() - # Normalize section headings to match '/etc/pki/default.cfg' --- -1.8.3.1 - - -From f7b6305396581f5916498cc4ea8247596bf39aaf Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 2 Jun 2017 02:10:02 +0200 -Subject: [PATCH 11/27] Fixed pylint issues - -- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues ---- - base/common/python/pki/cli/pkcs12.py | 4 ++-- - base/common/python/pki/encoder.py | 12 ++++++------ - base/server/python/pki/server/cli/audit.py | 8 ++++---- - base/server/python/pki/server/cli/ca.py | 16 ++++++++-------- - base/server/python/pki/server/cli/db.py | 8 ++++---- - base/server/python/pki/server/cli/kra.py | 20 ++++++++++---------- - base/server/python/pki/server/cli/ocsp.py | 4 ++-- - base/server/python/pki/server/cli/subsystem.py | 4 ++-- - base/server/python/pki/server/cli/tks.py | 4 ++-- - base/server/python/pki/server/cli/tps.py | 20 ++++++++++---------- - 
base/server/python/pki/server/upgrade.py | 3 --- - 11 files changed, 50 insertions(+), 53 deletions(-) - -diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py -index 8934d33..6b99fcf 100644 ---- a/base/common/python/pki/cli/pkcs12.py -+++ b/base/common/python/pki/cli/pkcs12.py -@@ -62,10 +62,10 @@ class PKCS12ImportCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'v', [ - 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite', - 'verbose', 'debug', 'help']) -diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py -index 8485ab8..d3298bc 100644 ---- a/base/common/python/pki/encoder.py -+++ b/base/common/python/pki/encoder.py -@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder): - """ - # pylint: disable=E0202 - -- def default(self, obj): -+ def default(self, o): - for k, v in iteritems(TYPES): -- if isinstance(obj, v): -- return {k: obj.__dict__} -+ if isinstance(o, v): -+ return {k: o.__dict__} - for t in itervalues(NOTYPES): -- if isinstance(obj, t): -- return self.attr_name_conversion(obj.__dict__, type(obj)) -- return json.JSONEncoder.default(self, obj) -+ if isinstance(o, t): -+ return self.attr_name_conversion(o.__dict__, type(o)) -+ return json.JSONEncoder.default(self, o) - - @staticmethod - def attr_name_conversion(attr_dict, object_class): -diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py -index 0833ca8..a19ca8c 100644 ---- a/base/server/python/pki/server/cli/audit.py -+++ b/base/server/python/pki/server/cli/audit.py -@@ -56,10 +56,10 @@ class AuditFileFindCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = 
getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', - 'verbose', 'help']) - -@@ -129,10 +129,10 @@ class AuditFileVerifyCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', - 'verbose', 'help']) - -diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py -index 550e511..48c7dba 100644 ---- a/base/server/python/pki/server/cli/ca.py -+++ b/base/server/python/pki/server/cli/ca.py -@@ -78,10 +78,10 @@ class CACertChainExportCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'verbose', 'help']) - -@@ -190,10 +190,10 @@ class CACertRequestFindCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'cert=', 'cert-file=', - 'verbose', 'help']) - -@@ -268,10 +268,10 @@ class CACertRequestShowCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, args = getopt.gnu_getopt(args, 'i:v', [ -+ opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'output-file=', - 'verbose', 'help']) - -@@ -356,10 +356,10 @@ class CAClonePrepareCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 
'pkcs12-password-file=', - 'verbose', 'help']) - -diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py -index 17b1a2f..3df911c 100644 ---- a/base/server/python/pki/server/cli/db.py -+++ b/base/server/python/pki/server/cli/db.py -@@ -58,10 +58,10 @@ class DBSchemaUpgrade(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=', -+ argv, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=', - 'verbose', 'help']) - - except getopt.GetoptError as e: -@@ -150,10 +150,10 @@ class DBUpgrade(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, 'i:v', ['instance=', 'verbose', 'help']) -+ argv, 'i:v', ['instance=', 'verbose', 'help']) - - except getopt.GetoptError as e: - print('ERROR: ' + str(e)) -diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py -index 3724014..6c1ade9 100644 ---- a/base/server/python/pki/server/cli/kra.py -+++ b/base/server/python/pki/server/cli/kra.py -@@ -81,10 +81,10 @@ class KRAClonePrepareCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'verbose', 'help']) - -@@ -203,10 +203,10 @@ class KRADBVLVFindCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -315,10 +315,10 @@ class KRADBVLVAddCLI(pki.cli.CLI): - 
print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -421,10 +421,10 @@ class KRADBVLVDeleteCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -543,10 +543,10 @@ class KRADBVLVReindexCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py -index 3e9b6aa..b3e4e45 100644 ---- a/base/server/python/pki/server/cli/ocsp.py -+++ b/base/server/python/pki/server/cli/ocsp.py -@@ -67,10 +67,10 @@ class OCSPClonePrepareCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'verbose', 'help']) - -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index 8395bd2..10af8ca 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -66,10 +66,10 @@ class SubsystemFindCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = 
getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', - 'verbose', 'help']) - -diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py -index 0e6a998..0bfaca1 100644 ---- a/base/server/python/pki/server/cli/tks.py -+++ b/base/server/python/pki/server/cli/tks.py -@@ -67,10 +67,10 @@ class TKSClonePrepareCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'verbose', 'help']) - -diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py -index 03df8de..a34bbd9 100644 ---- a/base/server/python/pki/server/cli/tps.py -+++ b/base/server/python/pki/server/cli/tps.py -@@ -76,10 +76,10 @@ class TPSClonePrepareCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - - try: -- opts, _ = getopt.gnu_getopt(args, 'i:v', [ -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'verbose', 'help']) - -@@ -195,10 +195,10 @@ class TPSDBVLVFindCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -306,10 +306,10 @@ class TPSDBVLVAddCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -419,10 +419,10 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI): - print(' --help Show help message.') 
- print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -@@ -554,10 +554,10 @@ class TPSDBVLVReindexCLI(pki.cli.CLI): - print(' --help Show help message.') - print() - -- def execute(self, args): -+ def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt( -- args, -+ argv, - 'i:D:w:x:g:v', - ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=', - 'verbose', 'help'] -diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py -index 2c72e48..926c683 100644 ---- a/base/server/python/pki/server/upgrade.py -+++ b/base/server/python/pki/server/upgrade.py -@@ -38,9 +38,6 @@ SUBSYSTEM_TRACKER = '%s/CS.cfg' - - class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - -- def __init__(self): -- super(PKIServerUpgradeScriptlet, self).__init__() -- - def get_backup_dir(self): - return BACKUP_DIR + '/' + str(self.version) + '/' + str(self.index) - --- -1.8.3.1 - - -From b3d851b864dc986a9af8ffcb1962f8e7b4de3114 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Jun 2017 04:54:05 +0200 -Subject: [PATCH 12/27] Added upgrade script for keepAliveTimeout. - -An upgrade script has been added to set the keepAliveTimeout -attribute for the Secure connector in the server.xml. 
- -https://pagure.io/dogtagpki/issue/2687 - -Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d ---- - base/common/upgrade/10.4.1/.gitignore | 4 ++ - base/common/upgrade/10.4.2/.gitignore | 4 ++ - base/common/upgrade/10.4.3/.gitignore | 4 ++ - base/common/upgrade/10.4.4/.gitignore | 4 ++ - base/common/upgrade/10.4.5/.gitignore | 4 ++ - base/common/upgrade/10.4.6/.gitignore | 4 ++ - base/server/upgrade/10.4.3/.gitignore | 4 ++ - base/server/upgrade/10.4.4/.gitignore | 4 ++ - base/server/upgrade/10.4.5/.gitignore | 4 ++ - .../upgrade/10.4.6/01-UpdateKeepAliveTimeout | 59 ++++++++++++++++++++++ - 10 files changed, 95 insertions(+) - create mode 100644 base/common/upgrade/10.4.1/.gitignore - create mode 100644 base/common/upgrade/10.4.2/.gitignore - create mode 100644 base/common/upgrade/10.4.3/.gitignore - create mode 100644 base/common/upgrade/10.4.4/.gitignore - create mode 100644 base/common/upgrade/10.4.5/.gitignore - create mode 100644 base/common/upgrade/10.4.6/.gitignore - create mode 100644 base/server/upgrade/10.4.3/.gitignore - create mode 100644 base/server/upgrade/10.4.4/.gitignore - create mode 100644 base/server/upgrade/10.4.5/.gitignore - create mode 100755 base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout - -diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/common/upgrade/10.4.1/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/common/upgrade/10.4.2/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ 
b/base/common/upgrade/10.4.3/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/common/upgrade/10.4.4/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/common/upgrade/10.4.5/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/common/upgrade/10.4.6/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.4.3/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.4.4/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.4.5/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout 
b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout -new file mode 100755 -index 0000000..31c4d1b ---- /dev/null -+++ b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout -@@ -0,0 +1,59 @@ -+#!/usr/bin/python -+# Authors: -+# Endi S. Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# All rights reserved. -+# -+ -+from __future__ import absolute_import -+import os -+from lxml import etree -+ -+import pki -+ -+ -+class UpdateKeepAliveTimeout( -+ pki.server.upgrade.PKIServerUpgradeScriptlet): -+ -+ def __init__(self): -+ super(UpdateKeepAliveTimeout, self).__init__() -+ self.message = 'Update keepAliveTimeout parameter' -+ -+ self.parser = etree.XMLParser(remove_blank_text=True) -+ -+ def upgrade_instance(self, instance): -+ -+ server_xml = os.path.join(instance.conf_dir, 'server.xml') -+ self.backup(server_xml) -+ -+ document = etree.parse(server_xml, self.parser) -+ -+ server = document.getroot() -+ connectors = server.findall('.//Connector') -+ -+ for connector in connectors: -+ -+ # find the Secure connector -+ name = connector.get('name') -+ if name != 'Secure': -+ continue -+ -+ # set the keepAliveTimeout parameter to 5 minutes -+ connector.set('keepAliveTimeout', '300000') -+ -+ with open(server_xml, 'wb') as f: -+ document.write(f, pretty_print=True, encoding='utf-8') --- -1.8.3.1 - - 
-From 03235ab51d102ba722e71adf00d2f721c77cd222 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Jun 2017 21:02:41 +0200 -Subject: [PATCH 15/27] Fixed random password generator. - -The equal sign is no longer used to generate random password -since it's already used as token name and password delimiter in -password.conf. - -https://pagure.io/dogtagpki/issue/2556 - -Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84 ---- - base/common/python/pki/__init__.py | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py -index 1fc5385..0478b32 100644 ---- a/base/common/python/pki/__init__.py -+++ b/base/common/python/pki/__init__.py -@@ -45,6 +45,11 @@ PACKAGE_VERSION = SHARE_DIR + '/VERSION' - CERT_HEADER = "-----BEGIN CERTIFICATE-----" - CERT_FOOTER = "-----END CERTIFICATE-----" - -+# Valid punctuation characters for random password. -+# This is identical to string.punctuation minus the equal -+# sign since it's used as delimiter in password.conf. 
-+PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~' -+ - - def read_text(message, - options=None, default=None, delimiter=':', -@@ -139,7 +144,7 @@ def generate_password(): - * digits (string.digits) - * ASCII lowercase letters (string.ascii_lowercase) - * ASCII uppercase letters (string.ascii_uppercase) -- * ASCII non-alphanumeric characters (string.punctuation) -+ * ASCII non-alphanumeric characters (PUNCTUATIONS) - * non-ASCII characters - - If an ASCII uppercase letter is the first character of the password, -@@ -159,7 +164,7 @@ def generate_password(): - valid_chars = string.digits +\ - string.ascii_lowercase +\ - string.ascii_uppercase +\ -- string.punctuation -+ PUNCTUATIONS - - chars = [] - -@@ -168,7 +173,7 @@ def generate_password(): - chars.append(rnd.choice(string.digits)) - chars.append(rnd.choice(string.ascii_lowercase)) - chars.append(rnd.choice(string.ascii_uppercase)) -- chars.append(rnd.choice(string.punctuation)) -+ chars.append(rnd.choice(PUNCTUATIONS)) - - # add 6 additional random chars - chars.extend(rnd.choice(valid_chars) for i in range(6)) --- -1.8.3.1 - - -From 08bf26f786b8d233382c6fedfad5d33d8c11d78f Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 1 Jun 2017 17:46:27 -0400 -Subject: [PATCH 16/27] Fix NPE in audit log invocation - -Some audit log objects take a RequestId or KeyId, on which we call -toString(). In some cases, we were creating a KeyId or RequestId -with null values, resulting in an NPE. We fix these in this patch. 
- -Bugzilla BZ# 1458043 - -Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db ---- - base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java | 3 ++- - base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 4 ++-- - 3 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index ed20394..5e3b8a9 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -1128,7 +1128,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - r = queue.findRequest(new RequestId(reqID)); - - auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); -- keyID = new KeyId(r.getExtDataInBigInteger("serialNumber")); -+ BigInteger serialNumber = r.getExtDataInBigInteger("serialNumber"); -+ keyID = serialNumber != null? new KeyId(serialNumber) : null; - - // set transient parameters - params = createVolatileRequest(r.getRequestId()); -diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -index c0b5cdd..891b083 100644 ---- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java -@@ -283,7 +283,7 @@ public class TokenKeyRecoveryService implements IService { - // retrieve based on Certificate - String cert_s = request.getExtDataInString(ATTR_USER_CERT); - String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID); -- KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID)); -+ KeyId keyId = keyid_s != null ? 
new KeyId(keyid_s): null; - /* have to have at least one */ - if ((cert_s == null) && (keyid_s == null)) { - CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); -@@ -593,7 +593,7 @@ public class TokenKeyRecoveryService implements IService { - return true; - - } catch (Exception e) { -- CMS.debug("TokenKeyRecoveryService: " + e.toString()); -+ CMS.debug(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - } - --- -1.8.3.1 - - -From 29dbed75f1c214a065cd3bcc438d0584fd980d4f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 2 Jun 2017 18:46:01 +0200 -Subject: [PATCH 17/27] Excluded backslash from random password. - -The backslash is no longer used for generating random password -since it's causing SSL hanshake failure. - -https://pagure.io/dogtagpki/issue/2676 - -Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411 ---- - base/common/python/pki/__init__.py | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py -index 0478b32..1a6f5c2 100644 ---- a/base/common/python/pki/__init__.py -+++ b/base/common/python/pki/__init__.py -@@ -46,9 +46,10 @@ CERT_HEADER = "-----BEGIN CERTIFICATE-----" - CERT_FOOTER = "-----END CERTIFICATE-----" - - # Valid punctuation characters for random password. --# This is identical to string.punctuation minus the equal --# sign since it's used as delimiter in password.conf. --PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~' -+# This is based on string.punctuation except: -+# - equal sign since it's used as delimiter in password.conf -+# - backslash since it's causing SSL handshake failure -+PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~' - - - def read_text(message, --- -1.8.3.1 - - -From a614eb15476adb00df571d3ea05fdd8ea282141d Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Fri, 2 Jun 2017 15:40:52 -0700 -Subject: [PATCH 18/27] Resolve #1663 Add SCP03 support . 
- -This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03. ---- - base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java | 7 ++++--- - base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 4 ++++ - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -index 5e5646b..3b80f27 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java -@@ -421,10 +421,11 @@ public class SecureChannel { - throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); - } - -- CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() ); -+ if(cardCryptogram != null) -+ CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString()); - -- CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString()); -- CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString()); -+ if(calculatedCardCryptogram != null) -+ CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString()); - - ExternalAuthenticateAPDUGP211 externalAuth = new ExternalAuthenticateAPDUGP211(hostCryptogram, - /* secLevel */secLevelGP211); -diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -index 0f96915..e1a5748 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java -@@ -957,6 +957,10 @@ public class TPSProcessor { - kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, - kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES); 
- -+ CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03); -+ CMS.debug(" macSessionKeySCP03 " + macSessionKeySCP03); -+ CMS.debug(" kekSessionKeySCP03 " + kekSessionKeySCP03); -+ - channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03, - drmDesKeyBuff, kekDesKeyBuff, - keyCheckBuff, keyDiversificationData, cardChallenge, --- -1.8.3.1 - - -From af41896f083e1101b1ba62f6cc8c9be6064c6786 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 3 Jun 2017 02:07:04 +0200 -Subject: [PATCH 19/27] Refactored MainCLI.loadPassword() (part 1). - -The method that loads password from a file in MainCLI has been -renamed into loadPassword() and modified to return early for -clarity. - -https://pagure.io/dogtagpki/issue/2717 - -Change-Id: I9b031c31040c2d00f04d9997abcdae38163bf6d5 ---- - .../src/com/netscape/cmstools/cli/MainCLI.java | 24 ++++++++++++---------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 1b9c569..2402196 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -229,7 +229,7 @@ public class MainCLI extends CLI { - options.addOption(null, "version", false, "Show version number."); - } - -- public String[] readPlaintextPasswordFromFile(String pwfile) throws Exception { -+ public String[] loadPassword(String pwfile) throws Exception { - String[] tokenPassword = { null, null }; - BufferedReader br = null; - String delimiter = "="; -@@ -238,11 +238,16 @@ public class MainCLI extends CLI { - br = new BufferedReader(new FileReader(pwfile)); - - String line = br.readLine(); -- if (line != null) { -- if (line.isEmpty()) { -- throw new Exception("File '" + pwfile + "' does not define a token or a password!"); - -- } else if (line.contains(delimiter)) { -+ if (line == null) { -+ throw new 
Exception("File '" + pwfile + "' is empty!"); -+ } -+ -+ if (line.isEmpty()) { -+ throw new Exception("File '" + pwfile + "' does not define a token or a password!"); -+ } -+ -+ if (line.contains(delimiter)) { - // Process 'token=password' format: - // - // Token: tokenPassword[0] -@@ -270,10 +275,7 @@ public class MainCLI extends CLI { - // Set simple 'password' (do not trim leading/trailing whitespace) - tokenPassword[1] = line; - } -- } else { -- // Case of an empty password file -- throw new Exception("File '" + pwfile + "' is empty!"); -- } -+ - } finally { - if (br != null) { - br.close(); -@@ -397,7 +399,7 @@ public class MainCLI extends CLI { - - if (certPasswordFile != null) { - // read client security database password from specified file -- tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile); -+ tokenPasswordPair = loadPassword(certPasswordFile); - // XXX TBD set client security database token - - certPassword = tokenPasswordPair[1]; -@@ -411,7 +413,7 @@ public class MainCLI extends CLI { - - if (passwordFile != null) { - // read user password from specified file -- tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile); -+ tokenPasswordPair = loadPassword(passwordFile); - // XXX TBD set user token - - password = tokenPasswordPair[1]; --- -1.8.3.1 - - -From 9741b7873005419b922ba79c61ef98ae17cb58be Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 3 Jun 2017 02:03:32 +0200 -Subject: [PATCH 20/27] Refactored MainCLI.loadPassword() (part 2). - -The MainCLI.loadPassword() has been modified to fix the code -indentation. 
- -https://pagure.io/dogtagpki/issue/2717 - -Change-Id: I7d208f1f4568f2fb1323ab206f45af5c0338b53f ---- - .../src/com/netscape/cmstools/cli/MainCLI.java | 49 +++++++++++----------- - 1 file changed, 25 insertions(+), 24 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 2402196..2b6b173 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -247,35 +247,36 @@ public class MainCLI extends CLI { - throw new Exception("File '" + pwfile + "' does not define a token or a password!"); - } - -- if (line.contains(delimiter)) { -- // Process 'token=password' format: -- // -- // Token: tokenPassword[0] -- // Password: tokenPassword[1] -- // -- tokenPassword = line.split(delimiter, 2); -- -- // Always trim leading/trailing whitespace from 'token' -- tokenPassword[0] = tokenPassword[0].trim(); -- -- // Check for undefined 'token' -- if (tokenPassword[0].isEmpty()) { -- // Set default 'token' -- tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; -- } -- -- // Check for undefined 'password' -- if (tokenPassword[1].isEmpty()) { -- throw new Exception("File '" + pwfile + "' does not define a password!"); -- } -- } else { -+ if (line.contains(delimiter)) { -+ // Process 'token=password' format: -+ // -+ // Token: tokenPassword[0] -+ // Password: tokenPassword[1] -+ // -+ tokenPassword = line.split(delimiter, 2); -+ -+ // Always trim leading/trailing whitespace from 'token' -+ tokenPassword[0] = tokenPassword[0].trim(); -+ -+ // Check for undefined 'token' -+ if (tokenPassword[0].isEmpty()) { - // Set default 'token' - tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; -+ } - -- // Set simple 'password' (do not trim leading/trailing whitespace) -- tokenPassword[1] = line; -+ // Check for undefined 'password' -+ if (tokenPassword[1].isEmpty()) { -+ throw new Exception("File '" + pwfile + "' does 
not define a password!"); - } - -+ } else { -+ // Set default 'token' -+ tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME; -+ -+ // Set simple 'password' (do not trim leading/trailing whitespace) -+ tokenPassword[1] = line; -+ } -+ - } finally { - if (br != null) { - br.close(); --- -1.8.3.1 - - -From 729468e46612569da4c93b15bc0d674099003aba Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 3 Jun 2017 02:28:00 +0200 -Subject: [PATCH 21/27] Refactored MainCLI.loadPassword() (part 3). - -The MainCLI.loadPassword() has been modified to use try-with- -resources. Some log messages have been added for clarity. - -https://pagure.io/dogtagpki/issue/2717 - -Change-Id: Ic4950ba677613565f548b51d1f985177c6726510 ---- - .../src/com/netscape/cmstools/cli/MainCLI.java | 21 +++++++++------------ - 1 file changed, 9 insertions(+), 12 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 2b6b173..dcc60e2 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -230,12 +230,11 @@ public class MainCLI extends CLI { - } - - public String[] loadPassword(String pwfile) throws Exception { -+ - String[] tokenPassword = { null, null }; -- BufferedReader br = null; - String delimiter = "="; - -- try { -- br = new BufferedReader(new FileReader(pwfile)); -+ try (BufferedReader br = new BufferedReader(new FileReader(pwfile))) { - - String line = br.readLine(); - -@@ -276,11 +275,6 @@ public class MainCLI extends CLI { - // Set simple 'password' (do not trim leading/trailing whitespace) - tokenPassword[1] = line; - } -- -- } finally { -- if (br != null) { -- br.close(); -- } - } - - return tokenPassword; -@@ -399,7 +393,7 @@ public class MainCLI extends CLI { - config.setCertNickname(certNickname); - - if (certPasswordFile != null) { -- // read client security database password from specified file 
-+ if (verbose) System.out.println("Loading NSS password from " + certPasswordFile); - tokenPasswordPair = loadPassword(certPasswordFile); - // XXX TBD set client security database token - -@@ -413,7 +407,7 @@ public class MainCLI extends CLI { - config.setUsername(username); - - if (passwordFile != null) { -- // read user password from specified file -+ if (verbose) System.out.println("Loading user password from " + passwordFile); - tokenPasswordPair = loadPassword(passwordFile); - // XXX TBD set user token - -@@ -494,15 +488,18 @@ public class MainCLI extends CLI { - - // If password is specified, use password to access security token - if (config.getCertPassword() != null) { -- if (verbose) System.out.println("Logging into security token"); -+ - try { - CryptoManager manager = CryptoManager.getInstance(); - - String tokenName = config.getTokenName(); -- CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); -+ if (verbose) System.out.println("Getting " + (tokenName == null ? "internal" : tokenName) + " token"); - -+ CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); - manager.setThreadToken(token); - -+ if (verbose) System.out.println("Logging into " + token.getName()); -+ - Password password = new Password(config.getCertPassword().toCharArray()); - token.login(password); - --- -1.8.3.1 - - -From d4e5176702b3a08a67233e069ac211e95e01b228 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 3 Jun 2017 01:32:37 +0200 -Subject: [PATCH 22/27] Refactored CLI.runExternal(). - -The methods for running external commands in various CLI classes -have been merged into CLI.runExternal(). 
- -https://pagure.io/dogtagpki/issue/2717 - -Change-Id: I5b6d136db699d3bb48e4f36f7f187d0240bbbf62 ---- - .../src/com/netscape/cmstools/cli/CLI.java | 35 ++++++++++++++++++++++ - .../src/com/netscape/cmstools/cli/MainCLI.java | 10 +++---- - .../cmstools/client/ClientCertImportCLI.java | 23 ++------------ - .../cmstools/client/ClientCertModifyCLI.java | 35 +++++----------------- - .../cmstools/client/ClientCertRequestCLI.java | 10 +++---- - .../cmstools/client/ClientCertShowCLI.java | 27 +++-------------- - .../netscape/cmstools/client/ClientInitCLI.java | 25 ++++++---------- - 7 files changed, 65 insertions(+), 100 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -index 4911b8a..60db7a1 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -@@ -18,6 +18,7 @@ - - package com.netscape.cmstools.cli; - -+import java.io.IOException; - import java.util.ArrayList; - import java.util.Collection; - import java.util.LinkedHashMap; -@@ -351,4 +352,38 @@ public class CLI { - public static void setVerbose(boolean verbose) { - CLI.verbose = verbose; - } -+ -+ public void runExternal(List command) throws CLIException, IOException, InterruptedException { -+ String[] array = command.toArray(new String[command.size()]); -+ runExternal(array); -+ } -+ -+ public void runExternal(String[] command) throws CLIException, IOException, InterruptedException { -+ -+ if (verbose) { -+ -+ System.out.print("External command:"); -+ -+ for (String c : command) { -+ -+ boolean quote = c.contains(" "); -+ -+ System.out.print(" "); -+ -+ if (quote) System.out.print("\""); -+ System.out.print(c); -+ if (quote) System.out.print("\""); -+ } -+ -+ System.out.println(); -+ } -+ -+ Runtime rt = Runtime.getRuntime(); -+ Process p = rt.exec(command); -+ int rc = p.waitFor(); -+ -+ if (rc != 0) { -+ throw new CLIException("External command 
failed. RC: " + rc, rc); -+ } -+ } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index dcc60e2..51861b5 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -473,12 +473,10 @@ public class MainCLI extends CLI { - "--empty-password" - }; - -- Runtime rt = Runtime.getRuntime(); -- Process p = rt.exec(commands); -- -- int rc = p.waitFor(); -- if (rc != 0) { -- throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")"); -+ try { -+ runExternal(commands); -+ } catch (Exception e) { -+ throw new Exception("Unable to create security database", e); - } - } - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index 9cb3e67..687dfc4 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -21,14 +21,12 @@ package com.netscape.cmstools.client; - import java.io.File; - import java.io.FileOutputStream; - import java.io.FileWriter; --import java.io.IOException; - import java.io.PrintWriter; - import java.net.URI; - import java.util.Arrays; - - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; --import org.apache.commons.lang.StringUtils; - - import com.netscape.certsrv.cert.CertClient; - import com.netscape.certsrv.cert.CertData; -@@ -283,8 +281,7 @@ public class ClientCertImportCLI extends CLI { - }; - - try { -- run(command); -- -+ runExternal(command); - } catch (Exception e) { - throw new Exception("Unable to import certificate file", e); - } -@@ -305,25 +302,9 @@ public class ClientCertImportCLI extends CLI { - }; - - try { -- run(command); -- -+ runExternal(command); - } catch 
(Exception e) { - throw new Exception("Unable to import PKCS #12 file", e); - } - } -- -- public void run(String[] command) throws IOException, InterruptedException { -- -- if (verbose) { -- System.out.println("Command: " + StringUtils.join(command, " ")); -- } -- -- Runtime rt = Runtime.getRuntime(); -- Process p = rt.exec(command); -- int rc = p.waitFor(); -- -- if (rc != 0) { -- throw new IOException("Command failed. RC: " + rc); -- } -- } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java -index f229e67..8ae7c6d 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java -@@ -18,8 +18,6 @@ - - package com.netscape.cmstools.client; - --import java.io.IOException; -- - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; - -@@ -75,38 +73,19 @@ public class ClientCertModifyCLI extends CLI { - - String trustAttributes = cmd.getOptionValue("trust", "u,u,u"); - -- int rc = modifyCert( -- mainCLI.certDatabase.getAbsolutePath(), -- nickname, -- trustAttributes); -- -- if (rc != 0) { -- MainCLI.printMessage("Modified failed"); -- return; -- } -- -- MainCLI.printMessage("Modified certificate \"" + nickname + "\""); -- } -- -- public int modifyCert( -- String dbPath, -- String nickname, -- String trustAttributes) throws IOException, InterruptedException { -- - String[] command = { - "/usr/bin/certutil", "-M", -- "-d", dbPath, -+ "-d", mainCLI.certDatabase.getAbsolutePath(), - "-n", nickname, - "-t", trustAttributes - }; - -- return run(command); -- } -- -- public int run(String[] command) throws IOException, InterruptedException { -+ try { -+ runExternal(command); -+ } catch (Exception e) { -+ throw new Exception("Unable to modify certificate", e); -+ } - -- Runtime rt = Runtime.getRuntime(); -- Process p = 
rt.exec(command); -- return p.waitFor(); -+ MainCLI.printMessage("Modified certificate \"" + nickname + "\""); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -index 696ab8b..a14bb24 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -@@ -386,12 +386,10 @@ public class ClientCertRequestCLI extends CLI { - "-n", subjectDN - }; - -- Runtime rt = Runtime.getRuntime(); -- Process p = rt.exec(commands); -- -- int rc = p.waitFor(); -- if (rc != 0) { -- throw new Exception("CSR generation failed"); -+ try { -+ runExternal(commands); -+ } catch (Exception e) { -+ throw new Exception("CSR generation failed", e); - } - - if (verbose) { -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java -index 2242b37..bb60fbf 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java -@@ -20,13 +20,11 @@ package com.netscape.cmstools.client; - - import java.io.File; - import java.io.FileWriter; --import java.io.IOException; - import java.io.PrintWriter; - - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; - import org.apache.commons.lang.RandomStringUtils; --import org.apache.commons.lang.StringUtils; - import org.mozilla.jss.crypto.X509Certificate; - - import com.netscape.certsrv.client.PKIClient; -@@ -192,8 +190,7 @@ public class ClientCertShowCLI extends CLI { - }; - - try { -- run(command); -- -+ runExternal(command); - } catch (Exception e) { - throw new Exception("Unable to export PKCS #12 file", e); - } -@@ -215,8 +212,7 @@ public class ClientCertShowCLI extends CLI { - }; - - try { -- run(command); 
-- -+ runExternal(command); - } catch (Exception e) { - throw new Exception("Unable to export certificate", e); - } -@@ -238,8 +234,7 @@ public class ClientCertShowCLI extends CLI { - }; - - try { -- run(command); -- -+ runExternal(command); - } catch (Exception e) { - throw new Exception("Unable to export private key", e); - } -@@ -261,23 +256,9 @@ public class ClientCertShowCLI extends CLI { - }; - - try { -- run(command); -- -+ runExternal(command); - } catch (Exception e) { - throw new Exception("Unable to export client certificate and private key", e); - } - } -- -- public void run(String[] command) throws IOException, InterruptedException { -- -- if (verbose) System.out.println("Command: " + StringUtils.join(command, " ")); -- -- Runtime rt = Runtime.getRuntime(); -- Process p = rt.exec(command); -- int rc = p.waitFor(); -- -- if (rc != 0) { -- throw new IOException("Command failed. RC: " + rc); -- } -- } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java -index 893b40b..7e018de 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java -@@ -95,12 +95,11 @@ public class ClientInitCLI extends CLI { - File passwordFile = new File(certDatabase, "password.txt"); - - try { -- String[] commands = { -- "/usr/bin/certutil", "-N", -- "-d", certDatabase.getAbsolutePath(), -- }; -- -- List list = new ArrayList<>(Arrays.asList(commands)); -+ List list = new ArrayList<>(); -+ list.add("/usr/bin/certutil"); -+ list.add("-N"); -+ list.add("-d"); -+ list.add(certDatabase.getAbsolutePath()); - - if (mainCLI.config.getCertPassword() == null) { - list.add("--empty-password"); -@@ -114,16 +113,10 @@ public class ClientInitCLI extends CLI { - list.add(passwordFile.getAbsolutePath()); - } - -- commands = new String[list.size()]; -- list.toArray(commands); -- -- Runtime rt = 
Runtime.getRuntime(); -- Process p = rt.exec(commands); -- -- int rc = p.waitFor(); -- if (rc != 0) { -- MainCLI.printMessage("Client initialization failed"); -- return; -+ try { -+ runExternal(list); -+ } catch (Exception e) { -+ throw new Exception("Client initialization failed", e); - } - - MainCLI.printMessage("Client initialized"); --- -1.8.3.1 - - -From 3ef47867df74eb9dce408b88756ccce7d7438da5 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 3 Jun 2017 00:29:29 +0200 -Subject: [PATCH 23/27] Fixed pki client-cert-import CLI. - -The pki client-cert-import CLI has been modified to provide a -password file when invoking the certutil -A command. - -https://pagure.io/dogtagpki/issue/2717 - -Change-Id: If32f9eeb39d140aaef38c9bc1933f3ae0f57a5a2 ---- - .../cmstools/client/ClientCertImportCLI.java | 94 +++++++++++++++------- - 1 file changed, 66 insertions(+), 28 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index 687dfc4..1c67f99 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -23,7 +23,9 @@ import java.io.FileOutputStream; - import java.io.FileWriter; - import java.io.PrintWriter; - import java.net.URI; -+import java.util.ArrayList; - import java.util.Arrays; -+import java.util.List; - - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; -@@ -128,6 +130,20 @@ public class ClientCertImportCLI extends CLI { - String serialNumber = cmd.getOptionValue("serial"); - String trustAttributes = cmd.getOptionValue("trust"); - -+ File nssdbPasswordFile = null; -+ -+ if (mainCLI.config.getCertPassword() != null) { -+ -+ // store NSS database password in a temporary file -+ -+ nssdbPasswordFile = File.createTempFile("pki-client-cert-import-", ".nssdb-pwd"); -+ 
nssdbPasswordFile.deleteOnExit(); -+ -+ try (PrintWriter out = new PrintWriter(new FileWriter(nssdbPasswordFile))) { -+ out.print(mainCLI.config.getCertPassword()); -+ } -+ } -+ - // load the certificate - if (certPath != null) { - -@@ -137,7 +153,8 @@ public class ClientCertImportCLI extends CLI { - trustAttributes = "u,u,u"; - - importCert( -- mainCLI.certDatabase.getAbsolutePath(), -+ mainCLI.certDatabase, -+ nssdbPasswordFile, - certPath, - nickname, - trustAttributes); -@@ -150,7 +167,8 @@ public class ClientCertImportCLI extends CLI { - trustAttributes = "CT,c,"; - - importCert( -- mainCLI.certDatabase.getAbsolutePath(), -+ mainCLI.certDatabase, -+ nssdbPasswordFile, - caCertPath, - nickname, - trustAttributes); -@@ -164,7 +182,7 @@ public class ClientCertImportCLI extends CLI { - - } else if (pkcs12Password != null) { - // store password into a temporary file -- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pwd"); -+ File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pkcs12-pwd"); - pkcs12PasswordFile.deleteOnExit(); - - try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) { -@@ -182,8 +200,8 @@ public class ClientCertImportCLI extends CLI { - - // import certificates and private key into PKCS #12 file - importPKCS12( -- mainCLI.certDatabase.getAbsolutePath(), -- mainCLI.config.getCertPassword(), -+ mainCLI.certDatabase, -+ nssdbPasswordFile, - pkcs12Path, - pkcs12PasswordPath); - -@@ -212,7 +230,8 @@ public class ClientCertImportCLI extends CLI { - trustAttributes = "CT,c,"; - - importCert( -- mainCLI.certDatabase.getAbsolutePath(), -+ mainCLI.certDatabase, -+ nssdbPasswordFile, - certFile.getAbsolutePath(), - nickname, - trustAttributes); -@@ -245,7 +264,8 @@ public class ClientCertImportCLI extends CLI { - trustAttributes = "u,u,u"; - - importCert( -- mainCLI.certDatabase.getAbsolutePath(), -+ mainCLI.certDatabase, -+ nssdbPasswordFile, - certFile.getAbsolutePath(), - nickname, - 
trustAttributes); -@@ -263,8 +283,9 @@ public class ClientCertImportCLI extends CLI { - } - - public void importCert( -- String dbPath, -- String certPath, -+ File dbPath, -+ File dbPasswordFile, -+ String certFile, - String nickname, - String trustAttributes) throws Exception { - -@@ -272,13 +293,23 @@ public class ClientCertImportCLI extends CLI { - throw new Exception("Missing certificate nickname."); - } - -- String[] command = { -- "/bin/certutil", "-A", -- "-d", dbPath, -- "-i", certPath, -- "-n", nickname, -- "-t", trustAttributes -- }; -+ List command = new ArrayList<>(); -+ command.add("/bin/certutil"); -+ command.add("-A"); -+ command.add("-d"); -+ command.add(dbPath.getAbsolutePath()); -+ -+ if (dbPasswordFile != null) { -+ command.add("-f"); -+ command.add(dbPasswordFile.getAbsolutePath()); -+ } -+ -+ command.add("-i"); -+ command.add(certFile); -+ command.add("-n"); -+ command.add(nickname); -+ command.add("-t"); -+ command.add(trustAttributes); - - try { - runExternal(command); -@@ -288,18 +319,25 @@ public class ClientCertImportCLI extends CLI { - } - - public void importPKCS12( -- String dbPath, -- String dbPassword, -- String pkcs12Path, -- String pkcs12PasswordPath) throws Exception { -- -- String[] command = { -- "/bin/pk12util", -- "-d", dbPath, -- "-K", dbPassword, -- "-i", pkcs12Path, -- "-w", pkcs12PasswordPath -- }; -+ File dbPath, -+ File dbPasswordFile, -+ String pkcs12File, -+ String pkcs12PasswordFile) throws Exception { -+ -+ List command = new ArrayList<>(); -+ command.add("/bin/pk12util"); -+ command.add("-d"); -+ command.add(dbPath.getAbsolutePath()); -+ -+ if (dbPasswordFile != null) { -+ command.add("-k"); -+ command.add(dbPasswordFile.getAbsolutePath()); -+ } -+ -+ command.add("-i"); -+ command.add(pkcs12File); -+ command.add("-w"); -+ command.add(pkcs12PasswordFile); - - try { - runExternal(command); --- -1.8.3.1 - - -From 64b7b7abfed29b6a520be66414139364d713461e Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Sat, 3 Jun 2017 03:52:09 +0200 -Subject: [PATCH 24/27] Fixed default CA cert trust flags in pki CLI. - -The pki CLI has been modified to use CT,C,C as the default trust -flags for CA certificate import operations. - -https://pagure.io/dogtagpki/issue/2726 - -Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377 ---- - base/common/python/pki/cli/pkcs12.py | 2 +- - .../src/com/netscape/cmstools/client/ClientCertImportCLI.java | 4 ++-- - .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 1 + - 3 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py -index 6b99fcf..2f8aabf 100644 ---- a/base/common/python/pki/cli/pkcs12.py -+++ b/base/common/python/pki/cli/pkcs12.py -@@ -237,7 +237,7 @@ class PKCS12ImportCLI(pki.cli.CLI): - trust_flags = cert_info['trust_flags'] - else: - # default trust flags for CA certificates -- trust_flags = 'CT,c,c' -+ trust_flags = 'CT,C,C' - - if main_cli.verbose: - print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id)) -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index 1c67f99..844453e 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -164,7 +164,7 @@ public class ClientCertImportCLI extends CLI { - if (verbose) System.out.println("Importing CA certificate from " + caCertPath + "."); - - if (trustAttributes == null) -- trustAttributes = "CT,c,"; -+ trustAttributes = "CT,C,C"; - - importCert( - mainCLI.certDatabase, -@@ -227,7 +227,7 @@ public class ClientCertImportCLI extends CLI { - } - - if (trustAttributes == null) -- trustAttributes = "CT,c,"; -+ trustAttributes = "CT,C,C"; - - importCert( - mainCLI.certDatabase, -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index c9a375f..ebade36 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -1113,6 +1113,7 @@ public class ConfigurationUtils { - | InternalCertificate.VALID_CA); - - } else if (isAuditSigningCert(name)) { -+ // set trust flags to u,u,Pu - icert.setObjectSigningTrust(InternalCertificate.USER - | InternalCertificate.VALID_PEER - | InternalCertificate.TRUSTED_PEER); --- -1.8.3.1 - - -From c0b2daef934a8f5ac1c61d673865348aa2a0f702 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 25 May 2017 15:32:14 +1000 -Subject: [PATCH 25/27] Improve exception message for null - AuthorityKeyIdentifier - -When the Authority Key Identifier extension cannot be instantiated, -we currently fail with a generic "extension not found" error -message. Throw a better exception for this case in particular, and -improve the exception message for the general case of attempting to -add a null exception. 
- -Fixes: https://pagure.io/dogtagpki/issue/2705 -Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd ---- - .../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java | 4 ++++ - base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java | 2 +- - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java -index 42931de..f8d8b44 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java -@@ -183,6 +183,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { - } catch (EBaseException e) { - throw new EProfileException(e); - } -+ if (ext == null) { -+ throw new EProfileException( -+ "Could not instantiate AuthorityKeyIdentifier extension."); -+ } - addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info); - } - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -index 1d5bfc4..6192888 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -@@ -367,7 +367,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe - protected void addExtension(String name, Extension ext, X509CertInfo info) - throws EProfileException { - if (ext == null) { -- throw new EProfileException("extension not found"); -+ throw new EProfileException("addExtension: extension '" + name + "' is null"); - } - CertificateExtensions exts = null; - --- -1.8.3.1 - diff --git a/SOURCES/pki-core-snapshot-4.patch b/SOURCES/pki-core-snapshot-4.patch deleted file mode 100644 index fa0082b..0000000 
--- a/SOURCES/pki-core-snapshot-4.patch +++ /dev/null 
@@ -1,3667 +0,0 @@ -From aa39354dbbf9df404f6ad374c837db0c421f2705 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 5 Jun 2017 08:50:25 -0700 -Subject: [PATCH 01/14] Ticket #2617 part2: add revocation check to signing - cert - ---- - .../cms/authentication/CMCUserSignedAuth.java | 19 +++++++++++++++++++ - .../authentication/CertUserDBAuthentication.java | 2 +- - 2 files changed, 20 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index 2128c1e..a18c25e 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; - import java.math.BigInteger; -+import java.security.cert.CertificateExpiredException; - import java.security.MessageDigest; - import java.security.PublicKey; - import java.util.Enumeration; -@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - si.verify(digest, id, pubK); - } - CMS.debug(method + "finished checking signature"); -+ - // verify signer's certificate using the revocator -+ // ...or not; I think it just checks usage and -+ // validity, but not revocation status - if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { - CMS.debug(method + "CMC signature failed to be verified"); - s.close(); -@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } - // At this point, the signature has been verified; - -+ // now check revocation status of the cert -+ if (CMS.isRevoked(x509Certs)) { -+ CMS.debug(method + "CMC signing cert is a revoked certificate"); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); 
-+ } -+ try { //do this again anyways -+ cert.checkValidity(); -+ } catch (CertificateExpiredException e) { -+ CMS.debug(method + "CMC signing cert is an expired certificate"); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } catch (Exception e) { -+ CMS.debug(method + e.toString()); -+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); -+ } -+ - IAuthToken tempToken = new AuthToken(null); - /* - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); -diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java -index 998d7e2..ae450fa 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java -@@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen - try { - user = (User) mCULocator.locateUser(certs); - } catch (EUsrGrpException e) { -- CMS.debug("CertUserDBAuthentication: cannot map certificate to any user"); -+ CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber() - .toString(16), x509Certs[0].getSubjectDN().toString(), e.toString())); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); --- -1.8.3.1 - - -From 30fb7bf49ce0f4c726f937b3984a4e27abb39959 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Tue, 6 Jun 2017 16:16:32 -0700 -Subject: [PATCH 04/14] Minor fix to already fixed issue: - -The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue. 
---- - base/native-tools/src/tkstool/key.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c -index e63da93..f208cbd 100644 ---- a/base/native-tools/src/tkstool/key.c -+++ b/base/native-tools/src/tkstool/key.c -@@ -1219,13 +1219,14 @@ TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, - rvExtractSymmetricKey = PK11_ExtractKeyValue( /* symmetric key */ symKey ); - if( rvExtractSymmetricKey != SECSuccess ) { - PR_fprintf( PR_STDERR, -- "ERROR: Failed to extract the %s key!\n\n", -+ "ERROR: Failed to extract the %s key for final display, OK if in FIPs mode!\n\n", - symmetricKeyName ); -- goto destroyHexSymmetricKey; -- } -+ symmetricKey = NULL; -+ } else { - -- /* If present, retrieve the raw key data */ -- symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); -+ /* If present, retrieve the raw key data */ -+ symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); -+ } - - #if defined(DEBUG) - /* For convenience, display the final symmetric key and */ --- -1.8.3.1 - - -From 38df4274214938ceece85627abb6d4fe77b960ff Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Fri, 26 May 2017 13:06:18 -0400 -Subject: [PATCH 06/14] Refactor client to not use keysets - -It is simpler to simply tell the client which -algorithm to use for key wrapping and encryption, rather -than use key sets. Therefore: - -* KRAInfo and CAInfo are refactored to provide the - algorithms required for key wrapping and encryption. - -* Client is modified to use these parameters to determine - which algorithms to use. - -* We specify the OIDs that will be used in the PKIARchiveOptions - more correctly. 
The options are basically: - AES-128-CBC, DES3-CBC, AES KeyWrap/Pad - -Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409 ---- - base/common/src/org/dogtagpki/common/CAInfo.java | 34 +++-- - base/common/src/org/dogtagpki/common/KRAInfo.java | 34 +++++ - .../src/com/netscape/cmstools/CRMFPopClient.java | 153 ++++++++++----------- - .../cmstools/client/ClientCertRequestCLI.java | 34 +---- - .../org/dogtagpki/server/rest/CAInfoService.java | 18 +-- - .../org/dogtagpki/server/rest/KRAInfoService.java | 40 +++++- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 22 +++ - 7 files changed, 206 insertions(+), 129 deletions(-) - -diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java -index f21dcd0..0f68c7a 100644 ---- a/base/common/src/org/dogtagpki/common/CAInfo.java -+++ b/base/common/src/org/dogtagpki/common/CAInfo.java -@@ -54,7 +54,8 @@ public class CAInfo extends ResourceMessage { - } - - String archivalMechanism; -- String wrappingKeySet; -+ String encryptAlgorithm; -+ String keyWrapAlgorithm; - - @XmlElement(name="ArchivalMechanism") - public String getArchivalMechanism() { -@@ -65,13 +66,20 @@ public class CAInfo extends ResourceMessage { - this.archivalMechanism = archivalMechanism; - } - -- @XmlElement(name="WrappingKeySet") -- public String getWrappingKeySet() { -- return wrappingKeySet; -+ public String getEncryptAlgorithm() { -+ return encryptAlgorithm; - } - -- public void setWrappingKeySet(String wrappingKeySet) { -- this.wrappingKeySet = wrappingKeySet; -+ public void setEncryptAlgorithm(String encryptAlgorithm) { -+ this.encryptAlgorithm = encryptAlgorithm; -+ } -+ -+ public String getKeyWrapAlgorithm() { -+ return keyWrapAlgorithm; -+ } -+ -+ public void setKeyWrapAlgorithm(String keyWrapAlgorithm) { -+ this.keyWrapAlgorithm = keyWrapAlgorithm; - } - - @Override -@@ -79,7 +87,8 @@ public class CAInfo extends ResourceMessage { - final int prime = 31; - int result = super.hashCode(); - result = 
prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); -- result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode()); -+ result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); -+ result = prime * result + ((keyWrapAlgorithm == null) ? 0 : keyWrapAlgorithm.hashCode()); - return result; - } - -@@ -97,10 +106,15 @@ public class CAInfo extends ResourceMessage { - return false; - } else if (!archivalMechanism.equals(other.archivalMechanism)) - return false; -- if (wrappingKeySet == null) { -- if (other.wrappingKeySet != null) -+ if (encryptAlgorithm == null) { -+ if (other.encryptAlgorithm != null) -+ return false; -+ } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) -+ return false; -+ if (keyWrapAlgorithm == null) { -+ if (other.keyWrapAlgorithm != null) - return false; -- } else if (!wrappingKeySet.equals(other.wrappingKeySet)) -+ } else if (!keyWrapAlgorithm.equals(other.keyWrapAlgorithm)) - return false; - return true; - } -diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java -index e17bd64..66fb992 100644 ---- a/base/common/src/org/dogtagpki/common/KRAInfo.java -+++ b/base/common/src/org/dogtagpki/common/KRAInfo.java -@@ -55,6 +55,8 @@ public class KRAInfo extends ResourceMessage { - - String archivalMechanism; - String recoveryMechanism; -+ String encryptAlgorithm; -+ String wrapAlgorithm; - - @XmlElement(name="ArchivalMechanism") - public String getArchivalMechanism() { -@@ -74,12 +76,32 @@ public class KRAInfo extends ResourceMessage { - this.recoveryMechanism = recoveryMechanism; - } - -+ @XmlElement(name="EncryptAlgorithm") -+ public String getEncryptAlgorithm() { -+ return encryptAlgorithm; -+ } -+ -+ public void setEncryptAlgorithm(String encryptAlgorithm) { -+ this.encryptAlgorithm = encryptAlgorithm; -+ } -+ -+ @XmlElement(name="WrapAlgorithm") -+ public String getWrapAlgorithm() { -+ return 
wrapAlgorithm; -+ } -+ -+ public void setWrapAlgorithm(String wrapAlgorithm) { -+ this.wrapAlgorithm = wrapAlgorithm; -+ } -+ - @Override - public int hashCode() { - final int prime = 31; - int result = super.hashCode(); - result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); -+ result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); - result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode()); -+ result = prime * result + ((wrapAlgorithm == null) ? 0 : wrapAlgorithm.hashCode()); - return result; - } - -@@ -97,11 +119,21 @@ public class KRAInfo extends ResourceMessage { - return false; - } else if (!archivalMechanism.equals(other.archivalMechanism)) - return false; -+ if (encryptAlgorithm == null) { -+ if (other.encryptAlgorithm != null) -+ return false; -+ } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) -+ return false; - if (recoveryMechanism == null) { - if (other.recoveryMechanism != null) - return false; - } else if (!recoveryMechanism.equals(other.recoveryMechanism)) - return false; -+ if (wrapAlgorithm == null) { -+ if (other.wrapAlgorithm != null) -+ return false; -+ } else if (!wrapAlgorithm.equals(other.wrapAlgorithm)) -+ return false; - return true; - } - -@@ -125,6 +157,8 @@ public class KRAInfo extends ResourceMessage { - KRAInfo before = new KRAInfo(); - before.setArchivalMechanism("encrypt"); - before.setRecoveryMechanism("keywrap"); -+ before.setEncryptAlgorithm("AES/CBC/Pad"); -+ before.setWrapAlgorithm("AES KeyWrap/Padding"); - - String string = before.toString(); - System.out.println(string); -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 0057a1d..b06faa6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -190,11 +190,7 @@ public class 
CRMFPopClient { - option.setArgName("extractable"); - options.addOption(option); - -- option = new Option("g", true, "KeyWrap"); -- option.setArgName("keyWrap"); -- options.addOption(option); -- -- option = new Option("w", true, "Wrapping Keyset"); -+ option = new Option("w", true, "Algorithm to be used for key wrapping"); - option.setArgName("keySet"); - options.addOption(option); - -@@ -231,10 +227,7 @@ public class CRMFPopClient { - System.out.println(" - POP_NONE: without POP"); - System.out.println(" - POP_SUCCESS: with valid POP"); - System.out.println(" - POP_FAIL: with invalid POP (for testing)"); -- System.out.println(" -g Use KeyWrapping to wrap private key (default: true)"); -- System.out.println(" - true: use a key wrapping algorithm"); -- System.out.println(" - false: use an encryption algorithm"); -- System.out.println(" -w Key set ID to use when wrapping the private key"); -+ System.out.println(" -w Algorithm to use for key wrapping"); - System.out.println(" -b PEM transport certificate (default: transport.txt)"); - System.out.println(" -v, --verbose Run in verbose mode."); - System.out.println(" --help Show help message."); -@@ -329,20 +322,17 @@ public class CRMFPopClient { - - boolean self_sign = cmd.hasOption("y"); - -- // get the key wrapping mechanism -- boolean keyWrap = true; -- if (cmd.hasOption("g")) { -- keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); -+ // get the keywrap algorithm -+ KeyWrapAlgorithm keyWrapAlgorithm = null; -+ String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString(); -+ if (cmd.hasOption("w")) { -+ kwAlg = cmd.getOptionValue("w"); - } else { -- String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); -- if (useKeyWrap != null) { -- keyWrap = Boolean.parseBoolean(useKeyWrap); -+ String alg = System.getenv("KEY_ARCHIVAL_KEYWRAP_ALGORITHM"); -+ if (alg != null) { -+ kwAlg = alg; - } - } -- String archivalMechanism = keyWrap ? 
KRAInfoResource.KEYWRAP_MECHANISM : -- KRAInfoResource.ENCRYPT_MECHANISM; -- -- String wrappingKeySet = cmd.getOptionValue("w"); - - String output = cmd.getOptionValue("o"); - -@@ -351,12 +341,11 @@ public class CRMFPopClient { - String requestor = cmd.getOptionValue("r"); - - if (hostPort != null) { -- if (cmd.hasOption("g") || cmd.hasOption("w")) { -- printError("Wrapping Key Set (-g) and keywrap (-w) options should " + -- "not be specified when hostport is specified. " + -- "CRMFPopClient will contact the server to " + -- "determine the correct values for these parameters"); -- System.exit(1); -+ if (cmd.hasOption("w")) { -+ printError("Any value specified for the key wrap parameter (-w) " + -+ "will be overriden. CRMFPopClient will contact the " + -+ "CA to determine the supported algorithm when " + -+ "hostport is specified"); - } - } - -@@ -493,9 +482,9 @@ public class CRMFPopClient { - System.out.println("Keypair private key id: " + kid); - - if (hostPort != null) { -- // check the CA for the required keyset and archival mechanism -+ // check the CA for the required key wrap algorithm - // if found, override whatever has been set by the command line -- // options or environment for archivalMechanism and wrappingKeySet -+ // options for the key wrap algorithm - - ClientConfig config = new ClientConfig(); - String host = hostPort.substring(0, hostPort.indexOf(':')); -@@ -503,31 +492,17 @@ public class CRMFPopClient { - config.setServerURL("http", host, port); - - PKIClient pkiclient = new PKIClient(config); -- -- // get archival mechanism -- CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); -- try { -- CAInfo info = infoClient.getInfo(); -- archivalMechanism = info.getArchivalMechanism(); -- wrappingKeySet = info.getWrappingKeySet(); -- } catch (PKIException e) { -- if (e.getCode() == 404) { -- // assume this is an older server, -- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -- wrappingKeySet = "0"; -- } else { -- throw new 
Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -- } -- } catch (Exception e) { -- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -- } -+ kwAlg = getKeyWrapAlgotihm(pkiclient); - } - -+ if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); -+ keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); -+ - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest( - self_sign, - token, transportCert, algorithm, keyPair, -- subject, archivalMechanism, wrappingKeySet); -+ subject, keyWrapAlgorithm); - - ProofOfPossession pop = null; - -@@ -592,6 +567,36 @@ public class CRMFPopClient { - } - } - -+ public static String getKeyWrapAlgotihm(PKIClient pkiclient) -+ throws Exception { -+ String kwAlg = null; -+ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); -+ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ -+ try { -+ CAInfo info = infoClient.getInfo(); -+ archivalMechanism = info.getArchivalMechanism(); -+ kwAlg = info.getKeyWrapAlgorithm(); -+ } catch (PKIException e) { -+ if (e.getCode() == 404) { -+ // assume this is an older server, -+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -+ kwAlg = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); -+ } else { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -+ } -+ } catch (Exception e) { -+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -+ } -+ -+ if (!archivalMechanism.equals(KRAInfoResource.KEYWRAP_MECHANISM)) { -+ // new server with encryption set. Use something we know will -+ // work. 
AES-128-CBC -+ kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString(); -+ } -+ return kwAlg; -+ } -+ - public void setVerbose(boolean verbose) { - this.verbose = verbose; - } -@@ -637,10 +642,9 @@ public class CRMFPopClient { - String algorithm, - KeyPair keyPair, - Name subject, -- String archivalMechanism, -- String wrappingKeySet) throws Exception { -+ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { - return createCertRequest(false, token, transportCert, algorithm, keyPair, -- subject, archivalMechanism, wrappingKeySet); -+ subject, keyWrapAlgorithm); - } - - public CertRequest createCertRequest( -@@ -650,24 +654,15 @@ public class CRMFPopClient { - String algorithm, - KeyPair keyPair, - Name subject, -- String archivalMechanism, -- String wrappingKeySet) throws Exception { -- EncryptionAlgorithm encryptAlg = null; -- -- if (wrappingKeySet == null) { -- wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET"); -+ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { -+ byte[] iv = null; -+ if (keyWrapAlgorithm.getParameterClasses() != null) { -+ iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); - } -+ OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); - -- if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) { -- // talking to an old server? 
-- encryptAlg = EncryptionAlgorithm.DES3_CBC; -- } else { -- encryptAlg = EncryptionAlgorithm.AES_128_CBC; -- } -- -- byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); -- AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); -- WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); -+ AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); -+ WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); - - PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( - token, -@@ -698,29 +693,21 @@ public class CRMFPopClient { - return new CertRequest(new INTEGER(1), certTemplate, seq); - } - -- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, -- String archivalMechanism) throws Exception { -- if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { -- KeyWrapAlgorithm wrapAlg = null; -- IVParameterSpec wrapIVS = null; -- if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { -- // We will use AES_CBC_PAD as the a key wrap mechanism. This -- // can be decrypted using the same mechanism on the server. -- wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; -- wrapIVS = new IVParameterSpec(wrapIV); -- } else { -- wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; -- } -+ private WrappingParams getWrappingParams(KeyWrapAlgorithm kwAlg, byte[] iv) throws Exception { -+ IVParameterSpec ivps = iv != null ? 
new IVParameterSpec(iv): null; -+ -+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD || -+ kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { - return new WrappingParams( - SymmetricKey.AES, KeyGenAlgorithm.AES, 128, -- KeyWrapAlgorithm.RSA, encryptAlg, -- wrapAlg, wrapIVS, wrapIVS); -- } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { -+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_128_CBC_PAD, -+ kwAlg, ivps, ivps); -+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) { - return new WrappingParams( - SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD, -- new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV)); -+ ivps, ivps); - } else { - throw new Exception("Invalid encryption algorithm"); - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -index a14bb24..9a0cfcc 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -@@ -29,18 +29,15 @@ import java.util.Vector; - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; - import org.apache.commons.io.FileUtils; --import org.dogtagpki.common.CAInfo; --import org.dogtagpki.common.CAInfoClient; --import org.dogtagpki.common.KRAInfoResource; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.CryptoToken; -+import org.mozilla.jss.crypto.KeyWrapAlgorithm; - import org.mozilla.jss.crypto.Signature; - import org.mozilla.jss.crypto.X509Certificate; - import org.mozilla.jss.pkix.crmf.CertRequest; - import org.mozilla.jss.pkix.crmf.ProofOfPossession; - import org.mozilla.jss.pkix.primitive.Name; - --import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.cert.CertClient; - import com.netscape.certsrv.cert.CertEnrollmentRequest; 
- import com.netscape.certsrv.cert.CertRequestInfos; -@@ -249,29 +246,13 @@ public class ClientCertRequestCLI extends CLI { - CryptoManager manager = CryptoManager.getInstance(); - X509Certificate transportCert = manager.importCACertPackage(transportCertData); - -- // get archival mechanism -- CAInfoClient infoClient = new CAInfoClient(client, "ca"); -- String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -- String wrappingKeySet = "1"; -- try { -- CAInfo info = infoClient.getInfo(); -- archivalMechanism = info.getArchivalMechanism(); -- wrappingKeySet = info.getWrappingKeySet(); -- } catch (PKIException e) { -- if (e.getCode() == 404) { -- // assume this is an older server, -- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; -- wrappingKeySet = "0"; -- } else { -- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -- } -- } catch (Exception e) { -- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); -- } -+ // get archival and key wrap mechanisms from CA -+ String kwAlg = CRMFPopClient.getKeyWrapAlgotihm(client); -+ KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); - - csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, - algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, -- archivalMechanism, wrappingKeySet); -+ keyWrapAlgorithm); - - } else { - throw new Exception("Unknown request type: " + requestType); -@@ -411,8 +392,7 @@ public class ClientCertRequestCLI extends CLI { - int sensitive, - int extractable, - boolean withPop, -- String archivalMechanism, -- String wrappingKeySet -+ KeyWrapAlgorithm keyWrapAlgorithm - ) throws Exception { - - CryptoManager manager = CryptoManager.getInstance(); -@@ -434,7 +414,7 @@ public class ClientCertRequestCLI extends CLI { - } - - CertRequest certRequest = client.createCertRequest( -- token, transportCert, algorithm, keyPair, subject, archivalMechanism, 
wrappingKeySet); -+ token, transportCert, algorithm, keyPair, subject, keyWrapAlgorithm); - - ProofOfPossession pop = null; - if (withPop) { -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -index 398f499..52c9ca0 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java -@@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo; - import org.dogtagpki.common.CAInfoResource; - import org.dogtagpki.common.KRAInfo; - import org.dogtagpki.common.KRAInfoClient; -+import org.mozilla.jss.crypto.EncryptionAlgorithm; -+import org.mozilla.jss.crypto.KeyWrapAlgorithm; - import org.slf4j.Logger; - import org.slf4j.LoggerFactory; - -@@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { - // KRA-related fields (the initial values are only used if we - // did not yet receive authoritative info from KRA) - private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; -- private static String wrappingKeySet = "0"; -+ private static String encryptAlgorithm; -+ private static String keyWrapAlgorithm; - - @Override - public Response getInfo() throws Exception { -@@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { - } - - info.setArchivalMechanism(archivalMechanism); -- info.setWrappingKeySet(wrappingKeySet); -+ info.setEncryptAlgorithm(encryptAlgorithm); -+ info.setKeyWrapAlgorithm(keyWrapAlgorithm); - } - } - -@@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { - KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); - - archivalMechanism = kraInfo.getArchivalMechanism(); -- -- // request succeeded; the KRA is 10.4 or higher, -- // therefore supports key set v1 -- wrappingKeySet = "1"; -+ encryptAlgorithm = kraInfo.getEncryptAlgorithm(); -+ keyWrapAlgorithm = 
kraInfo.getWrapAlgorithm();
- 
- // mark info as authoritative
- kraInfoAuthoritative = true;
-@@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
- // The KRAInfoResource was added in 10.4,
- // so we are talking to a pre-10.4 KRA
- 
-- // pre-10.4 only supports key set v0
-- wrappingKeySet = "0";
-+ encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString();
-+ keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString();
- 
- // pre-10.4 KRA does not advertise the archival
- // mechanism; look for the old knob in CA's config
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-index c4b3252..a9c3cdf 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-@@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory;
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
-+import com.netscape.certsrv.security.IStorageKeyUnit;
- import com.netscape.cms.servlet.base.PKIService;
- 
-+import netscape.security.util.WrappingParams;
-+
- /**
- * @author Ade Lee
- */
- public class KRAInfoService extends PKIService implements KRAInfoResource {
- 
- private static Logger logger = LoggerFactory.getLogger(InfoService.class);
-+ private IKeyRecoveryAuthority kra;
-+ private IStorageKeyUnit storageUnit;
-+
-+ public KRAInfoService() {
-+ kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
-+ storageUnit = kra.getStorageKeyUnit();
-+ }
- 
- @Override
- public Response getInfo() throws Exception {
-@@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
- KRAInfo info = new KRAInfo();
- info.setArchivalMechanism(getArchivalMechanism());
- 
info.setRecoveryMechanism(getRecoveryMechanism());
--
-+ info.setEncryptAlgorithm(getEncryptAlgorithm());
-+ info.setArchivalMechanism(getWrapAlgorithm());
- 
- return createOKResponse(info);
- }
-@@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
- boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false);
- return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
- }
-+
-+ String getWrapAlgorithm() throws EBaseException {
-+ IConfigStore cs = CMS.getConfigStore();
-+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
-+ WrappingParams params = null;
-+ try {
-+ params = storageUnit.getWrappingParams(encrypt_archival);
-+ } catch (Exception e) {
-+ // return something that should always work
-+ return "AES/CBC/Padding";
-+ }
-+ return params.getPayloadWrapAlgorithm().toString();
-+ }
-+
-+ String getEncryptAlgorithm() throws EBaseException {
-+ IConfigStore cs = CMS.getConfigStore();
-+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
-+ WrappingParams params = null;
-+ try {
-+ params = storageUnit.getWrappingParams(encrypt_archival);
-+ } catch (Exception e) {
-+ // return something that should always work
-+ return "AES/CBC/Padding";
-+ }
-+ return params.getPayloadEncryptionAlgorithm().toString();
-+ }
- }
- 
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 95b8f81..84e4a65 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -2713,6 +2713,28 @@ public class CryptoUtil {
- throw new NoSuchAlgorithmException();
- }
- 
-+ /*
-+ * Useful method to map KeyWrap algorithms to an OID.
-+ * This is not yet defined within JSS, although it will be valuable to do
-+ * so. 
The hard thing though is that the KeyWrapAlgorithms in JSS do not take
-+ * KEK key size into account for algorithms like AES. We assume 128 bits in
-+ * this case.
-+ *
-+ * This is used in the generation of CRMF requests, and will be correlated to
-+ * the subsequent reverse mapping method below.
-+ */
-+ public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
-+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
-+ return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
-+ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
-+ return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
-+ if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
-+ (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
-+ return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
-+
-+ throw new NoSuchAlgorithmException();
-+ }
-+
- }
- 
- // START ENABLE_ECC
---
-1.8.3.1
-
-
-From d5c331a42955365b76a1549aec047e613d3185dc Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Tue, 6 Jun 2017 16:16:40 -0400
-Subject: [PATCH 07/14] Server side changes to correctly parse the new
- PKIArchiveOptions
-
-The server is modified to read the new OIDs in the PKIArchiveOptions
-and handle them correctly. 
-
-Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
----
- base/common/src/org/dogtagpki/common/CAInfo.java | 2 +
- .../src/com/netscape/cmstools/CRMFPopClient.java | 20 ++++++--
- .../kra/src/com/netscape/kra/TransportKeyUnit.java | 21 ++++-----
- .../org/dogtagpki/server/rest/KRAInfoService.java | 2 +-
- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 34 ++++++++++---
- .../src/netscape/security/util/WrappingParams.java | 55 ++++++++++++++++++++++
- 6 files changed, 109 insertions(+), 25 deletions(-)
-
-diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
-index 0f68c7a..ada8098 100644
---- a/base/common/src/org/dogtagpki/common/CAInfo.java
-+++ b/base/common/src/org/dogtagpki/common/CAInfo.java
-@@ -66,6 +66,7 @@ public class CAInfo extends ResourceMessage {
- this.archivalMechanism = archivalMechanism;
- }
- 
-+ @XmlElement(name="EncryptAlgorithm")
- public String getEncryptAlgorithm() {
- return encryptAlgorithm;
- }
-@@ -74,6 +75,7 @@ public class CAInfo extends ResourceMessage {
- this.encryptAlgorithm = encryptAlgorithm;
- }
- 
-+ @XmlElement(name="WrapAlgorithm")
- public String getKeyWrapAlgorithm() {
- return keyWrapAlgorithm;
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-index b06faa6..25de2dd 100644
---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-@@ -191,7 +191,7 @@ public class CRMFPopClient {
- options.addOption(option);
- 
- option = new Option("w", true, "Algorithm to be used for key wrapping");
-- option.setArgName("keySet");
-+ option.setArgName("keywrap algorithm");
- options.addOption(option);
- 
- options.addOption("y", false, "for Self-signed cmc.");
-@@ -655,13 +655,23 @@ public class CRMFPopClient {
- KeyPair keyPair,
- Name subject,
- KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
-- 
byte[] iv = null;
-- if (keyWrapAlgorithm.getParameterClasses() != null) {
-- iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
-- }
-+ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
- OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
- 
-+ /* TODO(alee)
-+ *
-+ * HACK HACK!
-+ * algorithms like AES KeyWrap do not require an IV, but we need to include one
-+ * in the AlgorithmIdentifier above, or the creation and parsing of the
-+ * PKIArchiveOptions options will fail. So we include an IV in aid, but null it
-+ * later to correctly encrypt the data
-+ */
- AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
-+
-+ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses();
-+ if (iv_classes == null || iv_classes.length == 0)
-+ iv = null;
-+
- WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
- 
- PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
-diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
-index d0ad8b3..91af7cf 100644
---- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
-+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
-@@ -267,7 +267,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
- * Decrypts the user private key. This is called on the transport unit. 
- */
- public byte[] decryptExternalPrivate(byte encSymmKey[],
-- String symmAlgOID, byte symmAlgParams[], byte encValue[],
-+ String wrapOID, byte wrapIV[], byte encValue[],
- org.mozilla.jss.crypto.X509Certificate transCert)
- throws Exception {
- 
-@@ -279,12 +279,10 @@ public class TransportKeyUnit extends EncryptionUnit implements
- CryptoToken token = getToken(transCert);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
-- WrappingParams params = new WrappingParams(
-- symmAlgOID,
-- null,
-+ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
-+ wrapOID,
- priKeyAlgo,
-- new IVParameterSpec(symmAlgParams),
-- null);
-+ new IVParameterSpec(wrapIV));
- 
- SymmetricKey sk = CryptoUtil.unwrap(
- token,
-@@ -303,6 +301,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
- params.getPayloadEncryptionAlgorithm());
- }
- 
-+
- /**
- * External unwrapping. Unwraps the symmetric key using
- * the transport private key.
-@@ -342,19 +341,17 @@ public class TransportKeyUnit extends EncryptionUnit implements
- * the transport private key. 
- */
- public PrivateKey unwrap(byte encSymmKey[],
-- String symmAlgOID, byte symmAlgParams[],
-+ String wrapOID, byte wrapIV[],
- byte encValue[], PublicKey pubKey,
- org.mozilla.jss.crypto.X509Certificate transCert)
- throws Exception {
- CryptoToken token = getToken(transCert);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
-- WrappingParams params = new WrappingParams(
-- symmAlgOID,
-- null,
-+ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
-+ wrapOID,
- priKeyAlgo,
-- new IVParameterSpec(symmAlgParams),
-- new IVParameterSpec(symmAlgParams));
-+ new IVParameterSpec(wrapIV));
- 
- // (1) unwrap the session key
- SymmetricKey sk = CryptoUtil.unwrap(
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-index a9c3cdf..c855b22 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
-@@ -59,7 +59,7 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
- info.setArchivalMechanism(getArchivalMechanism());
- info.setRecoveryMechanism(getRecoveryMechanism());
- info.setEncryptAlgorithm(getEncryptAlgorithm());
-- info.setArchivalMechanism(getWrapAlgorithm());
-+ info.setWrapAlgorithm(getWrapAlgorithm());
- 
- return createOKResponse(info);
- }
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 84e4a65..eca8ddd 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -2713,6 +2713,10 @@ public class CryptoUtil {
- throw new NoSuchAlgorithmException();
- }
- 
-+ public static final OBJECT_IDENTIFIER KW_AES_KEY_WRAP_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
-+ public static final OBJECT_IDENTIFIER 
KW_AES_CBC_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
-+ public static final OBJECT_IDENTIFIER KW_DES_CBC_PAD = new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
-+
- /*
- * Useful method to map KeyWrap algorithms to an OID.
- * This is not yet defined within JSS, although it will be valuable to do
-@@ -2724,13 +2728,29 @@ public class CryptoUtil {
- * the subsequent reverse mapping method below.
- */
- public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
-- if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
-- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
-- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
-- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
-- if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
-- (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
-- return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
-+ String name = kwAlg.toString();
-+ if (name.equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString()))
-+ return KW_AES_KEY_WRAP_PAD;
-+ if (name.equals(KeyWrapAlgorithm.AES_CBC_PAD.toString()))
-+ return KW_AES_CBC_PAD;
-+ if (name.equals(KeyWrapAlgorithm.DES3_CBC_PAD.toString()))
-+ return KW_DES_CBC_PAD;
-+ if (name.equals(KeyWrapAlgorithm.DES_CBC_PAD.toString()))
-+ return KW_DES_CBC_PAD;
-+
-+ throw new NoSuchAlgorithmException();
-+ }
-+
-+ public static KeyWrapAlgorithm getKeyWrapAlgorithmFromOID(String wrapOID) throws NoSuchAlgorithmException {
-+ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
-+ if (oid.equals(KW_AES_KEY_WRAP_PAD))
-+ return KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
-+
-+ if (oid.equals(KW_AES_CBC_PAD))
-+ return KeyWrapAlgorithm.AES_CBC_PAD;
-+
-+ if (oid.equals(KW_DES_CBC_PAD))
-+ return KeyWrapAlgorithm.DES3_CBC_PAD;
- 
- throw new NoSuchAlgorithmException();
- }
-diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
-index 8fe5df6..cda8870 100644
---- 
a/base/util/src/netscape/security/util/WrappingParams.java
-+++ b/base/util/src/netscape/security/util/WrappingParams.java
-@@ -10,6 +10,8 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
- import org.mozilla.jss.crypto.SymmetricKey;
- import org.mozilla.jss.crypto.SymmetricKey.Type;
- 
-+import com.netscape.cmsutil.crypto.CryptoUtil;
-+
- public class WrappingParams {
- // session key attributes
- SymmetricKey.Type skType;
-@@ -123,6 +125,59 @@ public class WrappingParams {
- }
- }
- 
-+ private WrappingParams(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
-+ throws NumberFormatException, NoSuchAlgorithmException {
-+ KeyWrapAlgorithm kwAlg = CryptoUtil.getKeyWrapAlgorithmFromOID(wrapOID);
-+
-+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
-+ skType = SymmetricKey.AES;
-+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
-+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
-+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
-+ skLength = 128;
-+ }
-+
-+ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
-+ skType = SymmetricKey.AES;
-+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
-+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
-+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
-+ skLength = 128;
-+ }
-+
-+ if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
-+ skType = SymmetricKey.DES;
-+ skKeyGenAlgorithm = KeyGenAlgorithm.DES;
-+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
-+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
-+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
-+ skLength = 0;
-+ }
-+
-+ if (priKeyAlgo.equals("EC")) {
-+ skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB;
-+ } else {
-+ skWrapAlgorithm = KeyWrapAlgorithm.RSA;
-+ }
-+
-+ // set the IVs
-+ payloadEncryptionIV = wrapIV;
-+
-+ if (payloadWrapAlgorithm == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
-+ // TODO(alee) Hack -- if we pass in null for the iv in the
-+ // PKIArchiveOptions, we fail 
to decode correctly when parsing a
-+ * CRMFPopClient request.
-+ payloadWrappingIV = null;
-+ } else {
-+ payloadWrappingIV = wrapIV;
-+ }
-+ }
-+
-+ public static WrappingParams getWrappingParamsFromArchiveOptions(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
-+ throws NumberFormatException, NoSuchAlgorithmException {
-+ return new WrappingParams(wrapOID, priKeyAlgo, wrapIV);
-+ }
-+
- public SymmetricKey.Type getSkType() {
- return skType;
- }
---
-1.8.3.1
-
-
-From 5bf30f2f6a52b7164ba31ab12ed2317b2c572610 Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Thu, 8 Jun 2017 16:08:30 -0400
-Subject: [PATCH 10/14] Stop using hardcoded IV in CMC
-
-Bugzilla #BZ 1458055
-
-Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82
----
- base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 13 ++++++++-----
- .../src/com/netscape/cms/profile/common/EnrollProfile.java | 13 ++++++-------
- .../com/netscape/cms/servlet/common/CMCOutputTemplate.java | 8 +++-----
- 3 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-index 8d49b20..4adf22b 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-@@ -40,6 +40,7 @@ import java.util.StringTokenizer;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.asn1.ANY;
- import org.mozilla.jss.asn1.ASN1Util;
-+import org.mozilla.jss.asn1.ASN1Value;
- import org.mozilla.jss.asn1.BIT_STRING;
- import org.mozilla.jss.asn1.ENUMERATED;
- import org.mozilla.jss.asn1.GeneralizedTime;
-@@ -1708,6 +1709,12 @@ public class CMCRequest {
- try {
- TaggedRequest request = encryptedPop.getRequest();
- AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID();
-+
-+ ASN1Value v = thePOPAlgID.getParameters();
-+ v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
-+ byte iv[] = ((OCTET_STRING) 
v).toByteArray();
-+ IVParameterSpec ivps = new IVParameterSpec(iv);
-+
- AlgorithmIdentifier witnessAlgID = encryptedPop.getWitnessAlgID();
- OCTET_STRING witness = encryptedPop.getWitness();
- ContentInfo cms = encryptedPop.getContentInfo();
-@@ -1734,13 +1741,9 @@ public class CMCRequest {
- }
- System.out.println(method + "symKey unwrapped.");
- 
-- // TODO(alee) The code below should be replaced by code that generates a random IV
-- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-- IVParameterSpec default_iv = new IVParameterSpec(iv);
--
- byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
- token,
-- default_iv,
-+ ivps,
- encCI.getEncryptedContent().toByteArray(),
- symKey,
- EncryptionAlgorithm.AES_128_CBC);
-diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-index 12fb736..2591ace 100644
---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
-@@ -403,8 +403,7 @@ public abstract class EnrollProfile extends BasicProfile
- String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
- token = CryptoUtil.getCryptoToken(tokenName);
- 
-- // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length
-- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-+ byte[] iv = CryptoUtil.getNonceData(EncryptionAlgorithm.AES_128_CBC.getIVLength());
- IVParameterSpec ivps = new IVParameterSpec(iv);
- 
- PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
-@@ -466,6 +465,8 @@ public abstract class EnrollProfile extends BasicProfile
- 
- req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
- 
-+ req.setExtData("pop_encryptedDataIV", iv);
-+
- // now compute and 
set witness
- CMS.debug(method + "now compute and set witness");
- String hashName = CryptoUtil.getDefaultHashAlgName();
-@@ -1123,14 +1124,12 @@ public abstract class EnrollProfile extends BasicProfile
- return null;
- }
- 
-- // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
-- // This IV is supposed to be random
-- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-- IVParameterSpec default_iv = new IVParameterSpec(iv);
-+ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
-+ IVParameterSpec ivps = new IVParameterSpec(iv);
- 
- byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
- token,
-- default_iv,
-+ ivps,
- pop_encryptedData,
- symKey,
- EncryptionAlgorithm.AES_128_CBC);
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-index 8e47298..8d6c37f 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
-@@ -491,6 +491,7 @@ public class CMCOutputTemplate {
- //don't need this for encryptedPOP, but need to check for existence anyway
- byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
- byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
-+ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
- if ((pop_encryptedData != null) &&
- (pop_sysPubEncryptedSession != null) &&
- (pop_userPubEncryptedSession != null)) {
-@@ -517,11 +518,8 @@ public class CMCOutputTemplate {
- throw new EBaseException(method + msg);
- }
- 
-- // TODO(alee) The code below should be replaced by code that generates a random IV
-- byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
--
- OBJECT_IDENTIFIER oid = 
EncryptionAlgorithm.AES_128_CBC.toOID();
-- AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
-+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv));
- 
- encPop = new EncryptedPOP(
- tReq,
-@@ -532,7 +530,7 @@ public class CMCOutputTemplate {
- 
- } catch (Exception e) {
- CMS.debug(method + " excepton:" + e);
-- throw new EBaseException(method + " excepton:" + e);
-+ throw new EBaseException(method + " exception:" + e);
- }
- 
- } else {
---
-1.8.3.1
-
-
-From 698192f4f62c55142a557f6489ed2323e17401b0 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Tue, 30 May 2017 14:12:06 -0700
-Subject: [PATCH 11/14] Ticket #2619 Allow CA to process user-signed CMC
- revocation requests
-
-First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).
-
-One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.
-
-This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.
-
-On the client side:
-
-CMCRequest
-
-- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.
-
-- removed the revRequest.nickname parameter from the configuration. 
From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.
-
-- added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.
-
-CMCRevoke
-
-- The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.
-
-- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways;
-
-- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)
-
-- This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now.
-
-On the server side. 
-
-CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly.
-
-Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not.
-
-Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.
-
-The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well.
-
-Previously missed signing cert validation is also added for more complete check.
-Some SHA1 are turned into SHA2
-
-Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s). 
----
- base/common/src/com/netscape/certsrv/apps/CMS.java | 10 +
- .../src/com/netscape/certsrv/apps/ICMSEngine.java | 8 +
- .../com/netscape/certsrv/base/SessionContext.java | 5 +
- .../src/com/netscape/cmstools/CMCRequest.java | 251 ++++++++-----
- .../src/com/netscape/cmstools/CMCRevoke.java | 133 +++---
- .../com/netscape/cms/authentication/CMCAuth.java | 19 +-
- .../cms/authentication/CMCUserSignedAuth.java | 198 +++++-----
- .../netscape/cms/profile/common/EnrollProfile.java | 80 ++--
- .../cms/servlet/cert/CMCRevReqServlet.java | 4 +-
- .../com/netscape/cms/servlet/cert/ListCerts.java | 10 +-
- .../cms/servlet/common/CMCOutputTemplate.java | 407 +++++++++++++++------
- .../servlet/common/GenPendingTemplateFiller.java | 15 +-
- .../servlet/profile/ProfileSubmitCMCServlet.java | 12 +-
- .../src/com/netscape/cmscore/apps/CMSEngine.java | 33 ++
- .../netscape/cmscore/app/CMSEngineDefaultStub.java | 5 +
- base/util/src/com/netscape/cmsutil/util/Utils.java | 5 +
- 16 files changed, 769 insertions(+), 426 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
-index cc634cc..9df99ab 100644
---- a/base/common/src/com/netscape/certsrv/apps/CMS.java
-+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
-@@ -36,6 +36,7 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig;
- import org.mozilla.jss.CryptoManager.CertificateUsage;
- import org.mozilla.jss.util.PasswordCallback;
- 
-+import com.netscape.certsrv.authentication.ISharedToken;
- import com.netscape.certsrv.acls.EACLsException;
- import com.netscape.certsrv.acls.IACL;
- import com.netscape.certsrv.authentication.IAuthSubsystem;
-@@ -1575,6 +1576,15 @@ public final class CMS {
- }
- 
- /**
-+ * Retrieves the SharedToken class. 
-+ *
-+ * @return named SharedToken class
-+ */
-+ public static ISharedToken getSharedTokenClass(String configName) {
-+ return _engine.getSharedTokenClass(configName);
-+ }
-+
-+ /**
- * Puts a password entry into the single-sign on cache.
- *
- * @param tag password tag
-diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-index 3655b03..563b7c9 100644
---- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-@@ -38,6 +38,7 @@ import org.mozilla.jss.util.PasswordCallback;
- 
- import com.netscape.certsrv.acls.EACLsException;
- import com.netscape.certsrv.acls.IACL;
-+import com.netscape.certsrv.authentication.ISharedToken;
- import com.netscape.certsrv.authority.IAuthority;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IArgBlock;
-@@ -681,6 +682,13 @@ public interface ICMSEngine extends ISubsystem {
- public ILdapConnFactory getLdapAnonConnFactory(String id) throws ELdapException;
- 
- /**
-+ * Retrieves the named SharedToken class
-+ *
-+ * @return named shared token class
-+ */
-+ public ISharedToken getSharedTokenClass(String configName);
-+
-+ /**
- * Retrieves the password check. 
- *
- * @return default password checker
-diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java
-index 81debae..8bcb3c1 100644
---- a/base/common/src/com/netscape/certsrv/base/SessionContext.java
-+++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java
-@@ -53,6 +53,11 @@ public class SessionContext extends Hashtable {
- public static final String AUTH_MANAGER_ID = "authManagerId"; // String
- 
- /**
-+ * Principal name object of the signed CMC request
-+ */
-+ public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal";
-+
-+ /**
- * User object of the authenticated user in the current thread.
- */
- public static final String USER = "user"; // IUser
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-index 4adf22b..00e03a7 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-@@ -72,15 +72,14 @@ import org.mozilla.jss.pkix.cmc.GetCert;
- import org.mozilla.jss.pkix.cmc.IdentityProofV2;
- import org.mozilla.jss.pkix.cmc.LraPopWitness;
- import org.mozilla.jss.pkix.cmc.OtherInfo;
--import org.mozilla.jss.pkix.cmc.OtherMsg;
- import org.mozilla.jss.pkix.cmc.PKIData;
- import org.mozilla.jss.pkix.cmc.PendInfo;
- import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
- import org.mozilla.jss.pkix.cmc.ResponseBody;
-+import org.mozilla.jss.pkix.cmc.RevokeRequest;
- import org.mozilla.jss.pkix.cmc.TaggedAttribute;
- import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
- import org.mozilla.jss.pkix.cmc.TaggedRequest;
--import org.mozilla.jss.pkix.cmmf.RevRequest;
- import org.mozilla.jss.pkix.cms.ContentInfo;
- import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
- import org.mozilla.jss.pkix.cms.EncryptedContentInfo;
-@@ -374,14 +373,30 @@ public class CMCRequest {
- 
- /**
- * getCMCBlob create 
and return the enrollment request.
-- *
-+ * It now handles two types of data input:
-+ * - SignedData (which is for signed data)
-+ * - data (which is for unsigned data)
- * @return the CMC enrollment request encoded in base64
- *
- */
-- static ContentInfo getCMCBlob(SignedData req) {
-+ static ContentInfo getCMCBlob(SignedData signedData, byte[] data) {
- String method = "getCMCBlob: ";
- System.out.println(method + "begins");
-- ContentInfo fullEnrollmentReq = new ContentInfo(req);
-+ ContentInfo fullEnrollmentReq = null;
-+ if (signedData != null && data == null) {
-+ System.out.println("getCMCBlob: generating signed data");
-+ fullEnrollmentReq = new ContentInfo(signedData);
-+ } else if (data != null && signedData == null) {
-+ System.out.println("getCMCBlob: generating unsigned data");
-+ fullEnrollmentReq = new ContentInfo(data);
-+ } else if (signedData == null && data == null) {
-+ System.out.println("getCMCBlob: both params are null");
-+ System.exit(1);
-+ } else {
-+ System.out.println("getCMCBlob: both params are not null; only one of them can be used, the other must be null");
-+ System.exit(1);
-+ }
-+
- try {
- ByteArrayOutputStream bs = new ByteArrayOutputStream();
- PrintStream ps = new PrintStream(bs);
-@@ -768,29 +783,32 @@ public class CMCRequest {
- System.out.println("");
- System.out.println("#input: full path for the PKCS10 request or CRMF request,");
- System.out.println("#the content must be in Base-64 encoded format");
-- System.out.println("#Multiple files are supported. They must be separated by space.");
-+// System.out.println("#Multiple files are supported. 
They must be separated by space."); -+ System.out.println("# in case of revocation, input will be ignored"); - System.out.println("input=crmf.req"); - System.out.println(""); - System.out.println("#output: full path for the CMC request in binary format"); - System.out.println("output=cmc.req"); - System.out.println(""); -- System.out.println("#tokenname: name of token where agent signing cert can be found (default is internal)"); -+ System.out.println("#tokenname: name of token where user signing cert can be found (default is internal)"); - System.out.println("tokenname=internal"); - System.out.println(""); -- System.out.println("#nickname: nickname for agent certificate which will be used"); -- System.out.println("#to sign the CMC full request."); -+ System.out.println("#nickname: nickname for user certificate which will be used"); -+ System.out.println("#to sign the CMC full request (enrollment or revocation)."); -+ System.out.println(""); - System.out.println("#selfSign: if selfSign is true, the CMC request will be"); -- System.out.println("#signed with the pairing private key of the request;"); -+ System.out.println("#signed with the pairing private key of the enrollment request;"); - System.out.println("#and in which case the nickname will be ignored"); -- System.out.println("nickname=CMS Agent Certificate"); -+ System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored."); -+ System.out.println("nickname=CMS User Signing Certificate"); - System.out.println(""); - System.out.println("selfSign=false"); - System.out.println(""); - System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); - System.out.println("dbdir=./"); - System.out.println(""); -- System.out.println("#password: password for cert8.db which stores the agent"); -- System.out.println("#certificate"); -+ System.out.println("#password: password for cert8.db which stores the user signing"); -+ System.out.println("#certificate and keys"); - 
System.out.println("password=pass"); - System.out.println(""); - System.out.println("#format: request format, either pkcs10 or crmf"); -@@ -844,13 +862,19 @@ public class CMCRequest { - System.out.println("#control. Otherwise, false."); - System.out.println("revRequest.enable=false"); - System.out.println(""); -+/* - System.out.println("#revRequest.nickname: The nickname for the revoke certificate"); - System.out.println("revRequest.nickname=newuser's 102504a ID"); - System.out.println(""); -+*/ - System.out.println("#revRequest.issuer: The issuer name for the certificate being"); -- System.out.println("#revoked."); -+ System.out.println("#revoked. It only needs to be specified when the request is unsigned,;"); -+ System.out.println("#as in the case when sharedSecret is used;"); - System.out.println("revRequest.issuer=cn=Certificate Manager,c=us"); - System.out.println(""); -+ System.out.println("#revRequest.sharedSecret: The sharedSecret"); -+ System.out.println("revRequest.sharedSecret="); -+ System.out.println(""); - System.out.println("#revRequest.serial: The serial number for the certificate being"); - System.out.println("#revoked."); - System.out.println("revRequest.serial=61"); -@@ -861,9 +885,6 @@ public class CMCRequest { - System.out.println("# certificateHold, removeFromCRL"); - System.out.println("revRequest.reason=unspecified"); - System.out.println(""); -- System.out.println("#revRequest.sharedSecret: The sharedSecret"); -- System.out.println("revRequest.sharedSecret="); -- System.out.println(""); - System.out.println("#revRequest.comment: The human readable comment"); - System.out.println("revRequest.comment="); - System.out.println(""); -@@ -972,27 +993,27 @@ public class CMCRequest { - - private static ENUMERATED toCRLReason(String str) { - if (str.equalsIgnoreCase("unspecified")) { -- return RevRequest.unspecified; -+ return RevokeRequest.unspecified; - } else if (str.equalsIgnoreCase("keyCompromise")) { -- return RevRequest.keyCompromise; -+ 
return RevokeRequest.keyCompromise; - } else if (str.equalsIgnoreCase("caCompromise")) { -- return RevRequest.cACompromise; -+ return RevokeRequest.cACompromise; - } else if (str.equalsIgnoreCase("affiliationChanged")) { -- return RevRequest.affiliationChanged; -+ return RevokeRequest.affiliationChanged; - } else if (str.equalsIgnoreCase("superseded")) { -- return RevRequest.superseded; -+ return RevokeRequest.superseded; - } else if (str.equalsIgnoreCase("cessationOfOperation")) { -- return RevRequest.cessationOfOperation; -+ return RevokeRequest.cessationOfOperation; - } else if (str.equalsIgnoreCase("certificateHold")) { -- return RevRequest.certificateHold; -+ return RevokeRequest.certificateHold; - } else if (str.equalsIgnoreCase("removeFromCRL")) { -- return RevRequest.removeFromCRL; -+ return RevokeRequest.removeFromCRL; - } - - System.out.println("Unrecognized CRL reason"); - System.exit(1); - -- return RevRequest.unspecified; -+ return RevokeRequest.unspecified; - } - - /** -@@ -1119,42 +1140,84 @@ public class CMCRequest { - return bpid; - } - -- private static int addRevRequestAttr(int bpid, SEQUENCE seq, SEQUENCE otherMsgSeq, CryptoToken token, String tokenName, String nickname, -+ /* -+ * addRevRequestAttr adds the RevokeRequest control -+ * If sharedSecret exist, issuer name needs to be supplied; -+ * else signing cert is needed to extract issuerName -+ */ -+ private static int addRevRequestAttr(int bpid, SEQUENCE seq, -+ CryptoToken token, X509Certificate revokeSignCert, - String revRequestIssuer, String revRequestSerial, String revRequestReason, - String revRequestSharedSecret, String revRequestComment, String invalidityDatePresent, - CryptoManager manager) { -+ -+ String method = "addRevRequestAttr: "; - try { -- if (nickname.length() <= 0) { -- System.out.println("The nickname for the certificate being revoked is null"); -- System.exit(1); -- } -- String nickname1 = nickname; - UTF8String comment = null; - OCTET_STRING sharedSecret = null; - 
GeneralizedTime d = null; -- X500Name subjectname = new X500Name(revRequestIssuer); -+ X500Name issuerName = null; -+ -+ if ((revRequestSerial == null) || (revRequestSerial.length() <= 0)) { -+ System.out.println(method + "revocation serial number must be supplied"); -+ System.exit(1); -+ } -+ if ((revRequestReason == null) || (revRequestReason.length() <= 0)) { -+ System.out.println(method + "revocation reason must be supplied"); -+ System.exit(1); -+ } - INTEGER snumber = new INTEGER(revRequestSerial); - ENUMERATED reason = toCRLReason(revRequestReason); -- if (revRequestSharedSecret.length() > 0) -+ -+ if ((revRequestSharedSecret != null) && (revRequestSharedSecret.length() > 0)) { - sharedSecret = new OCTET_STRING(revRequestSharedSecret.getBytes()); -- if (revRequestComment.length() > 0) -+ // in case of sharedSecret, -+ // issuer name will have to be provided; -+ // revokeSignCert is ignored; -+ if (revRequestIssuer == null) { -+ System.out.println(method + "issuer name must be supplied when shared secret is used"); -+ System.exit(1); -+ } -+ issuerName = new X500Name(revRequestIssuer); -+ } else { // signing case; revokeSignCert is required -+ if (revokeSignCert == null) { -+ System.out.println(method + "revokeSignCert must be supplied in the signing case"); -+ System.exit(1); -+ } -+ } -+ -+ if (revRequestComment != null && revRequestComment.length() > 0) - comment = new UTF8String(revRequestComment); - if (invalidityDatePresent.equals("true")) - d = new GeneralizedTime(new Date()); -- RevRequest revRequest = -- new RevRequest(new ANY(subjectname.getEncoded()), snumber, -- reason, d, sharedSecret, comment); -- int revokeBpid = bpid; -+ -+ if (sharedSecret == null) { -+ System.out.println(method + "no sharedSecret found; request will be signed;"); -+ -+ // getting issuerName from revokeSignCert -+ byte[] certB = revokeSignCert.getEncoded(); -+ X509CertImpl impl = new X509CertImpl(certB); -+ issuerName = (X500Name) impl.getIssuerDN(); -+ } else { -+ 
System.out.println(method + "sharedSecret found; request will be unsigned;"); -+ } -+ -+ RevokeRequest revRequest = new RevokeRequest(new ANY(issuerName.getEncoded()), snumber, -+ reason, d, sharedSecret, comment); -+ - TaggedAttribute revRequestControl = new TaggedAttribute( - new INTEGER(bpid++), - OBJECT_IDENTIFIER.id_cmc_revokeRequest, revRequest); - seq.addElement(revRequestControl); -+ System.out.println(method + "RevokeRequest control created."); - -- if (sharedSecret != null) { -- System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1)); -- System.out.println(""); -- return bpid; -- } -+ return bpid; -+/* -+ * Constructing OtherMsg to include the SignerInfo makes no sense here -+ * as the outer layer SignedData would have SignerInfo. -+ * It is possibly done because the original code assumed a self-signed -+ * revocation request that is subsequently signed by an agent... -+ * which is not conforming to the RFC. - - EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( - OBJECT_IDENTIFIER.id_cct_PKIData, revRequestControl); -@@ -1241,6 +1304,7 @@ public class CMCRequest { - otherMsgSeq.addElement(otherMsg); - System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1)); - System.out.println(""); -+*/ - } catch (Exception e) { - System.out.println("Error in creating revRequest control. Check the parameters. 
Exception="+ e.toString()); - System.exit(1); -@@ -1346,9 +1410,9 @@ public class CMCRequest { - String salt = "lala123" + date.toString(); - - try { -- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); -+ MessageDigest SHA256Digest = MessageDigest.getInstance("SHA256"); - -- dig = SHA1Digest.digest(salt.getBytes()); -+ dig = SHA256Digest.digest(salt.getBytes()); - } catch (NoSuchAlgorithmException ex) { - dig = salt.getBytes(); - } -@@ -1825,7 +1889,6 @@ public class CMCRequest { - String dataReturnEnable = "false", dataReturnData = null; - String transactionMgtEnable = "false", transactionMgtId = null; - String senderNonceEnable = "false", senderNonce = null; -- String revCertNickname = ""; - String revRequestEnable = "false", revRequestIssuer = null, revRequestSerial = null; - String revRequestReason = null, revRequestSharedSecret = null, revRequestComment = null; - String revRequestInvalidityDatePresent = "false"; -@@ -1941,8 +2004,6 @@ public class CMCRequest { - revRequestComment = val; - } else if (name.equals("revRequest.invalidityDatePresent")) { - revRequestInvalidityDatePresent = val; -- } else if (name.equals("revRequest.nickname")) { -- revCertNickname = val; - } else if (name.equals("identification.enable")) { - identificationEnable = val; - } else if (name.equals("identification")) { -@@ -1985,7 +2046,8 @@ public class CMCRequest { - printUsage(); - } - -- if (!selfSign.equals("true") && nickname == null) { -+ if ((!selfSign.equals("true") && (revRequestSharedSecret == null)) -+ && nickname == null) { - System.out.println("Missing nickname."); - printUsage(); - } -@@ -2031,11 +2093,12 @@ public class CMCRequest { - certname.append(tokenName); - certname.append(":"); - } -- if (!selfSign.equals("true") && nickname != null) { -+ if ((!selfSign.equals("true") || (revRequestSharedSecret == null)) -+ && nickname != null) { - certname.append(nickname); - signerCert = cm.findCertByNickname(certname.toString()); - if (signerCert != null) { -- 
System.out.println("got signerCert: "+ certname.toString()); -+ System.out.println("got signerCert: " + certname.toString()); - } - } - -@@ -2065,6 +2128,7 @@ public class CMCRequest { - } - } - -+ boolean isSharedSecretRevoke = false; - if (decryptedPopEnable.equalsIgnoreCase("true")) { - if (encryptedPopResponseFile == null) { - System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified."); -@@ -2091,7 +2155,7 @@ public class CMCRequest { - } - } else { // !decryptedPopEnable - -- if (ifilename == null) { -+ if (!revRequestEnable.equalsIgnoreCase("true") && ifilename == null) { - System.out.println("Missing input filename for PKCS10 or CRMF."); - printUsage(); - } -@@ -2109,14 +2173,17 @@ public class CMCRequest { - } - } - -- StringTokenizer tokenizer = new StringTokenizer(ifilename, " "); -- String[] ifiles = new String[num]; -- for (int i = 0; i < num; i++) { -- String ss = tokenizer.nextToken(); -- ifiles[i] = ss; -- if (ss == null) { -- System.out.println("Missing input file for the request."); -- System.exit(1); -+ String[] ifiles = null; -+ if (revRequestEnable.equalsIgnoreCase("false")) { -+ StringTokenizer tokenizer = new StringTokenizer(ifilename, " "); -+ ifiles = new String[num]; -+ for (int i = 0; i < num; i++) { -+ String ss = tokenizer.nextToken(); -+ ifiles[i] = ss; -+ if (ss == null) { -+ System.out.println("Missing input file for the request."); -+ System.exit(1); -+ } - } - } - -@@ -2126,11 +2193,12 @@ public class CMCRequest { - } - - if (format == null) { -- System.out.println("Missing format."); -- printUsage(); -+ System.out.println("Missing format..assume revocation"); -+ //printUsage(); - } -+ - String[] requests = new String[num]; -- for (int i = 0; i < num; i++) { -+ for (int i = 0; i < num && revRequestEnable.equalsIgnoreCase("false") ; i++) { - BufferedReader inputBlob = null; - try { - inputBlob = new BufferedReader(new InputStreamReader( -@@ -2222,20 +2290,20 @@ public class CMCRequest { - - 
SEQUENCE otherMsgSeq = new SEQUENCE(); - if (revRequestEnable.equalsIgnoreCase("true")) { -- if (revRequestIssuer.length() == 0 || revRequestSerial.length() == 0 || -- revRequestReason.length() == 0) { -- System.out.println("Illegal parameters for revRequest control"); -- printUsage(); -- System.exit(1); -+ if ((revRequestSharedSecret!= null) -+ && (revRequestSharedSecret.length() > 0)) { -+ isSharedSecretRevoke = true; -+ //this will result in unsigned data - } - -- bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname, -+ bpid = addRevRequestAttr(bpid, controlSeq, token, signerCert, - revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret, - revRequestComment, revRequestInvalidityDatePresent, cm); -- } -+ pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE()); -+ } else { - -- // create the request PKIData -- pkidata = createPKIData( -+ // create the request PKIData -+ pkidata = createPKIData( - selfSign, - requests, - format, transactionMgtEnable, transactionMgtId, -@@ -2248,6 +2316,7 @@ public class CMCRequest { - popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg, - controlSeq, otherMsgSeq, bpid, - token, privk); -+ } - - if (pkidata == null) { - System.out.println("pkidata null after createPKIData(). Exiting with error"); -@@ -2255,22 +2324,30 @@ public class CMCRequest { - } - } - -- // sign the request -- SignedData signedData = null; -- if (selfSign.equalsIgnoreCase("true")) { -- // selfSign signs with private key -- System.out.println("selfSign is true..."); -- signedData = signData(privk, pkidata); -+ if (isSharedSecretRevoke) { -+ cmcblob = getCMCBlob(null, -+ ASN1Util.encode(pkidata)); - } else { -- // none selfSign signs with existing cert -- System.out.println("selfSign is false..."); -- signedData = signData(signerCert, tokenName, nickname, cm, pkidata); -- } -- if (signedData == null) { -- System.out.println("signData() returns null. 
Exiting with error"); -- System.exit(1); -+ -+ SignedData signedData = null; -+ -+ // sign the request -+ if (selfSign.equalsIgnoreCase("true")) { -+ // selfSign signs with private key -+ System.out.println("selfSign is true..."); -+ signedData = signData(privk, pkidata); -+ } else { -+ // none selfSign signs with existing cert -+ System.out.println("selfSign is false..."); -+ signedData = signData(signerCert, tokenName, nickname, cm, pkidata); -+ } -+ if (signedData == null) { -+ System.out.println("signData() returns null. Exiting with error"); -+ System.exit(1); -+ } -+ cmcblob = getCMCBlob(signedData, null); - } -- cmcblob = getCMCBlob(signedData); -+ - if (cmcblob == null) { - System.out.println("getCMCBlob() returns null. Exiting with error"); - System.exit(1); -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -index c2572e6..e46e883 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -@@ -75,6 +75,7 @@ public class CMCRevoke { - public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----"; - static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null, - pValue = null, cValue = null; -+ static String tValue = null; - - public static final String CMS_BASE_CA_SIGNINGCERT_NOT_FOUND = "CA signing certificate not found"; - public static final String PR_REQUEST_CMC = "CMC"; -@@ -109,8 +110,9 @@ public class CMCRevoke { - "-d

    " + - "-n " + - "-i " + -- "-s " + -+ "-s " + - "-m " + -+ "-t " + - "-p " + - "-h " + - "-c "); -@@ -135,6 +137,8 @@ public class CMCRevoke { - mValue = cleanArgs(s[i].substring(2)); - } else if (s[i].startsWith("-p")) { - pValue = cleanArgs(s[i].substring(2)); -+ } else if (s[i].startsWith("-t")) { -+ tValue = cleanArgs(s[i].substring(2)); - } else if (s[i].startsWith("-h")) { - hValue = cleanArgs(s[i].substring(2)); - } else if (s[i].startsWith("-c")) { -@@ -143,8 +147,6 @@ public class CMCRevoke { - - } - // optional parameters -- if (cValue == null) -- cValue = ""; - if (hValue == null) - hValue = ""; - -@@ -160,7 +162,7 @@ public class CMCRevoke { - "-d " + - "-n " + - "-i " + -- "-s " + -+ "-s " + - "-m " + - "-p " + - "-h " + -@@ -191,9 +193,9 @@ public class CMCRevoke { - - token.login(pass); - X509Certificate signerCert = getCertificate(cm, hValue, nValue); -- String outBlob = createRevokeReq(hValue, signerCert, cm); -+ ContentInfo fullEnrollmentRequest = createRevokeReq(hValue, signerCert, cm); - -- printCMCRevokeRequest(outBlob); -+ printCMCRevokeRequest(fullEnrollmentRequest); - } catch (Exception e) { - e.printStackTrace(); - System.exit(1); -@@ -209,29 +211,48 @@ public class CMCRevoke { - * - * @param asciiBASE64Blob the ascii string of the request - */ -- static void printCMCRevokeRequest(String asciiBASE64Blob) { -+ static void printCMCRevokeRequest(ContentInfo fullEnrollmentReq) { -+ String method = "printCMCRevokeRequest: "; - -- // (6) Finally, print the actual CMCSigning blob to the -+ ByteArrayOutputStream os = new ByteArrayOutputStream(); -+ ByteArrayOutputStream bs = new ByteArrayOutputStream(); -+ PrintStream ps = new PrintStream(bs); -+ -+ if (fullEnrollmentReq == null) { -+ System.out.println(method + "param fullEnrollmentRequest is null"); -+ System.exit(1); -+ } -+ // format is PR_REQUEST_CMC -+ try { -+ fullEnrollmentReq.encode(os); -+ } catch (IOException e) { -+ System.out.println("CMCSigning: I/O error " + -+ "encountered 
during write():\n" + -+ e); -+ System.exit(1); -+ } -+ //ps.print(Utils.base64encode(os.toByteArray())); -+ // no line breaks for ease of copy/paste for CA acceptance -+ System.out.println(RFC7468_HEADER); -+ ps.print(Utils.base64encodeSingleLine(os.toByteArray())); -+ ////fullEnrollmentReq.print(ps); // no header/trailer -+ -+ String asciiBASE64Blob = bs.toString(); -+ System.out.println(asciiBASE64Blob + "\n" + RFC7468_TRAILER); -+ -+ // (6) Finally, print the actual CMCSigning binary blob to the - // specified output file - FileOutputStream outputBlob = null; - - try { - outputBlob = new FileOutputStream("CMCRevoke.out"); -+ fullEnrollmentReq.encode(outputBlob); - } catch (IOException e) { - System.out.println("CMCSigning: unable to open file CMCRevoke.out for writing:\n" + e); - return; - } - -- System.out.println(RFC7468_HEADER); -- System.out.println(asciiBASE64Blob + RFC7468_TRAILER); -- try { -- asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER; -- outputBlob.write(asciiBASE64Blob.getBytes()); -- } catch (IOException e) { -- System.out.println("CMCSigning: I/O error " + -- "encountered during write():\n" + -- e); -- } -+ System.out.println("\nCMC revocation binary blob written to CMCRevoke.out\n"); - - try { - outputBlob.close(); -@@ -280,12 +301,11 @@ public class CMCRevoke { - * @param manager the crypto manger. 
- * @return the CMC revocation request encoded in base64 - */ -- static String createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) { -+ static ContentInfo createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) { - - java.security.PrivateKey privKey = null; - SignerIdentifier si = null; - ContentInfo fullEnrollmentReq = null; -- String asciiBASE64Blob = null; - - try { - -@@ -305,8 +325,8 @@ public class CMCRevoke { - - if (privKey == null) { - System.out.println("CMCRevoke::createRevokeReq() - " + -- "privKey is null!"); -- return ""; -+ "privKey is null!"); -+ return null; - } - - int bpid = 1; -@@ -319,65 +339,64 @@ public class CMCRevoke { - byte[] dig; - - try { -- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); -+ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256"); - -- dig = SHA1Digest.digest(salt.getBytes()); -+ dig = SHA2Digest.digest(salt.getBytes()); - } catch (NoSuchAlgorithmException ex) { - dig = salt.getBytes(); - } - String sn = Utils.base64encode(dig); - -- TaggedAttribute senderNonce = -- new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce, -- new OCTET_STRING(sn.getBytes())); -+ TaggedAttribute senderNonce = new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce, -+ new OCTET_STRING(sn.getBytes())); - - controlSeq.addElement(senderNonce); - - Name subjectName = new Name(); - - subjectName.addCommonName(iValue); -- org.mozilla.jss.pkix.cmmf.RevRequest lRevokeRequest = -- new org.mozilla.jss.pkix.cmmf.RevRequest(new ANY((new X500Name(iValue)).getEncoded()), -- new INTEGER(sValue), -- //org.mozilla.jss.pkix.cmmf.RevRequest.unspecified, -- new ENUMERATED((new Integer(mValue)).longValue()), -- null, -- new OCTET_STRING(pValue.getBytes()), -- new UTF8String(cValue.toCharArray())); -+ org.mozilla.jss.pkix.cmc.RevokeRequest lRevokeRequest = new org.mozilla.jss.pkix.cmc.RevokeRequest( -+ new ANY((new 
X500Name(iValue)).getEncoded()), -+ new INTEGER(sValue), -+ //org.mozilla.jss.pkix.cmc.RevokeRequest.unspecified, -+ new ENUMERATED((new Integer(mValue)).longValue()), -+ null, -+ (tValue != null) ? new OCTET_STRING(tValue.getBytes()) : null, -+ (cValue != null) ? new UTF8String(cValue.toCharArray()) : null); - //byte[] encoded = ASN1Util.encode(lRevokeRequest); -- //org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmmf.RevRequest.Template(); -- //org.mozilla.jss.pkix.cmmf.RevRequest revRequest = (org.mozilla.jss.pkix.cmmf.RevRequest) -+ //org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmc.RevokeRequest.Template(); -+ //org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest) - // template.decode(new java.io.ByteArrayInputStream( - // encoded)); - -- ByteArrayOutputStream os = new ByteArrayOutputStream(); -- //lRevokeRequest.encode(os); // khai -- TaggedAttribute revokeRequestTag = -- new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_revokeRequest, -- lRevokeRequest); -+ TaggedAttribute revokeRequestTag = new TaggedAttribute(new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_revokeRequest, -+ lRevokeRequest); - - controlSeq.addElement(revokeRequestTag); - PKIData pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE()); - - EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); -- // SHA1 is the default digest Alg for now. 
- DigestAlgorithm digestAlg = null; - SignatureAlgorithm signAlg = null; -- org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey).getType(); -+ org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey) -+ .getType(); - if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { -- signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; -+ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; - } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { -- signAlg = SignatureAlgorithm.ECSignatureWithSHA1Digest; -- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) { -- signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest; -+ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; -+ } else { -+ System.out.println("Algorithm not supported:" + -+ signingKeyType); -+ return null; - } - - MessageDigest SHADigest = null; - byte[] digest = null; - - try { -- SHADigest = MessageDigest.getInstance("SHA1"); -- digestAlg = DigestAlgorithm.SHA1; -+ SHADigest = MessageDigest.getInstance("SHA256"); -+ digestAlg = DigestAlgorithm.SHA256; - - ByteArrayOutputStream ostream = new ByteArrayOutputStream(); - -@@ -411,21 +430,11 @@ public class CMCRevoke { - - fullEnrollmentReq = new ContentInfo(req); - -- ByteArrayOutputStream bs = new ByteArrayOutputStream(); -- PrintStream ps = new PrintStream(bs); -- -- if (fullEnrollmentReq != null) { -- // format is PR_REQUEST_CMC -- fullEnrollmentReq.encode(os); -- ps.print(Utils.base64encode(os.toByteArray())); -- ////fullEnrollmentReq.print(ps); // no header/trailer -- } -- -- asciiBASE64Blob = bs.toString(); - } catch (Exception e) { - e.printStackTrace(); - System.exit(1); - } -- return asciiBASE64Blob; -+ -+ return fullEnrollmentReq; - } - } -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java 
b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -index b898353..9441167 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -@@ -237,6 +237,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - */ - public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials, - EBaseException { -+ String method = "CMCAuth: authenticate: "; -+ String msg = ""; -+ - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditReqType = ILogger.UNIDENTIFIED; -@@ -261,7 +264,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - } - String cmc = (String) returnVal; - if (cmc == null) { -- CMS.debug("CMCAuth: Authentication failed. Missing CMC."); -+ CMS.debug(method + "Authentication failed. Missing CMC."); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -279,8 +282,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - } - - if (cmc.equals("")) { -- log(ILogger.LL_FAILURE, -- "cmc : attempted login with empty CMC."); -+ msg = "attempted login with empty CMC"; -+ CMS.debug(method + msg); -+ log(ILogger.LL_FAILURE, method + msg); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( -@@ -331,6 +335,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - if (!cmcReq.getContentType().equals( - org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || - !cmcReq.hasContent()) { -+ CMS.debug(method + "malformed cmc: either not ContentInfo.SIGNED_DATA or cmcReq has no content"); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, -@@ -358,13 +363,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - if (checkSignerInfo) { - IAuthToken agentToken = 
verifySignerInfo(authToken, cmcFullReq); - if (agentToken == null) { -- CMS.debug("CMCAuth: authenticate() agentToken null"); -+ CMS.debug(method + "agentToken null"); - throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); - } - userid = agentToken.getInString("userid"); - uid = agentToken.getInString("cn"); - } else { -- CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed"); -+ CMS.debug(method + "signerInfo verification bypassed"); - } - // reset value of auditSignerInfo - if (uid != null) { -@@ -377,6 +382,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - - if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || - !ci.hasContent()) { -+ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; -+ CMS.debug( method + msg); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY, -@@ -406,6 +413,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - - if (numReqs == 0) { - // revocation request -+ CMS.debug(method + "numReqs 0, assume revocation request"); - - // reset value of auditReqType - auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE; -@@ -476,6 +484,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - } - } else { - // enrollment request -+ CMS.debug(method + "numReqs not 0, assume enrollment request"); - - // reset value of auditReqType - auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE; -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index a18c25e..2e4d6dc 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -29,9 +29,9 @@ import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import 
java.io.IOException; - import java.math.BigInteger; --import java.security.cert.CertificateExpiredException; - import java.security.MessageDigest; - import java.security.PublicKey; -+import java.security.cert.CertificateExpiredException; - import java.util.Enumeration; - import java.util.Hashtable; - import java.util.Locale; -@@ -323,85 +323,90 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob); - ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob); - -- org.mozilla.jss.pkix.cms.ContentInfo cmcReq = -- (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo -+ org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo - .getTemplate().decode( - cmcBlobIn); - -- if (!cmcReq.getContentType().equals( -- org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) || -- !cmcReq.hasContent()) { -- -- cmcBlobIn.close(); -- msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA"; -- CMS.debug(msg); -- throw new EBaseException(msg); -- } -- -- SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); -- - String userid = ILogger.UNIDENTIFIED; - String uid = ILogger.UNIDENTIFIED; - -- IConfigStore cmc_config = CMS.getConfigStore(); -- boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); -- if (checkSignerInfo) { -- // selfSigned will be set in verifySignerInfo if applicable -- IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); -- if (userToken == null) { -- msg = "userToken null; verifySignerInfo failure"; -- CMS.debug(method + msg); -- throw new EBaseException(msg); -- } else { -- if (selfSigned) { -- CMS.debug(method -- + " self-signed cmc request will not have user identification info at this point."); -- auditSignerInfo = "selfSigned"; -+ SignedData cmcFullReq = null; -+ OCTET_STRING content = null; -+ OBJECT_IDENTIFIER id = null; -+ 
org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = null; -+ if (cmcReq.getContentType().equals( -+ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) { -+ CMS.debug(method + "cmc request content is signed data"); -+ cmcFullReq = (SignedData) cmcReq.getInterpretedContent(); -+ -+ IConfigStore cmc_config = CMS.getConfigStore(); -+ boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true); -+ if (checkSignerInfo) { -+ // selfSigned will be set in verifySignerInfo if applicable -+ IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq); -+ if (userToken == null) { -+ msg = "userToken null; verifySignerInfo failure"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); - } else { -- CMS.debug(method + "signed with user cert"); -- userid = userToken.getInString("userid"); -- uid = userToken.getInString("cn"); -- if (userid == null && uid == null) { -- msg = " verifySignerInfo failure... missing userid and cn"; -- CMS.debug(method + msg); -- throw new EBaseException(msg); -- } -- // reset value of auditSignerInfo -- if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { -- CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); -- auditSignerInfo = uid.trim(); -- auditSubjectID = uid.trim(); -- authToken.set(IAuthToken.USER_ID, auditSubjectID); -- } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { -- CMS.debug(method + "setting auditSignerInfo to userid:" + userid); -- auditSignerInfo = userid.trim(); -- auditSubjectID = userid.trim(); -- authToken.set(IAuthToken.USER_ID, auditSubjectID); -+ if (selfSigned) { -+ CMS.debug(method -+ + " self-signed cmc request will not have user identification info at this point."); -+ auditSignerInfo = "selfSigned"; -+ } else { -+ CMS.debug(method + "signed with user cert"); -+ userid = userToken.getInString("userid"); -+ uid = userToken.getInString("cn"); -+ if (userid == null && uid == null) { -+ msg = " verifySignerInfo failure... 
missing userid and cn"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); -+ } -+ // reset value of auditSignerInfo -+ if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) { -+ CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim()); -+ auditSignerInfo = uid.trim(); -+ auditSubjectID = uid.trim(); -+ authToken.set(IAuthToken.USER_ID, auditSubjectID); -+ } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) { -+ CMS.debug(method + "setting auditSignerInfo to userid:" + userid); -+ auditSignerInfo = userid.trim(); -+ auditSubjectID = userid.trim(); -+ authToken.set(IAuthToken.USER_ID, auditSubjectID); -+ } - } - } -+ } else { -+ CMS.debug(method + " signerInfo verification bypassed"); - } -- } else { -- CMS.debug(method + " signerInfo verification bypassed"); -- } - -- EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -- SET sis = cmcFullReq.getSignerInfos(); -- // only one SignerInfo for selfSigned -- org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = -- (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); -+ EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -+ SET sis = cmcFullReq.getSignerInfos(); -+ // only one SignerInfo for selfSigned -+ selfsign_signerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0); - -- OBJECT_IDENTIFIER id = ci.getContentType(); -+ id = ci.getContentType(); - -- if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || -- !ci.hasContent()) { -- msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; -- CMS.debug(method + msg); -+ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) || -+ !ci.hasContent()) { -+ msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData"; -+ CMS.debug(method + msg); -+ -+ throw new EBaseException(msg); -+ } - -+ content = ci.getContent(); -+ } else if (cmcReq.getContentType().equals( //unsigned -+ org.mozilla.jss.pkix.cms.ContentInfo.DATA)) { -+ CMS.debug(method + "cmc request 
content is unsigned data...verifySignerInfo will not be called;"); -+ content = (OCTET_STRING) cmcReq.getInterpretedContent(); -+ } else { -+ cmcBlobIn.close(); -+ msg = "unsupported cmc rquest content type; must be either ContentInfo.SIGNED_DATA or ContentInfo.DATA;"; -+ CMS.debug(msg); - throw new EBaseException(msg); - } - -- OCTET_STRING content = ci.getContent(); -- - ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); - PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); - -@@ -426,7 +431,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - if (type.equals( - OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { -- /* TODO: user-signed revocation to be handled in next ticket -+ //further checks and actual revocation happen in CMCOutputTemplate -+ - // if( i ==1 ) { - // taggedAttribute.getType() == - // OBJECT_IDENTIFIER.id_cmc_revokeRequest -@@ -440,25 +446,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - for (int j = 0; j < numVals; j++) { - // serialNumber INTEGER - -- // SEQUENCE RevRequest = (SEQUENCE) -+ // SEQUENCE RevokeRequest = (SEQUENCE) - // values.elementAt(j); - byte[] encoded = ASN1Util.encode( - values.elementAt(j)); -- org.mozilla.jss.asn1.ASN1Template template = new -- org.mozilla.jss.pkix.cmmf.RevRequest.Template(); -- org.mozilla.jss.pkix.cmmf.RevRequest revRequest = -- (org.mozilla.jss.pkix.cmmf.RevRequest) -- ASN1Util.decode(template, encoded); -+ org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmc.RevokeRequest.Template(); -+ org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest) ASN1Util -+ .decode(template, encoded); - -- // SEQUENCE RevRequest = (SEQUENCE) -+ // SEQUENCE RevokeRequest = (SEQUENCE) - // ASN1Util.decode( - // SEQUENCE.getTemplate(), - // ASN1Util.encode( - // values.elementAt(j))); - -- // SEQUENCE RevRequest = -+ // SEQUENCE RevokeRequest = - // values.elementAt(j); -- 
// int revReqSize = RevRequest.size(); -+ // int revReqSize = RevokeRequest.size(); - // if( revReqSize > 3 ) { - // INTEGER serialNumber = - // new INTEGER((long)0); -@@ -473,13 +477,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - Integer IntObject = Integer.valueOf((int) reasonCode); - authToken.set(REASON_CODE, IntObject); - -- - //authToken.set("uid", uid); - //authToken.set("userid", userid); - - } -- */ -- - } - } - -@@ -648,8 +649,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - certInfoArray[i] = certInfo; - - if (selfSigned) { -- selfsign_skiExtn = -- (SubjectKeyIdentifierExtension) CryptoUtil -+ selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil - .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id); - if (selfsign_skiExtn != null) { - CMS.debug(method + -@@ -702,16 +702,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - throw new EInvalidCredentials(e.toString()); - } - -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, -- auditSubjectID, -- ILogger.SUCCESS, -- auditReqType, -- auditCertSubject, -- auditSignerInfo); -- -- audit(auditMessage); -+ // For accuracy, make sure revocation by shared secret doesn't -+ // log CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS -+ if (authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT) != null || -+ authToken.get(IAuthManager.CRED_CMC_SELF_SIGNED) != null) { -+ // store a message in the signed audit log file -+ auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, -+ auditSubjectID, -+ ILogger.SUCCESS, -+ auditReqType, -+ auditCertSubject, -+ auditSignerInfo); -+ -+ audit(auditMessage); -+ } else { -+ CMS.debug(method -+ + "audit event CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged due to unsigned data for revocation with shared secret."); -+ } - - 
CMS.debug(method + "ends successfully; returning authToken"); - return authToken; -@@ -1029,10 +1037,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - } else { - CMS.debug(method + "found signing cert... verifying"); - -- //capture auditSubjectID first in case of failure -- netscape.security.x509.X500Name tempPrincipal = -+ // capture auditSubjectID first in case of failure -+ netscape.security.x509.X500Name principal = - (X500Name) x509Certs[0].getSubjectDN(); -- CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); -+ -+ // capture signer principal to be checked against -+ // cert subject principal later in CMCOutputTemplate -+ // in case of user signed revocation -+ auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal); -+ CN = principal.getCommonName(); //tempToken.get("userid"); - CMS.debug(method + " Principal name = " + CN); - auditContext.put(SessionContext.USER_ID, CN); - -@@ -1093,15 +1106,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // now check revocation status of the cert - if (CMS.isRevoked(x509Certs)) { - CMS.debug(method + "CMC signing cert is a revoked certificate"); -+ s.close(); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - try { //do this again anyways - cert.checkValidity(); - } catch (CertificateExpiredException e) { - CMS.debug(method + "CMC signing cert is an expired certificate"); -+ s.close(); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } catch (Exception e) { - CMS.debug(method + e.toString()); -+ s.close(); - throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - } - -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 2591ace..74da8e7 100644 ---- 
a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -588,16 +588,25 @@ public abstract class EnrollProfile extends BasicProfile - try { - byte data[] = CMS.AtoB(creq); - ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data); -+ PKIData pkiData = null; - - org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo - .getTemplate().decode(cmcBlobIn); -- org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq -- .getInterpretedContent(); -- org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -- OCTET_STRING content = ci.getContent(); -- -+ OCTET_STRING content = null; -+ if (cmcReq.getContentType().equals( -+ org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) { -+ CMS.debug(method + "cmc request content is signed data"); -+ org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq -+ .getInterpretedContent(); -+ org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); -+ content = ci.getContent(); -+ -+ } else { // for unsigned revocation requests (using shared secret) -+ CMS.debug(method + "cmc request content is unsigned data"); -+ content = (OCTET_STRING) cmcReq.getInterpretedContent(); -+ } - ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); -- PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); -+ pkiData = (PKIData) (new PKIData.Template()).decode(s); - - mCMCData = pkiData; - //PKIData pkiData = (PKIData) -@@ -708,6 +717,8 @@ public abstract class EnrollProfile extends BasicProfile - byte randomSeed[] = null; - UTF8String ident_s = null; - SessionContext context = SessionContext.getContext(); -+ -+ boolean id_cmc_revokeRequest = false; - if (!context.containsKey("numOfControls")) { - CMS.debug(method + "numcontrols="+ 
numcontrols); - if (numcontrols > 0) { -@@ -735,7 +746,13 @@ public abstract class EnrollProfile extends BasicProfile - for (int i = 0; i < numcontrols; i++) { - attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); - OBJECT_IDENTIFIER oid = attributes[i].getType(); -- if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { -+ if (oid.equals(OBJECT_IDENTIFIER.id_cmc_revokeRequest)) { -+ id_cmc_revokeRequest = true; -+ // put in context for processing in -+ // CMCOutputTemplate.java later -+ context.put(OBJECT_IDENTIFIER.id_cmc_revokeRequest, -+ attributes[i]); -+ } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) { - CMS.debug(method + " id_cmc_decryptedPOP found"); - id_cmc_decryptedPOP = true; - decPopVals = attributes[i].getValues(); -@@ -766,6 +783,10 @@ public abstract class EnrollProfile extends BasicProfile - */ - CMS.debug(method + "processing controls..."); - -+ if (id_cmc_revokeRequest) { -+ CMS.debug(method + "revocation control"); -+ } -+ - if (id_cmc_identification) { - if (ident == null) { - msg = "id_cmc_identification contains null attribute value"; -@@ -801,7 +822,7 @@ public abstract class EnrollProfile extends BasicProfile - - // checking Proof Of Identity, if not pre-signed - -- if (donePOI) { -+ if (donePOI || id_cmc_revokeRequest) { - // for logging purposes - if (id_cmc_identityProofV2) { - CMS.debug(method -@@ -921,6 +942,7 @@ public abstract class EnrollProfile extends BasicProfile - SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence(); - int numOtherMsgs = otherMsgSeq.size(); - if (!context.containsKey("numOfOtherMsgs")) { -+ CMS.debug(method + "found numOfOtherMsgs: " + numOtherMsgs); - context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs)); - for (int i = 0; i < numOtherMsgs; i++) { - OtherMsg omsg = (OtherMsg) (ASN1Util.decode(OtherMsg.getTemplate(), -@@ -959,6 +981,8 @@ public abstract class EnrollProfile extends BasicProfile - boolean valid = true; - for (int i = 0; i < nummsgs; i++) { - msgs[i] = 
(TaggedRequest) reqSeq.elementAt(i); -+ if (id_cmc_revokeRequest) -+ continue; - if (popLinkWitnessRequired && - !context.containsKey("POPLinkWitnessV2") && - !context.containsKey("POPLinkWitness")) { -@@ -1271,7 +1295,7 @@ public abstract class EnrollProfile extends BasicProfile - boolean sharedSecretFound = true; - String configName = "cmc.sharedSecret.class"; - String sharedSecret = null; -- ISharedToken tokenClass = getSharedTokenClass(configName); -+ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); - if (tokenClass == null) { - CMS.debug(method + " Failed to retrieve shared secret plugin class"); - sharedSecretFound = false; -@@ -1498,40 +1522,6 @@ public abstract class EnrollProfile extends BasicProfile - return bpids; - } - -- -- ISharedToken getSharedTokenClass(String configName) { -- String method = "EnrollProfile: getSharedTokenClass: "; -- ISharedToken tokenClass = null; -- -- String name = null; -- try { -- CMS.debug(method + "getting :" + configName); -- name = CMS.getConfigStore().getString(configName); -- CMS.debug(method + "Shared Secret plugin class name retrieved:" + -- name); -- } catch (Exception e) { -- CMS.debug(method + " Failed to retrieve shared secret plugin class name"); -- return null; -- } -- -- try { -- tokenClass = (ISharedToken) Class.forName(name).newInstance(); -- CMS.debug(method + "Shared Secret plugin class retrieved"); -- } catch (ClassNotFoundException e) { -- CMS.debug(method + " Failed to find class name: " + name); -- return null; -- } catch (InstantiationException e) { -- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -- return null; -- } catch (IllegalAccessException e) { -- CMS.debug(method + " Illegal access: " + name); -- return null; -- } -- -- return tokenClass; -- } -- -- - /** - * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272 - * -@@ -1577,7 +1567,7 @@ public abstract class EnrollProfile extends BasicProfile - } - - String configName = "cmc.sharedSecret.class"; 
-- ISharedToken tokenClass = getSharedTokenClass(configName); -+ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); - - if (tokenClass == null) { - msg = " Failed to retrieve shared secret plugin class"; -@@ -1681,7 +1671,7 @@ public abstract class EnrollProfile extends BasicProfile - return false; - - String configName = "cmc.sharedSecret.class"; -- ISharedToken tokenClass = getSharedTokenClass(configName); -+ ISharedToken tokenClass = CMS.getSharedTokenClass(configName); - if (tokenClass == null) { - CMS.debug(method + " Failed to retrieve shared secret plugin class"); - return false; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -index 24ba494..a66cd95 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java -@@ -142,6 +142,8 @@ public class CMCRevReqServlet extends CMSServlet { - * @param cmsReq the object holding the request and response information - */ - protected void process(CMSRequest cmsReq) throws EBaseException { -+ String method = "CMCRevReqServlet: process: "; -+ CMS.debug(method + "begins"); - - String cmcAgentSerialNumber = null; - IArgBlock httpParams = cmsReq.getHttpParams(); -@@ -151,7 +153,7 @@ public class CMCRevReqServlet extends CMSServlet { - CMSTemplate form = null; - Locale[] locale = new Locale[1]; - -- CMS.debug("**** mFormPath = " + mFormPath); -+ CMS.debug(method + "**** mFormPath = " + mFormPath); - try { - form = getTemplate(mFormPath, req, locale); - } catch (IOException e) { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java -index 3794f10..01c4b6a 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java -@@ -461,11 
+461,11 @@ public class ListCerts extends CMSServlet { - ICertRecord rec = e.nextElement(); - - if (rec == null) { -- CMS.debug("ListCerts: * record " + count + " is null"); -+ //CMS.debug("ListCerts: * record " + count + " is null"); - break; - } - curSerial = rec.getSerialNumber(); -- CMS.debug("ListCerts: * record " + count + ": " + curSerial); -+ //CMS.debug("ListCerts: * record " + count + ": " + curSerial); - - if (count == 0) { - firstSerial = curSerial; -@@ -493,11 +493,11 @@ public class ListCerts extends CMSServlet { - } - - if (mReverse) { -- CMS.debug("ListCerts: returning with rcount: " + rcount); -+ //CMS.debug("ListCerts: returning with rcount: " + rcount); - recs[rcount++] = rec; - - } else { -- CMS.debug("ListCerts: returning with arg block"); -+ //CMS.debug("ListCerts: returning with arg block"); - IArgBlock rarg = CMS.createArgBlock(); - fillRecordIntoArg(rec, rarg); - argSet.addRepeatRecord(rarg); -@@ -514,7 +514,7 @@ public class ListCerts extends CMSServlet { - CMS.debug("ListCerts: fill records into arg block and argSet"); - for (int ii = rcount - 1; ii >= 0; ii--) { - if (recs[ii] != null) { -- CMS.debug("ListCerts: processing recs[" + ii + "]"); -+ //CMS.debug("ListCerts: processing recs[" + ii + "]"); - IArgBlock rarg = CMS.createArgBlock(); - // CMS.debug("item " + ii + " is serial #" + recs[ii].getSerialNumber()); - fillRecordIntoArg(recs[ii], rarg); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index 8d6c37f..067dce7 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -25,6 +25,7 @@ import java.math.BigInteger; - import java.security.MessageDigest; - import java.security.NoSuchAlgorithmException; - import java.security.PublicKey; -+import java.security.cert.CertificateExpiredException; - import 
java.util.Date; - import java.util.Hashtable; - -@@ -55,9 +56,9 @@ import org.mozilla.jss.pkix.cmc.OtherInfo; - import org.mozilla.jss.pkix.cmc.OtherMsg; - import org.mozilla.jss.pkix.cmc.PendInfo; - import org.mozilla.jss.pkix.cmc.ResponseBody; -+import org.mozilla.jss.pkix.cmc.RevokeRequest; - import org.mozilla.jss.pkix.cmc.TaggedAttribute; - import org.mozilla.jss.pkix.cmc.TaggedRequest; --import org.mozilla.jss.pkix.cmmf.RevRequest; - import org.mozilla.jss.pkix.cms.ContentInfo; - import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; - import org.mozilla.jss.pkix.cms.EnvelopedData; -@@ -76,8 +77,10 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IRequestQueue; -@@ -101,6 +104,8 @@ import netscape.security.x509.X509Key; - * @version $ $, $Date$ - */ - public class CMCOutputTemplate { -+ protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); -+ - public CMCOutputTemplate() { - } - -@@ -212,14 +217,12 @@ public class CMCOutputTemplate { - } - } - } else { -- CMS.debug(method + " reqs null. why?"); -+ CMS.debug(method + " reqs null. 
could be revocation"); - } - - TaggedAttribute tagattr = null; - CMCStatusInfo cmcStatusInfo = null; - --//cfu -- - SEQUENCE decryptedPOPBpids = (SEQUENCE) context.get("decryptedPOP"); - if (decryptedPOPBpids != null && decryptedPOPBpids.size() > 0) { - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, -@@ -880,8 +883,8 @@ public class CMCOutputTemplate { - String salt = "lala123" + date.toString(); - byte[] dig; - try { -- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); -- dig = SHA1Digest.digest(salt.getBytes()); -+ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256"); -+ dig = SHA2Digest.digest(salt.getBytes()); - } catch (NoSuchAlgorithmException ex) { - dig = salt.getBytes(); - } -@@ -920,22 +923,59 @@ public class CMCOutputTemplate { - private int processRevokeRequestControl(TaggedAttribute attr, - SEQUENCE controlSeq, int bpid) throws InvalidBERException, EBaseException, - IOException { -+ String method = "CMCOutputTemplate: processRevokeRequestControl: "; -+ String msg = ""; -+ CMS.debug(method + "begins"); - boolean revoke = false; - SessionContext context = SessionContext.getContext(); -+ String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); -+ if (authManagerId == null) { -+ CMS.debug(method + "authManagerId null.????"); -+ //unlikely, but... 
-+ authManagerId = "none"; -+ } else { -+ CMS.debug(method + "authManagerId =" + authManagerId); -+ } -+ -+ // in case of CMCUserSignedAuth, -+ // for matching signer and revoked cert principal -+ X500Name signerPrincipal = null; -+ -+ // for auditing -+ String auditRequesterID = null; -+ auditRequesterID = (String) context.get(SessionContext.USER_ID); -+ -+ if (auditRequesterID != null) { -+ auditRequesterID = auditRequesterID.trim(); -+ } else { -+ auditRequesterID = ILogger.NONROLEUSER; -+ } -+ signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); -+ String auditSubjectID = null; -+ String auditRequestType = "revoke"; -+ String auditSerialNumber = null; -+ String auditReasonNum = null; -+ RequestStatus auditApprovalStatus = RequestStatus.REJECTED; -+ - if (attr != null) { - INTEGER attrbpid = attr.getBodyPartID(); - CMCStatusInfo cmcStatusInfo = null; - SET vals = attr.getValues(); - if (vals.size() > 0) { -- RevRequest revRequest = -- (RevRequest) (ASN1Util.decode(new RevRequest.Template(), -- ASN1Util.encode(vals.elementAt(0)))); -- OCTET_STRING str = revRequest.getSharedSecret(); -+ RevokeRequest revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(), -+ ASN1Util.encode(vals.elementAt(0)))); -+ OCTET_STRING reqSecret = revRequest.getSharedSecret(); - INTEGER pid = attr.getBodyPartID(); - TaggedAttribute tagattr = null; - INTEGER revokeCertSerial = revRequest.getSerialNumber(); -+ ENUMERATED n = revRequest.getReason(); -+ RevocationReason reason = toRevocationReason(n); -+ auditReasonNum = reason.toString(); - BigInteger revokeSerial = new BigInteger(revokeCertSerial.toByteArray()); -- if (str == null) { -+ auditSerialNumber = revokeSerial.toString(); -+ -+ if (reqSecret == null) { -+ CMS.debug(method + "no shared secret in request; Checking signature;"); - boolean needVerify = true; - try { - needVerify = CMS.getConfigStore().getBoolean("cmc.revokeCert.verify", true); -@@ -943,67 +983,75 @@ public class 
CMCOutputTemplate { - } - - if (needVerify) { -- Integer num1 = (Integer) context.get("numOfOtherMsgs"); -- int num = num1.intValue(); -- for (int i = 0; i < num; i++) { -- OtherMsg data = (OtherMsg) context.get("otherMsg" + i); -- INTEGER dpid = data.getBodyPartID(); -- if (pid.longValue() == dpid.longValue()) { -- ANY msgValue = data.getOtherMsgValue(); -- SignedData msgData = -- (SignedData) msgValue.decodeWith(SignedData.getTemplate()); -- if (!verifyRevRequestSignature(msgData)) { -- OtherInfo otherInfo = -- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -- null); -- SEQUENCE failed_bpids = new SEQUENCE(); -- failed_bpids.addElement(attrbpid); -- cmcStatusInfo = -- new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, -- otherInfo); -- tagattr = new TaggedAttribute( -- new INTEGER(bpid++), -- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -- controlSeq.addElement(tagattr); -- return bpid; -+ if (authManagerId.equals("CMCUserSignedAuth")) { -+ if (signerPrincipal == null) { -+ CMS.debug(method + "missing CMC signer principal"); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, -+ new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -+ null); -+ SEQUENCE failed_bpids = new SEQUENCE(); -+ failed_bpids.addElement(attrbpid); -+ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, -+ otherInfo); -+ tagattr = new TaggedAttribute( -+ new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ controlSeq.addElement(tagattr); -+ return bpid; -+ } -+ } else { // !CMCUserSignedAuth -+ -+ // this code is making the assumption that OtherMsg -+ // is used for signer info in signed cmc revocation, -+ // when in fact the signer info is -+ // in the outer layer and should have already been -+ // verified in the auth manager; -+ // Left here for possible legacy client(s) -+ -+ Integer num1 = (Integer) context.get("numOfOtherMsgs"); -+ CMS.debug(method + "found numOfOtherMsgs =" + 
num1.toString()); -+ int num = num1.intValue(); -+ for (int i = 0; i < num; i++) { -+ OtherMsg data = (OtherMsg) context.get("otherMsg" + i); -+ INTEGER dpid = data.getBodyPartID(); -+ if (pid.longValue() == dpid.longValue()) { -+ CMS.debug(method + "body part id match;"); -+ ANY msgValue = data.getOtherMsgValue(); -+ SignedData msgData = (SignedData) msgValue.decodeWith(SignedData.getTemplate()); -+ if (!verifyRevRequestSignature(msgData)) { -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, -+ new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -+ null); -+ SEQUENCE failed_bpids = new SEQUENCE(); -+ failed_bpids.addElement(attrbpid); -+ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, -+ (String) null, -+ otherInfo); -+ tagattr = new TaggedAttribute( -+ new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ controlSeq.addElement(tagattr); -+ return bpid; -+ } -+ } else { -+ CMS.debug(method + "body part id do not match;"); - } - } - } - } - - revoke = true; -+ } else { //use shared secret; request unsigned -+ CMS.debug(method + "checking shared secret"); - // check shared secret -- } else { -- ISharedToken tokenClass = null; -- boolean sharedSecretFound = true; -- String name = null; -- try { -- name = CMS.getConfigStore().getString("cmc.revokeCert.sharedSecret.class"); -- } catch (EPropertyNotFound e) { -- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); -- sharedSecretFound = false; -- } catch (EBaseException e) { -- CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); -- sharedSecretFound = false; -- } -- -- try { -- tokenClass = (ISharedToken) Class.forName(name).newInstance(); -- } catch (ClassNotFoundException e) { -- CMS.debug("EnrollProfile: Failed to find class name: " + name); -- sharedSecretFound = false; -- } catch (InstantiationException e) { -- CMS.debug("EnrollProfile: Failed to instantiate class: " + name); -- sharedSecretFound = 
false; -- } catch (IllegalAccessException e) { -- CMS.debug("EnrollProfile: Illegal access: " + name); -- sharedSecretFound = false; -- } -- -- if (!sharedSecretFound) { -- CMS.debug("CMCOutputTemplate: class for shared secret was not found."); -- OtherInfo otherInfo = -- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null); -+ //TODO: remember to provide one-time-use when working -+ // on shared token -+ ISharedToken tokenClass = -+ CMS.getSharedTokenClass("cmc.revokeCert.sharedSecret.class"); -+ if (tokenClass == null) { -+ CMS.debug(method + " Failed to retrieve shared secret plugin class"); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), -+ null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); - cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -@@ -1014,15 +1062,13 @@ public class CMCOutputTemplate { - return bpid; - } - -- String sharedSecret = null; -- if (tokenClass != null) { -- sharedSecret = tokenClass.getSharedToken(revokeSerial); -- } -+ String sharedSecret = -+ sharedSecret = tokenClass.getSharedToken(revokeSerial); - - if (sharedSecret == null) { -- CMS.debug("CMCOutputTemplate: class for shared secret was not found."); -- OtherInfo otherInfo = -- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null); -+ CMS.debug("CMCOutputTemplate: shared secret not found."); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), -+ null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); - cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -@@ -1033,15 +1079,17 @@ public class CMCOutputTemplate { - return bpid; - } - -- byte[] strb = str.toByteArray(); -- String clientSC = new String(strb); -+ byte[] reqSecretb = reqSecret.toByteArray(); -+ String clientSC = new 
String(reqSecretb); - if (clientSC.equals(sharedSecret)) { -- CMS.debug("CMCOutputTemplate: Both client and server shared secret are the same, can go ahead to revoke certificate."); -+ CMS.debug(method -+ + " Client and server shared secret are the same, can go ahead and revoke certificate."); - revoke = true; - } else { -- CMS.debug("CMCOutputTemplate: Both client and server shared secret are not the same, cant revoke certificate."); -- OtherInfo otherInfo = -- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null); -+ CMS.debug(method -+ + " Client and server shared secret are not the same, cannot revoke certificate."); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -+ null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); - cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo); -@@ -1049,6 +1097,16 @@ public class CMCOutputTemplate { - new INTEGER(bpid++), - OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); - controlSeq.addElement(tagattr); -+ -+ audit(new CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequesterID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus)); -+ - return bpid; - } - } -@@ -1060,11 +1118,11 @@ public class CMCOutputTemplate { - try { - record = repository.readCertificateRecord(revokeSerial); - } catch (EBaseException ee) { -- CMS.debug("CMCOutputTemplate: Exception: " + ee.toString()); -+ CMS.debug(method + "Exception: " + ee.toString()); - } - - if (record == null) { -- CMS.debug("CMCOutputTemplate: The certificate is not found"); -+ CMS.debug(method + " The certificate is not found"); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -@@ -1088,11 +1146,46 @@ public class CMCOutputTemplate { 
- controlSeq.addElement(tagattr); - return bpid; - } -+ - X509CertImpl impl = record.getCertificate(); -+ -+ X500Name certPrincipal = (X500Name) impl.getSubjectDN(); -+ auditSubjectID = certPrincipal.getCommonName(); -+ -+ // in case of user-signed request, check if signer -+ // principal matches that of the revoking cert -+ if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { -+ if (!certPrincipal.equals(signerPrincipal)) { -+ msg = "certificate principal and signer do not match"; -+ CMS.debug(method + msg); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), -+ null); -+ SEQUENCE failed_bpids = new SEQUENCE(); -+ failed_bpids.addElement(attrbpid); -+ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, msg, -+ otherInfo); -+ tagattr = new TaggedAttribute( -+ new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo); -+ controlSeq.addElement(tagattr); -+ -+ audit(new CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditRequesterID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus)); -+ -+ return bpid; -+ } else { -+ CMS.debug(method + "certificate principal and signer match"); -+ } -+ } -+ - X509CertImpl[] impls = new X509CertImpl[1]; - impls[0] = impl; -- ENUMERATED n = revRequest.getReason(); -- RevocationReason reason = toRevocationReason(n); - CRLReasonExtension crlReasonExtn = new CRLReasonExtension(reason); - CRLExtensions entryExtn = new CRLExtensions(); - GeneralizedTime t = revRequest.getInvalidityDate(); -@@ -1105,8 +1198,8 @@ public class CMCOutputTemplate { - entryExtn.set(crlReasonExtn.getName(), crlReasonExtn); - } - -- RevokedCertImpl revCertImpl = -- new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(), entryExtn); -+ RevokedCertImpl revCertImpl = new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(), -+ entryExtn); - RevokedCertImpl[] revCertImpls = new 
RevokedCertImpl[1];
- revCertImpls[0] = revCertImpl;
- IRequestQueue queue = ca.getRequestQueue();
-@@ -1122,20 +1215,30 @@ public class CMCOutputTemplate {
- RequestStatus stat = revReq.getRequestStatus();
- if (stat == RequestStatus.COMPLETE) {
- Integer result = revReq.getExtDataInInteger(IRequest.RESULT);
-- CMS.debug("CMCOutputTemplate: revReq result = " + result);
-+ CMS.debug(method + " revReq result = " + result);
- if (result.equals(IRequest.RES_ERROR)) {
- CMS.debug("CMCOutputTemplate: revReq exception: " +
- revReq.getExtDataInString(IRequest.ERROR));
-- OtherInfo otherInfo =
-- new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), null);
-+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST),
-+ null);
- SEQUENCE failed_bpids = new SEQUENCE();
- failed_bpids.addElement(attrbpid);
-- cmcStatusInfo =
-- new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo);
-+ cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null,
-+ otherInfo);
- tagattr = new TaggedAttribute(
- new INTEGER(bpid++),
- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
- controlSeq.addElement(tagattr);
-+
-+ audit(new CertStatusChangeRequestProcessedEvent(
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ auditRequesterID,
-+ auditSerialNumber,
-+ auditRequestType,
-+ auditReasonNum,
-+ auditApprovalStatus));
-+
- return bpid;
- }
- }
-@@ -1148,7 +1251,7 @@ public class CMCOutputTemplate {
- impl.getSubjectDN(),
- impl.getSerialNumber().toString(16),
- reason.toString() });
-- CMS.debug("CMCOutputTemplate: Certificate get revoked.");
-+ CMS.debug(method + " Certificate revoked.");
- SEQUENCE success_bpids = new SEQUENCE();
- success_bpids.addElement(attrbpid);
- cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS,
-@@ -1157,6 +1260,16 @@ public class CMCOutputTemplate {
- new INTEGER(bpid++),
- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
- controlSeq.addElement(tagattr);
-+
-+ auditApprovalStatus = RequestStatus.COMPLETE;
-+ audit(new CertStatusChangeRequestProcessedEvent(
-+ auditSubjectID,
-+ ILogger.SUCCESS,
-+ auditRequesterID,
-+ auditSerialNumber,
-+ auditRequestType,
-+ auditReasonNum,
-+ auditApprovalStatus));
- return bpid;
- } else {
- OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null);
-@@ -1167,6 +1280,16 @@ public class CMCOutputTemplate {
- new INTEGER(bpid++),
- OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
- controlSeq.addElement(tagattr);
-+
-+ audit(new CertStatusChangeRequestProcessedEvent(
-+ auditSubjectID,
-+ ILogger.FAILURE,
-+ auditRequesterID,
-+ auditSerialNumber,
-+ auditRequestType,
-+ auditReasonNum,
-+ auditApprovalStatus));
-+
- return bpid;
- }
- }
-@@ -1175,54 +1298,81 @@ public class CMCOutputTemplate {
- return bpid;
- }
-
-+ protected void audit(AuditEvent event) {
-+
-+ String template = event.getMessage();
-+ Object[] params = event.getParameters();
-+
-+ String message = CMS.getLogMessage(template, params);
-+
-+ audit(message);
-+ }
-+
-+ protected void audit(String msg) {
-+ // in this case, do NOT strip preceding/trailing whitespace
-+ // from passed-in String parameters
-+
-+ if (mSignedAuditLogger == null) {
-+ return;
-+ }
-+
-+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
-+ null,
-+ ILogger.S_SIGNED_AUDIT,
-+ ILogger.LL_SECURITY,
-+ msg);
-+ }
-+
- private RevocationReason toRevocationReason(ENUMERATED n) {
- long code = n.getValue();
-- if (code == RevRequest.aACompromise.getValue())
-+ if (code == RevokeRequest.aACompromise.getValue())
- return RevocationReason.UNSPECIFIED;
-- else if (code == RevRequest.affiliationChanged.getValue())
-+ else if (code == RevokeRequest.affiliationChanged.getValue())
- return RevocationReason.AFFILIATION_CHANGED;
-- else if (code == RevRequest.cACompromise.getValue())
-+ else if (code == RevokeRequest.cACompromise.getValue())
- return RevocationReason.CA_COMPROMISE;
-- else if (code ==
RevRequest.certificateHold.getValue())
-+ else if (code == RevokeRequest.certificateHold.getValue())
- return RevocationReason.CERTIFICATE_HOLD;
-- else if (code == RevRequest.cessationOfOperation.getValue())
-+ else if (code == RevokeRequest.cessationOfOperation.getValue())
- return RevocationReason.CESSATION_OF_OPERATION;
-- else if (code == RevRequest.keyCompromise.getValue())
-+ else if (code == RevokeRequest.keyCompromise.getValue())
- return RevocationReason.KEY_COMPROMISE;
-- else if (code == RevRequest.privilegeWithdrawn.getValue())
-+ else if (code == RevokeRequest.privilegeWithdrawn.getValue())
- return RevocationReason.UNSPECIFIED;
-- else if (code == RevRequest.removeFromCRL.getValue())
-+ else if (code == RevokeRequest.removeFromCRL.getValue())
- return RevocationReason.REMOVE_FROM_CRL;
-- else if (code == RevRequest.superseded.getValue())
-+ else if (code == RevokeRequest.superseded.getValue())
- return RevocationReason.SUPERSEDED;
-- else if (code == RevRequest.unspecified.getValue())
-+ else if (code == RevokeRequest.unspecified.getValue())
- return RevocationReason.UNSPECIFIED;
- return RevocationReason.UNSPECIFIED;
- }
-
- private boolean verifyRevRequestSignature(SignedData msgData) {
-+ String method = "CMCOutputTemplate: verifyRevRequestSignature: ";
-+ CMS.debug(method + "begins");
- try {
- EncapsulatedContentInfo ci = msgData.getContentInfo();
- OCTET_STRING content = ci.getContent();
- ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
- TaggedAttribute tattr = (TaggedAttribute) (new TaggedAttribute.Template()).decode(s);
- SET values = tattr.getValues();
-- RevRequest revRequest = null;
-- if (values != null && values.size() > 0)
-- revRequest =
-- (RevRequest) (ASN1Util.decode(new RevRequest.Template(),
-- ASN1Util.encode(values.elementAt(0))));
-+ RevokeRequest revRequest = null;
-+ if (values != null && values.size() > 0) {
-+ revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(),
-+
ASN1Util.encode(values.elementAt(0))));
-+ } else {
-+ CMS.debug(method + "attribute null");
-+ return false;
-+ }
-
- SET dias = msgData.getDigestAlgorithmIdentifiers();
- int numDig = dias.size();
- Hashtable digs = new Hashtable();
- for (int i = 0; i < numDig; i++) {
-- AlgorithmIdentifier dai =
-- (AlgorithmIdentifier) dias.elementAt(i);
-- String name =
-- DigestAlgorithm.fromOID(dai.getOID()).toString();
-- MessageDigest md =
-- MessageDigest.getInstance(name);
-+ AlgorithmIdentifier dai = (AlgorithmIdentifier) dias.elementAt(i);
-+ String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
-+ MessageDigest md = MessageDigest.getInstance(name);
- byte[] digest = md.digest(content.toByteArray());
- digs.put(name, digest);
- }
-@@ -1230,8 +1380,7 @@ public class CMCOutputTemplate {
- SET sis = msgData.getSignerInfos();
- int numSis = sis.size();
- for (int i = 0; i < numSis; i++) {
-- org.mozilla.jss.pkix.cms.SignerInfo si =
-- (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
-+ org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
- String name = si.getDigestAlgorithm().toString();
- byte[] digest = digs.get(name);
- if (digest == null) {
-@@ -1242,17 +1391,15 @@ public class CMCOutputTemplate {
- }
- SignerIdentifier sid = si.getSignerIdentifier();
- if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
-- org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber =
-- sid.getIssuerAndSerialNumber();
-+ org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber = sid
-+ .getIssuerAndSerialNumber();
- java.security.cert.X509Certificate cert = null;
- if (msgData.hasCertificates()) {
- SET certs = msgData.getCertificates();
- int numCerts = certs.size();
- for (int j = 0; j < numCerts; j++) {
-- org.mozilla.jss.pkix.cert.Certificate certJss =
-- (Certificate) certs.elementAt(j);
-- org.mozilla.jss.pkix.cert.CertificateInfo certI =
-- certJss.getInfo();
-+
org.mozilla.jss.pkix.cert.Certificate certJss = (Certificate) certs.elementAt(j);
-+ org.mozilla.jss.pkix.cert.CertificateInfo certI = certJss.getInfo();
- Name issuer = certI.getIssuer();
- byte[] issuerB = ASN1Util.encode(issuer);
- INTEGER sn = certI.getSerialNumber();
-@@ -1268,11 +1415,33 @@ public class CMCOutputTemplate {
- }
-
- if (cert != null) {
-+ CMS.debug(method + "found cert");
- PublicKey pbKey = cert.getPublicKey();
- PK11PubKey pubK = PK11PubKey.fromSPKI(((X509Key) pbKey).getKey());
- si.verify(digest, ci.getContentType(), pubK);
-+
-+ // now check validity of the cert
-+ java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1];
-+ x509Certs[0] = cert;
-+ if (CMS.isRevoked(x509Certs)) {
-+ CMS.debug(method + "CMC signing cert is a revoked certificate");
-+ return false;
-+ }
-+ try {
-+ cert.checkValidity();
-+ } catch (CertificateExpiredException e) {
-+ CMS.debug(method + "CMC signing cert is an expired certificate");
-+ return false;
-+ } catch (Exception e) {
-+ return false;
-+ }
-+
- return true;
-+ } else {
-+ CMS.debug(method + "cert not found");
- }
-+ } else {
-+ CMS.debug(method + "unsupported SignerIdentifier for CMC revocation");
- }
- }
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
-index 83a2d8c..4578a98 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
-@@ -158,9 +158,9 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller {
- byte[] dig;
-
- try {
-- MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
-+ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256");
-
-- dig = SHA1Digest.digest(salt.getBytes());
-+ dig = SHA2Digest.digest(salt.getBytes());
- } catch (NoSuchAlgorithmException ex) {
- dig
= salt.getBytes(); - } -@@ -199,16 +199,15 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { - SignerIdentifier si = new - SignerIdentifier(SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null); - -- // SHA1 is the default digest Alg for now. - DigestAlgorithm digestAlg = null; - SignatureAlgorithm signAlg = null; - org.mozilla.jss.crypto.PrivateKey privKey = CryptoManager.getInstance().findPrivKeyByCert(x509cert); - org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType(); - - if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.RSA)) { -- signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; -- } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.DSA)) { -- signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest; -+ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest; -+ } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.EC)) { -+ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest; - } else { - CMS.debug("GenPendingTemplateFiller::getTemplateParams() - " - + "keyType " + keyType.toString() -@@ -220,8 +219,8 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller { - byte[] digest = null; - - try { -- SHADigest = MessageDigest.getInstance("SHA1"); -- digestAlg = DigestAlgorithm.SHA1; -+ SHADigest = MessageDigest.getInstance("SHA256"); -+ digestAlg = DigestAlgorithm.SHA256; - - ByteArrayOutputStream ostream = new ByteArrayOutputStream(); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 93039a4..330b5ff 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -413,7 +413,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - - setInputsIntoContext(request, profile, ctx); -- 
CMS.debug("ProfileSubmistServlet: set Inputs into Context");
-+ CMS.debug("ProfileSubmitCMCServlet: set Inputs into Context");
-
- // before creating the request, authenticate the request
-
-@@ -560,9 +560,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
- // In case of decryptedPOP, request already exists, find it and
- // put in provedReq.
- IRequest provedReq = null;
-+ boolean isRevoke = false;
- if (reqs == null) {
- // handling DecryptedPOP request here
- Integer reqID = (Integer) context.get("cmcDecryptedPopReqId");
-+ if (reqID == null) {
-+ CMS.debug("ProfileSubmitCMCServlet: revocation request");
-+ isRevoke = true;
-+ } else {
- provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString()));
- if (provedReq == null) {
-
-@@ -584,6 +589,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
- } else {
- CMS.debug("ProfileSubmitCMCServlet: provedReq not null");
- }
-+ }
- }
-
- String errorCode = null;
-@@ -592,7 +598,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
- ///////////////////////////////////////////////
- // populate request
- ///////////////////////////////////////////////
-- for (int k = 0; (provedReq == null) &&(k < reqs.length); k++) {
-+ for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) {
- // adding parameters to request
- setInputsIntoRequest(request, profile, reqs[k]);
-
-@@ -712,7 +718,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
- if (reqs != null && reqs.length > 0)
- error_codes = new int[reqs.length];
-
-- for (int k = 0; (provedReq == null) && (k < reqs.length); k++) {
-+ for (int k = 0; (!isRevoke) && (provedReq == null) && (k < reqs.length); k++) {
- try {
- // reset the "auditRequesterID"
- auditRequesterID = auditRequesterID(reqs[k]);
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-index 94a0783..b111f71 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -62,6 +62,7 @@ import org.mozilla.jss.util.PasswordCallback;
- import org.w3c.dom.Element;
- import org.w3c.dom.NodeList;
-
-+import com.netscape.certsrv.authentication.ISharedToken;
- import com.netscape.certsrv.acls.ACL;
- import com.netscape.certsrv.acls.ACLEntry;
- import com.netscape.certsrv.acls.EACLsException;
-@@ -1912,6 +1913,38 @@ public class CMSEngine implements ICMSEngine {
- }
- }
-
-+ public ISharedToken getSharedTokenClass(String configName) {
-+ String method = "CMSEngine: getSharedTokenClass: ";
-+ ISharedToken tokenClass = null;
-+
-+ String name = null;
-+ try {
-+ CMS.debug(method + "getting :" + configName);
-+ name = CMS.getConfigStore().getString(configName);
-+ CMS.debug(method + "Shared Secret plugin class name retrieved:" +
-+ name);
-+ } catch (Exception e) {
-+ CMS.debug(method + " Failed to retrieve shared secret plugin class name");
-+ return null;
-+ }
-+
-+ try {
-+ tokenClass = (ISharedToken) Class.forName(name).newInstance();
-+ CMS.debug(method + "Shared Secret plugin class retrieved");
-+ } catch (ClassNotFoundException e) {
-+ CMS.debug(method + " Failed to find class name: " + name);
-+ return null;
-+ } catch (InstantiationException e) {
-+ CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
-+ return null;
-+ } catch (IllegalAccessException e) {
-+ CMS.debug(method + " Illegal access: " + name);
-+ return null;
-+ }
-+
-+ return tokenClass;
-+ }
-+
- public ILogger getLogger() {
- return Logger.getLogger();
- }
-diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-index dd28adb..b314dac 100644
---- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-@@ -23,6 +23,7 @@ import
com.netscape.certsrv.acls.EACLsException;
- import com.netscape.certsrv.acls.IACL;
- import com.netscape.certsrv.apps.ICMSEngine;
- import com.netscape.certsrv.apps.ICommandQueue;
-+import com.netscape.certsrv.authentication.ISharedToken;
- import com.netscape.certsrv.authority.IAuthority;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IArgBlock;
-@@ -370,6 +371,10 @@ public class CMSEngineDefaultStub implements ICMSEngine {
- return null;
- }
-
-+ public ISharedToken getSharedTokenClass(String configName) {
-+ return null;
-+ }
-+
- public void putPasswordCache(String tag, String pw) {
- }
-
-diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java
-index 98becdc..933432d 100644
---- a/base/util/src/com/netscape/cmsutil/util/Utils.java
-+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java
-@@ -285,6 +285,11 @@ public class Utils {
- return string;
- }
-
-+ public static String base64encodeSingleLine(byte[] bytes) {
-+ String string = new Base64().encodeToString(bytes);
-+ return string;
-+ }
-+
- public static byte[] base64decode(String string) {
- byte[] bytes = Base64.decodeBase64(string);
- return bytes;
---
-1.8.3.1
-
-
-From 4328b770f8cbbb4c85919bc50201dff2e230dcc3 Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Thu, 8 Jun 2017 21:14:00 -0400
-Subject: [PATCH 12/14] Add possible keywrap algorithms to usage
-
-Added possible key wrap algorithms to the CRMFPopClient
-usage statement to make it clear what options are available.
- -Part of BZ #1458047 - -Change-Id: Ie49ec9cd9bbb5c112668469f701363b967695ef3 ---- - base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 25de2dd..0aaec28 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -228,6 +228,8 @@ public class CRMFPopClient { - System.out.println(" - POP_SUCCESS: with valid POP"); - System.out.println(" - POP_FAIL: with invalid POP (for testing)"); - System.out.println(" -w Algorithm to use for key wrapping"); -+ System.out.println(" - default: \"AES KeyWrap/Padding\""); -+ System.out.println(" - \"AES/CBC/PKCS5Padding\""); - System.out.println(" -b PEM transport certificate (default: transport.txt)"); - System.out.println(" -v, --verbose Run in verbose mode."); - System.out.println(" --help Show help message."); --- -1.8.3.1 - - -From 9edd684fef78845acee95a766f34a9c57a1ab604 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 8 Jun 2017 22:08:01 -0400 -Subject: [PATCH 13/14] Add one more possible keywrap algorithm to usage - -Added one more key wrap algorithms to the CRMFPopClient -usage statement. 
- -Part of BZ #1458047 - -Change-Id: Ic52410a6a23f850944a6b96385b26a9bba12b51a ---- - base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index 0aaec28..66453c3 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -230,6 +230,7 @@ public class CRMFPopClient { - System.out.println(" -w Algorithm to use for key wrapping"); - System.out.println(" - default: \"AES KeyWrap/Padding\""); - System.out.println(" - \"AES/CBC/PKCS5Padding\""); -+ System.out.println(" - \"DES3/CBC/Pad\""); - System.out.println(" -b PEM transport certificate (default: transport.txt)"); - System.out.println(" -v, --verbose Run in verbose mode."); - System.out.println(" --help Show help message."); --- -1.8.3.1 - - -From 53564487e46040a9115fba51c8403ecacb50187e Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 8 Jun 2017 14:25:23 +1000 -Subject: [PATCH 14/14] KRA PKCS #12 export: add config to use 3DES PBE - encryption - -Restore the 3DES PKCS #12 key recovery code path, alongside the new -AES variant, which is broken on Thales nethsm. Add the -'kra.legacyPKCS12' config for selecting which version to use, with -the default value of 'true' (i.e., use 3DES). 
- -Part of: https://pagure.io/dogtagpki/issue/2728 - -Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360 ---- - base/kra/src/com/netscape/kra/RecoveryService.java | 43 ++++++++++++++++------ - 1 file changed, 32 insertions(+), 11 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index eee800a..023eb80 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -487,19 +487,40 @@ public class RecoveryService implements IService { - PasswordConverter passConverter = new - PasswordConverter(); - -- byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( -- /* NSS has a bug that causes any AES CBC encryption -- * to use AES-256, but AlgorithmID contains chosen -- * alg. To avoid mismatch, use AES_256_CBC. */ -- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); -- CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); -- if (epkiBytes == null) { -- CMS.debug("RecoverService: createPFX() epkiBytes null"); -- throw new EBaseException("getEncryptedPrivateKeyInfo returned null"); -+ boolean legacyP12 = -+ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true); -+ -+ ASN1Value key; -+ if (legacyP12) { -+ Random ran = new SecureRandom(); -+ byte[] salt = new byte[20]; -+ ran.nextBytes(salt); -+ -+ key = EncryptedPrivateKeyInfo.createPBE( -+ PBEAlgorithm.PBE_SHA1_DES3_CBC, -+ pass, salt, 1, passConverter, priKey, ct); -+ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned"); -+ if (key == null) { -+ CMS.debug("RecoverService: createPFX() key null"); -+ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed"); -+ } else { -+ CMS.debug("RecoverService: createPFX() key not null"); -+ } - } else { -- CMS.debug("RecoverService: createPFX() epkiBytes not null"); -+ byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( -+ 
/* NSS has a bug that causes any AES CBC encryption
-+ * to use AES-256, but AlgorithmID contains chosen
-+ * alg. To avoid mismatch, use AES_256_CBC. */
-+ passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
-+ CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
-+ if (epkiBytes == null) {
-+ CMS.debug("RecoverService: createPFX() epkiBytes null");
-+ throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
-+ } else {
-+ CMS.debug("RecoverService: createPFX() epkiBytes not null");
-+ }
-+ key = new ANY(epkiBytes);
- }
-- ASN1Value key = new ANY(epkiBytes);
-
- SET keyAttrs = createBagAttrs(
- x509cert.getSubjectDN().toString(),
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch b/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch
deleted file mode 100644
index 78c3b8a..0000000
--- a/SOURCES/pki-core-subsystem-cert-update-CLI-cert-option.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From c5312d0b44b5f58ba5b92aba85b89e405213e8a8 Mon Sep 17 00:00:00 2001 -From: Dinesh Prasanth M K -Date: Fri, 23 Jun 2017 15:57:29 -0400 -Subject: [PATCH] Patch for "pki-server subsystem-cert-update" command - -Currently, the --cert option has not been implemented for -`pki-server subsystem-cert-update` command. The --cert takes -certificate name that needs to be added to the NSS database -and replaces the existing certificate (if exists) in the -database - -https://pagure.io/dogtagpki/issue/2756 - -Change-Id: If8be9edd55a673230f86e213fc803be365e55a92 -(cherry picked from commit d762073c4b5bcd4f9f30e3b8439983a497a77c97) ---- - base/server/python/pki/server/cli/subsystem.py | 29 +++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index 10af8ca..a9857ba 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -741,6 +741,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' -v, --verbose Run in verbose mode.') - print(' --help Show help message.') -+ print(' --cert New certificate to be added') - print() - - def execute(self, argv): -@@ -748,7 +749,8 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - try: - opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', -- 'verbose', 'help']) -+ 'verbose', 'help', -+ 'cert=']) - - except getopt.GetoptError as e: - print('ERROR: ' + str(e)) -@@ -756,6 +758,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - sys.exit(1) - - instance_name = 'pki-tomcat' -+ cert_file = None - - for o, a in opts: - if o in ('-i', '--instance'): -@@ -768,6 +771,9 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): - self.usage() - sys.exit() - -+ elif o == '--cert': -+ cert_file = a -+ - else: - print('ERROR: unknown option ' + o) - self.usage() -@@ -807,6 +813,27 @@ class 
SubsystemCertUpdateCLI(pki.cli.CLI):
-
- token = subsystem_cert['token']
- nssdb = instance.open_nssdb(token)
-+
-+ if cert_file:
-+ if not os.path.isfile(cert_file):
-+ print('ERROR: %s certificate does not exist.' % cert_file)
-+ self.usage()
-+ sys.exit(1)
-+
-+ data = nssdb.get_cert(
-+ nickname=subsystem_cert['nickname'],
-+ output_format='base64')
-+
-+ if data:
-+ if self.verbose:
-+ print('Removing old %s certificate from database.' % subsystem_cert['nickname'])
-+ nssdb.remove_cert(nickname=subsystem_cert['nickname'])
-+ if self.verbose:
-+ print('Adding new %s certificate into database.' % subsystem_cert['nickname'])
-+ nssdb.add_cert(
-+ nickname=subsystem_cert['nickname'],
-+ cert_file=cert_file)
-+
- data = nssdb.get_cert(
- nickname=subsystem_cert['nickname'],
- output_format='base64')
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch b/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch
deleted file mode 100644
index 0417ac6..0000000
--- a/SOURCES/pki-core-system-cert-CMC-enroll-profile.patch
+++ /dev/null
@@ -1,1132 +0,0 @@ -From f10ba33f3d6f9cbd31831d0fb571e15b818e9990 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 26 Jun 2017 18:09:55 -0700 -Subject: [PATCH] Ticket #2757 CMC enrollment profiles for system certificates - -This patch supports CMC-based system certificate requests. - -This patch contains the following: -* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert -* The cmc-based system enrollment profiles: -caCMCauditSigningCert.cfg -caCMCcaCert.cfg -caCMCkraStorageCert.cfg -caCMCkraTransportCert.cfg -caCMCocspCert.cfg -caCMCserverCert.cfg -caCMCsubsystemCert.cfg -* new URI's in web.xml as new access points - -Usage example can be found here: -http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 - -(cherry picked from commit 65b1242cd139e6306fb3e039193a3a6b223ea9b1) ---- - base/ca/shared/conf/CS.cfg | 20 ++- - .../shared/profiles/ca/caCMCauditSigningCert.cfg | 80 +++++++++ - base/ca/shared/profiles/ca/caCMCcaCert.cfg | 96 ++++++++++ - base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 86 +++++++++ - .../shared/profiles/ca/caCMCkraTransportCert.cfg | 86 +++++++++ - base/ca/shared/profiles/ca/caCMCocspCert.cfg | 71 ++++++++ - base/ca/shared/profiles/ca/caCMCserverCert.cfg | 90 ++++++++++ - base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 86 +++++++++ - base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 4 +- - .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- - base/ca/shared/webapps/ca/WEB-INF/web.xml | 196 +++++++++++++++++++++ - .../src/com/netscape/cmstools/CMCRequest.java | 2 +- - .../com/netscape/cms/authentication/CMCAuth.java | 48 ++++- - .../cms/authentication/CMCUserSignedAuth.java | 2 + - .../netscape/cms/profile/common/EnrollProfile.java | 12 ++ - .../servlet/profile/ProfileSubmitCMCServlet.java | 2 +- - 16 files changed, 872 insertions(+), 11 deletions(-) - create mode 100644 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg - 
create mode 100644 base/ca/shared/profiles/ca/caCMCcaCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caCMCocspCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caCMCserverCert.cfg - create mode 100644 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 5a244d7..8976575 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 - oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension - oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 - os.userid=nobody --profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,
caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment -+profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment - profile.caUUIDdeviceCert.class_id=caEnrollImpl - profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg - profile.caManualRenewal.class_id=caEnrollImpl -@@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl - profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg - profile.caRAserverCert.class_id=caEnrollImpl - 
profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg -+profile.caCMCUserCert.class_id=caEnrollImpl -+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg -+profile.caCMCauditSigningCert.class_id=caEnrollImpl -+profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg -+profile.caCMCcaCert.class_id=caEnrollImpl -+profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg -+profile.caCMCkraStorageCert.class_id=caEnrollImpl -+profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg -+profile.caCMCkraTransportCert.class_id=caEnrollImpl -+profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg -+profile.caCMCocspCert.class_id=caEnrollImpl -+profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg -+profile.caCMCserverCert.class_id=caEnrollImpl -+profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg -+profile.caCMCsubsystemCert.class_id=caEnrollImpl -+profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg - profile.caCACert.class_id=caEnrollImpl - profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg - profile.caInstallCACert.class_id=caEnrollImpl - profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg --profile.caCMCUserCert.class_id=caEnrollImpl --profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg - profile.caCrossSignedCACert.class_id=caEnrollImpl - profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg - 
profile.caDirBasedDualCert.class_id=caEnrollImpl -diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -new file mode 100644 -index 0000000..ed5a1b2 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -@@ -0,0 +1,80 @@ -+desc=This certificate profile is for enrolling audit signing certificates using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Audit Signing Certificate Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=auditSigningCertSet -+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9 -+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint -+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.* -+policyset.auditSigningCertSet.1.constraint.params.accept=true -+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.auditSigningCertSet.1.default.name=Subject Name Default -+policyset.auditSigningCertSet.1.default.params.name= -+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint -+policyset.auditSigningCertSet.2.constraint.params.range=720 -+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false -+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false -+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl -+policyset.auditSigningCertSet.2.default.name=Validity Default -+policyset.auditSigningCertSet.2.default.params.range=720 -+policyset.auditSigningCertSet.2.default.params.startTime=0 -+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl 
-+policyset.auditSigningCertSet.3.constraint.name=Key Constraint -+policyset.auditSigningCertSet.3.constraint.params.keyType=RSA -+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.auditSigningCertSet.3.default.name=Key Default -+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl -+policyset.auditSigningCertSet.4.constraint.name=No Constraint -+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default -+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl -+policyset.auditSigningCertSet.5.constraint.name=No Constraint -+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.auditSigningCertSet.5.default.name=AIA Extension Default -+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false -+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true -+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false -+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false 
-+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.auditSigningCertSet.6.default.name=Key Usage Default -+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true -+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false -+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl -+policyset.auditSigningCertSet.9.constraint.name=No Constraint -+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl -+policyset.auditSigningCertSet.9.default.name=Signing Alg -+policyset.auditSigningCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -new file mode 100644 -index 0000000..f6df36f ---- /dev/null 
-+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -@@ -0,0 +1,96 @@ -+desc=This certificate profile is for enrolling Certificate Authority certificates using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Certificate Manager Signing Certificate Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=caCertSet -+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10 -+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.caCertSet.1.constraint.name=Subject Name Constraint -+policyset.caCertSet.1.constraint.params.pattern=CN=.* -+policyset.caCertSet.1.constraint.params.accept=true -+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.caCertSet.1.default.name=Subject Name Default -+policyset.caCertSet.1.default.params.name= -+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.caCertSet.2.constraint.name=Validity Constraint -+policyset.caCertSet.2.constraint.params.range=7305 -+policyset.caCertSet.2.constraint.params.notBeforeCheck=false -+policyset.caCertSet.2.constraint.params.notAfterCheck=false -+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl -+policyset.caCertSet.2.default.name=CA Certificate Validity Default -+policyset.caCertSet.2.default.params.range=7305 -+policyset.caCertSet.2.default.params.startTime=0 -+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.caCertSet.3.constraint.name=Key Constraint -+policyset.caCertSet.3.constraint.params.keyType=- -+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.caCertSet.3.default.name=Key Default -+policyset.caCertSet.4.constraint.class_id=noConstraintImpl 
-+policyset.caCertSet.4.constraint.name=No Constraint -+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.caCertSet.4.default.name=Authority Key Identifier Default -+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl -+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint -+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true -+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true -+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1 -+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1 -+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl -+policyset.caCertSet.5.default.name=Basic Constraints Extension Default -+policyset.caCertSet.5.default.params.basicConstraintsCritical=true -+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true -+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1 -+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.caCertSet.6.constraint.params.keyUsageCritical=true -+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false -+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true -+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true -+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.caCertSet.6.default.name=Key Usage Default -+policyset.caCertSet.6.default.params.keyUsageCritical=true 
-+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true -+policyset.caCertSet.6.default.params.keyUsageCrlSign=true -+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.caCertSet.8.constraint.class_id=noConstraintImpl -+policyset.caCertSet.8.constraint.name=No Constraint -+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl -+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default -+policyset.caCertSet.8.default.params.critical=false -+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl -+policyset.caCertSet.9.constraint.name=No Constraint -+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl -+policyset.caCertSet.9.default.name=Signing Alg -+policyset.caCertSet.9.default.params.signingAlg=- -+policyset.caCertSet.10.constraint.class_id=noConstraintImpl -+policyset.caCertSet.10.constraint.name=No Constraint -+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl -+policyset.caCertSet.10.default.name=AIA Extension Default -+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true -+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName -+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0= -+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 
-+policyset.caCertSet.10.default.params.authInfoAccessCritical=false -+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1 -diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -new file mode 100644 -index 0000000..259430b ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -@@ -0,0 +1,86 @@ -+desc=This certificate profile is for enrolling KRA storage certificates using CMC -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=KRA storage Certificate Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=drmStorageCertSet -+policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9 -+policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint -+policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.* -+policyset.drmStorageCertSet.1.constraint.params.accept=true -+policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.drmStorageCertSet.1.default.name=Subject Name Default -+policyset.drmStorageCertSet.1.default.params.name= -+policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.drmStorageCertSet.2.constraint.name=Validity Constraint -+policyset.drmStorageCertSet.2.constraint.params.range=720 -+policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false -+policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false -+policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl -+policyset.drmStorageCertSet.2.default.name=Validity Default -+policyset.drmStorageCertSet.2.default.params.range=720 -+policyset.drmStorageCertSet.2.default.params.startTime=0 
-+policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.drmStorageCertSet.3.constraint.name=Key Constraint -+policyset.drmStorageCertSet.3.constraint.params.keyType=RSA -+policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.drmStorageCertSet.3.default.name=Key Default -+policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl -+policyset.drmStorageCertSet.4.constraint.name=No Constraint -+policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default -+policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl -+policyset.drmStorageCertSet.5.constraint.name=No Constraint -+policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.drmStorageCertSet.5.default.name=AIA Extension Default -+policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false -+policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true -+policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true 
-+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.drmStorageCertSet.6.default.name=Key Usage Default -+policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true -+policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true -+policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false -+policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl -+policyset.drmStorageCertSet.7.constraint.name=No Constraint -+policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false -+policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl -+policyset.drmStorageCertSet.9.constraint.name=No Constraint 
-+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl -+policyset.drmStorageCertSet.9.default.name=Signing Alg -+policyset.drmStorageCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -new file mode 100644 -index 0000000..ec54f9c ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -@@ -0,0 +1,86 @@ -+desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Key Archival Authority Transport Certificate Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=transportCertSet -+policyset.transportCertSet.list=1,2,3,4,5,6,7,8 -+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.transportCertSet.1.constraint.name=Subject Name Constraint -+policyset.transportCertSet.1.constraint.params.pattern=CN=.* -+policyset.transportCertSet.1.constraint.params.accept=true -+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.transportCertSet.1.default.name=Subject Name Default -+policyset.transportCertSet.1.default.params.name= -+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.transportCertSet.2.constraint.name=Validity Constraint -+policyset.transportCertSet.2.constraint.params.range=720 -+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false -+policyset.transportCertSet.2.constraint.params.notAfterCheck=false 
-+policyset.transportCertSet.2.default.class_id=validityDefaultImpl -+policyset.transportCertSet.2.default.name=Validity Default -+policyset.transportCertSet.2.default.params.range=720 -+policyset.transportCertSet.2.default.params.startTime=0 -+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.transportCertSet.3.constraint.name=Key Constraint -+policyset.transportCertSet.3.constraint.params.keyType=RSA -+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.transportCertSet.3.default.name=Key Default -+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl -+policyset.transportCertSet.4.constraint.name=No Constraint -+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.transportCertSet.4.default.name=Authority Key Identifier Default -+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl -+policyset.transportCertSet.5.constraint.name=No Constraint -+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.transportCertSet.5.default.name=AIA Extension Default -+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false -+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true -+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true 
-+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true -+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.transportCertSet.6.default.name=Key Usage Default -+policyset.transportCertSet.6.default.params.keyUsageCritical=true -+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true -+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false -+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl -+policyset.transportCertSet.7.constraint.name=No Constraint -+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false -+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl 
-+policyset.transportCertSet.8.constraint.name=No Constraint -+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.transportCertSet.8.default.name=Signing Alg -+policyset.transportCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -new file mode 100644 -index 0000000..8afbd46 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -@@ -0,0 +1,71 @@ -+desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=OCSP Responder Signing Certificate Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=ocspCertSet -+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9 -+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint -+policyset.ocspCertSet.1.constraint.params.pattern=CN=.* -+policyset.ocspCertSet.1.constraint.params.accept=true -+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.ocspCertSet.1.default.name=Subject Name Default -+policyset.ocspCertSet.1.default.params.name= -+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.ocspCertSet.2.constraint.name=Validity Constraint -+policyset.ocspCertSet.2.constraint.params.range=720 -+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false -+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false 
-+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
-+policyset.ocspCertSet.2.default.name=Validity Default
-+policyset.ocspCertSet.2.default.params.range=720
-+policyset.ocspCertSet.2.default.params.startTime=0
-+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.ocspCertSet.3.constraint.name=Key Constraint
-+policyset.ocspCertSet.3.constraint.params.keyType=-
-+policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.ocspCertSet.3.default.name=Key Default
-+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.ocspCertSet.4.constraint.name=No Constraint
-+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
-+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.ocspCertSet.5.constraint.name=No Constraint
-+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.ocspCertSet.5.default.name=AIA Extension Default
-+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
-+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
-+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
-+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
-+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
-+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
-+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
-+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
-+policyset.ocspCertSet.8.constraint.name=No Constraint
-+policyset.ocspCertSet.8.constraint.params.extCritical=false
-+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
-+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
-+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
-+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
-+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
-+policyset.ocspCertSet.9.constraint.name=No Constraint
-+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
-+policyset.ocspCertSet.9.default.name=Signing Alg
-+policyset.ocspCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
-new file mode 100644
-index 0000000..8215d65
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
-@@ -0,0 +1,90 @@
-+desc=This certificate profile is for enrolling server certificates using CMC.
-+visible=false
-+enable=true
-+enableBy=admin
-+auth.instance_id=CMCAuth
-+authz.acl=group="Certificate Manager Agents"
-+name=Server Certificate Enrollment using CMC
-+input.list=i1,i2
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=serverCertSet
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
-+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
-+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
-+policyset.serverCertSet.1.constraint.params.accept=true
-+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.serverCertSet.1.default.name=Subject Name Default
-+policyset.serverCertSet.1.default.params.name=
-+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.serverCertSet.2.constraint.name=Validity Constraint
-+policyset.serverCertSet.2.constraint.params.range=720
-+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
-+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
-+policyset.serverCertSet.2.default.name=Validity Default
-+policyset.serverCertSet.2.default.params.range=720
-+policyset.serverCertSet.2.default.params.startTime=0
-+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.serverCertSet.3.constraint.name=Key Constraint
-+policyset.serverCertSet.3.constraint.params.keyType=-
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.serverCertSet.3.default.name=Key Default
-+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.4.constraint.name=No Constraint
-+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
-+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.5.constraint.name=No Constraint
-+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.serverCertSet.5.default.name=AIA Extension Default
-+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.serverCertSet.6.default.name=Key Usage Default
-+policyset.serverCertSet.6.default.params.keyUsageCritical=true
-+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
-+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
-+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.7.constraint.name=No Constraint
-+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
-+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.serverCertSet.8.constraint.name=No Constraint
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.serverCertSet.8.default.name=Signing Alg
-+policyset.serverCertSet.8.default.params.signingAlg=-
-+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.9.constraint.name=No Constraint
-+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.9.default.name=copy CN to SAN Default
-diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
-new file mode 100644
-index 0000000..f473f98
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
-@@ -0,0 +1,86 @@
-+desc=This certificate profile is for enrolling subsystem certificates using CMC.
-+visible=false
-+enable=true
-+enableBy=admin
-+auth.instance_id=CMCAuth
-+authz.acl=group="Certificate Manager Agents"
-+name=Subsystem Certificate Enrollment using CMC
-+input.list=i1,i2
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=serverCertSet
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
-+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-+policyset.serverCertSet.1.constraint.params.accept=true
-+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.serverCertSet.1.default.name=Subject Name Default
-+policyset.serverCertSet.1.default.params.name=
-+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.serverCertSet.2.constraint.name=Validity Constraint
-+policyset.serverCertSet.2.constraint.params.range=720
-+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
-+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
-+policyset.serverCertSet.2.default.name=Validity Default
-+policyset.serverCertSet.2.default.params.range=720
-+policyset.serverCertSet.2.default.params.startTime=0
-+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.serverCertSet.3.constraint.name=Key Constraint
-+policyset.serverCertSet.3.constraint.params.keyType=-
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.serverCertSet.3.default.name=Key Default
-+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.4.constraint.name=No Constraint
-+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
-+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.5.constraint.name=No Constraint
-+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.serverCertSet.5.default.name=AIA Extension Default
-+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.serverCertSet.6.default.name=Key Usage Default
-+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -index 29baeed..90cb424 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -@@ -1,7 +1,7 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate 
request with CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication. - enable=true - enableBy=admin --name=Signed CMC-Authenticated User Certificate Enrollment -+name=Agent-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCAuth - input.list=i1,i2 -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -index 63a4bca..7bfad9c 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -1,4 +1,4 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. - enable=true - enableBy=admin - name=User-Signed CMC-Authenticated User Certificate Enrollment -diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml -index a550142..2666049 100644 ---- a/base/ca/shared/webapps/ca/WEB-INF/web.xml -+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml -@@ -1553,6 +1553,167 @@ - - - -+ caProfileSubmitCMCFullCACert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCcaCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullServerCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCserverCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ 
templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullOCSPCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCocspCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullSubsystemCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCsubsystemCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullAuditSigningCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCauditSigningCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullKRATransportCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCkraTransportCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ certServer.ee.profile -+ interface -+ ee -+ -+ -+ -+ caProfileSubmitCMCFullKRAstorageCert -+ com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet -+ GetClientCert -+ false -+ cert_request_type -+ cmc -+ profileId -+ caCMCkraStorageCert -+ AuthzMgr -+ BasicAclAuthz -+ authorityId -+ ca -+ ID -+ caProfileSubmitCMCFull -+ templatePath -+ /ee/ca/ProfileSubmit.template -+ resourceID -+ 
certServer.ee.profile -+ interface -+ ee -+ -+ -+ - caProfileSubmitUserSignedCMCFull - com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet - GetClientCert -@@ -2303,6 +2464,41 @@ - - - -+ caProfileSubmitCMCFullCACert -+ /ee/ca/profileSubmitCMCFullCACert -+ -+ -+ -+ caProfileSubmitCMCFullServerCert -+ /ee/ca/profileSubmitCMCFullServerCert -+ -+ -+ -+ caProfileSubmitCMCFullOCSPCert -+ /ee/ca/profileSubmitCMCFullOCSPCert -+ -+ -+ -+ caProfileSubmitCMCFullSubsystemCert -+ /ee/ca/profileSubmitCMCFullSubsystemCert -+ -+ -+ -+ caProfileSubmitCMCFullAuditSigningCert -+ /ee/ca/profileSubmitCMCFullAuditSigningCert -+ -+ -+ -+ caProfileSubmitCMCFullKRATransportCert -+ /ee/ca/profileSubmitCMCFullKRAtransportCert -+ -+ -+ -+ caProfileSubmitCMCFullKRAstorageCert -+ /ee/ca/profileSubmitCMCFullKRAstorageCert -+ -+ -+ - caProfileSubmitUserSignedCMCFull - /ee/ca/profileSubmitUserSignedCMCFull - -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index fd59aa1..9fcb8db 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -2393,7 +2393,7 @@ public class CMCRequest { - System.out.println(""); - System.out.println(""); - System.out.println("The CMC enrollment request in binary format is stored in " + -- ofilename + "."); -+ ofilename); - } catch (IOException e) { - System.out.println("CMCRequest: unable to open file " + ofilename + - " for writing:\n" + e); -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -index 9441167..459c7c6 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; - import 
java.math.BigInteger; -+import java.security.cert.X509Certificate; - import java.security.MessageDigest; - import java.security.PublicKey; - import java.util.Enumeration; -@@ -246,6 +247,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - String auditCertSubject = ILogger.UNIDENTIFIED; - String auditSignerInfo = ILogger.UNIDENTIFIED; - -+ SessionContext auditContext = SessionContext.getExistingContext(); -+ X509Certificate clientCert = -+ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); -+ - // ensure that any low-level exceptions are reported - // to the signed audit log and stored as failures - try { -@@ -361,7 +366,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - String userid = "defUser"; - String uid = "defUser"; - if (checkSignerInfo) { -- IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); -+ IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq); - if (agentToken == null) { - CMS.debug(method + "agentToken null"); - throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); -@@ -812,8 +817,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - level, "CMC Authentication: " + msg); - } - -- protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { -- -+ protected IAuthToken verifySignerInfo( -+ SessionContext auditContext, -+ AuthToken authToken, -+ SignedData cmcFullReq) throws EBaseException { -+ String method = "CMCAuth: verifySignerInfo: "; -+ String msg = ""; - EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); - OBJECT_IDENTIFIER id = ci.getContentType(); - OCTET_STRING content = ci.getContent(); -@@ -822,6 +831,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - CryptoToken signToken = null; - CryptoToken savedToken = null; - CryptoManager cm = null; -+ -+ if (auditContext == null) { -+ CMS.debug(method + " auditConext can't be null"); -+ 
return null; -+ } - try { - cm = CryptoManager.getInstance(); - ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); -@@ -909,6 +923,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - si.verify(digest, id); - } else { - CMS.debug("CMCAuth: found signing cert... verifying"); -+ -+ X509Certificate clientCert = -+ (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); -+ if (clientCert == null) { -+ // createAuditSubjectFromCert(auditContext, x509Certs[0]); -+ msg = "missing SSL client authentication certificate;"; -+ CMS.debug(method + msg); -+ s.close(); -+ throw new EMissingCredential( -+ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); -+ } -+ netscape.security.x509.X500Name clientPrincipal = -+ (X500Name) clientCert.getSubjectDN(); -+ -+ netscape.security.x509.X500Name cmcPrincipal = -+ (X500Name) x509Certs[0].getSubjectDN(); -+ -+ // check ssl client cert against cmc signer -+ if (!clientPrincipal.equals(cmcPrincipal)) { -+ msg = "SSL client authentication certificate and CMC signer do not match"; -+ CMS.debug(method + msg); -+ s.close(); -+ throw new EInvalidCredentials( -+ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); -+ } else { -+ CMS.debug(method + "ssl client cert principal and cmc signer principal match"); -+ } -+ - PublicKey signKey = cert.getPublicKey(); - PrivateKey.Type keyType = null; - String alg = signKey.getAlgorithm(); -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index 6c3ee8f..e11a344 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - s.close(); - throw new EInvalidCredentials( - 
CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); -+ } else { -+ CMS.debug(method + "ssl client cert principal and cmc signer principal match"); - } - - PublicKey signKey = cert.getPublicKey(); -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 8f3e986..1356035 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile - if (signingUserSerial != null) { - donePOI = true; - } -+ - // catch for invalid request - cmc_msgs = parseCMC(locale, cert_request, donePOI); - if (cmc_msgs == null) { -@@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile - byte randomSeed[] = null; - UTF8String ident_s = null; - SessionContext context = SessionContext.getContext(); -+ String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); -+ if (authManagerId == null) { -+ CMS.debug(method + "authManagerId null.????"); -+ //unlikely, but... 
-+ authManagerId = "none";
-+ } else {
-+ CMS.debug(method + "authManagerId =" + authManagerId);
-+ }
-+ if(authManagerId.equals("CMCAuth")) {
-+ donePOI = true;
-+ }
- 
- boolean id_cmc_revokeRequest = false;
- if (!context.containsKey("numOfControls")) {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
-index d087162..f7a6470 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
-@@ -496,7 +496,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
- ///////////////////////////////////////////////
- String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
- if (tmpCertSerialS != null) {
-- // unlikely to happenm, but do this just in case
-+ // unlikely to happen, but do this just in case
- CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
- CMS.debug("ProfileSubmitCMCServlet: null it out");
- ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
--- 
-1.8.3.1
- 
diff --git a/SOURCES/pki-core-tps-externalReg-regression.patch b/SOURCES/pki-core-tps-externalReg-regression.patch
deleted file mode 100644
index 1b727ba..0000000
--- a/SOURCES/pki-core-tps-externalReg-regression.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 47fccfaa32bf327c56c5789f373e4d18c714556f Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Fri, 10 Nov 2017 15:55:36 -0800
-Subject: [PATCH] ReFix for #2824 TPS new configuration to allow the protocol
- of the to determine applet loaded.
- 
-The problem discovered was that in only the external registration case, there was a problem obtaining the protocol
-information for the token being enrolled. This simple fix makes sure the protocol info is obtained correctly for external
-reg and non external reg enrollment cases.
- 
-Change-Id: Iccd40adbdafd5e94e04cbb8c391bd2706e483a1f
-(cherry picked from commit e48374cd8a744fad5a03f64e8685ec3b3c465553)
-(cherry picked from commit 3718b369598c3ecfdb6733c25b08e4b51042423f)
----
- .../src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
- 
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index 4ec277e..03d6532 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -33,8 +33,6 @@ import java.util.List;
- import java.util.Map;
- import java.util.Set;
- 
--import netscape.security.x509.RevocationReason;
--
- import org.dogtagpki.server.tps.TPSSession;
- import org.dogtagpki.server.tps.TPSSubsystem;
- import org.dogtagpki.server.tps.authentication.AuthUIParameter;
-@@ -102,6 +100,8 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
- import com.netscape.cmsutil.crypto.CryptoUtil;
- import com.netscape.symkey.SessionKey;
- 
-+import netscape.security.x509.RevocationReason;
-+
- public class TPSProcessor {
- 
- public static final int RESULT_NO_ERROR = 0;
-@@ -556,8 +556,10 @@ public class TPSProcessor {
- CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData");
- }
- 
-- // We already do this when checking for applet upgrade earlier.
-- //acquireChannelPlatformAndProtocolInfo();
-+ // Do this on behalf of external reg, which needs it
-+ // If already called, the routine will return anyway.
-+
-+ acquireChannelPlatformAndProtocolInfo();
- 
- TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData);
- 
--- 
-1.8.3.1
- 
diff --git a/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch b/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch
deleted file mode 100644
index accac88..0000000
--- a/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch
+++ /dev/null
@@ -1,429 +0,0 @@ -From d3f50c6a77b164cc876192ab95639ad913f33deb Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 20 Jul 2017 17:50:38 -0700 -Subject: [PATCH] Ticket #1665 (code realignment) Certificate Revocation - Reasons not being updated in some cases This patch makes sure that when a - token is temporarily lost (certs on_hold), its certs are properly revoked - when moving to other revocation reasons when marked damaged or permanently - lost. In addition, on the CA side, this patch to some degree mimics the - original request for transitions from SUPERSEDED to KEY_COMPROMISED, although - in the current TPS that is prohibited. Also, the original requested code - skipped over informing CRLIssuingPoints, while in this patch, that is not - skipped as the revocation reason has changed it should be updated; Time - stamp in the cert record is also updated, which is different from the - original requested code. Development tests were conducted on currently - allowed TPS token state transitions only. 
- -Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168 -(cherry picked from commit 36213c8b614775feadfebef54db034e1155d33c7) -(cherry picked from commit 34aabcc5fb21f35d96f76fc5b822959f26aacf42) ---- - base/ca/src/com/netscape/ca/CAService.java | 58 +++++++++++++++++-- - .../netscape/certsrv/dbs/certdb/ICertRecord.java | 9 +++ - .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 51 +++++++++++++---- - base/server/cmsbundle/src/LogMessages.properties | 2 + - base/server/cmsbundle/src/UserMessages.properties | 1 + - .../src/com/netscape/cmscore/dbs/CertRecord.java | 65 +++++++++++++++------- - .../cmscore/dbs/CertificateRepository.java | 32 ++++++----- - 7 files changed, 166 insertions(+), 52 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index c9eacfe..7cc6a31 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -980,8 +980,28 @@ public class CAService implements ICAService, IService { - BigInteger serialno = crlentry.getSerialNumber(); - Date revdate = crlentry.getRevocationDate(); - CRLExtensions crlentryexts = crlentry.getExtensions(); -+ String msg = ""; - - CMS.debug("CAService.revokeCert: revokeCert begins"); -+ -+ // Get the revocation reason -+ Enumeration enum1 = crlentryexts.getElements(); -+ RevocationReason revReason = null; -+ while (enum1.hasMoreElements()) { -+ Extension ext = (Extension) enum1.nextElement(); -+ if (ext instanceof CRLReasonExtension) { -+ revReason = ((CRLReasonExtension) ext).getReason(); -+ break; -+ } -+ } -+ if (revReason == null) { -+ CMS.debug("CAService.revokeCert: missing revocation reason"); -+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_REV_REASON=", serialno.toString(16))); -+ throw new ECAException( -+ CMS.getUserMessage("CMS_CA_MISSING_REV_REASON", -+ "0x" + serialno.toString(16))); -+ } -+ - CertRecord certRec = (CertRecord) 
mCA.getCertificateRepository().readCertificateRecord(serialno); - - if (certRec == null) { -@@ -995,24 +1015,52 @@ public class CAService implements ICAService, IService { - // allow revoking certs that are on hold. - String certStatus = certRec.getStatus(); - -- if ((certStatus.equals(ICertRecord.STATUS_REVOKED) && -- !certRec.isCertOnHold()) || -+ RevocationReason recRevReason = null; -+ if (certStatus.equals(ICertRecord.STATUS_REVOKED)) { -+ try { -+ recRevReason = certRec.getRevReason(); -+ } catch (Exception e) { -+ throw new EBaseException(e); -+ } -+ if (recRevReason == null) { -+ msg = "existing revoked cert missing revocation reason"; -+ CMS.debug("CAService.revokeCert: " + msg); -+ throw new EBaseException(msg); -+ } -+ } -+ -+ // for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE -+ if (((certStatus.equals(ICertRecord.STATUS_REVOKED) && -+ !certRec.isCertOnHold()) && -+ ((recRevReason != RevocationReason.SUPERSEDED) || -+ revReason != RevocationReason.KEY_COMPROMISE)) -+ || - certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { - CMS.debug("CAService.revokeCert: cert already revoked:" + - serialno.toString()); - throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", - "0x" + Long.toHexString(serialno.longValue()))); - } -+ - try { -+ // if cert has already revoked, update the revocation info only - CMS.debug("CAService.revokeCert: about to call markAsRevoked"); -- if (certRec.isCertOnHold()) { -+ if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) { - mCA.getCertificateRepository().markAsRevoked(serialno, -- new RevocationInfo(revdate, crlentryexts), true /*isAlreadyOnHold*/); -+ new RevocationInfo(revdate, crlentryexts), -+ true /*isAlreadyRevoked*/); -+ CMS.debug("CAService.revokeCert: on_hold cert marked revoked"); -+ mCA.log(ILogger.LL_INFO, -+ CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE", -+ recRevReason.toString(), -+ 
revReason.toString(), -+ serialno.toString(16))); - } else { - mCA.getCertificateRepository().markAsRevoked(serialno, - new RevocationInfo(revdate, crlentryexts)); - } -- CMS.debug("CAService.revokeCert: cert revoked"); -+ -+ CMS.debug("CAService.revokeCert: cert now revoked"); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", - serialno.toString(16))); - // inform all CRLIssuingPoints about revoked certificate -diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java -index 3a0c955..65db57e 100644 ---- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java -+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java -@@ -20,6 +20,9 @@ package com.netscape.certsrv.dbs.certdb; - import java.math.BigInteger; - import java.util.Date; - -+import com.netscape.certsrv.base.EBaseException; -+import netscape.security.x509.RevocationReason; -+import netscape.security.x509.X509ExtensionException; - import netscape.security.x509.X509CertImpl; - - import com.netscape.certsrv.base.MetaInfo; -@@ -181,4 +184,10 @@ public interface ICertRecord extends IDBObj { - * is this cert on hold? - */ - public boolean isCertOnHold(); -+ -+ /** -+ * returns the revocation reason -+ */ -+ public RevocationReason getRevReason() -+ throws EBaseException, X509ExtensionException; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -index a9a6238..47062f2 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java -@@ -1,4 +1,4 @@ --// --- BEGIN COPYRIGHT BLOCK --- -+ - // This program is free software; you can redistribute it and/or modify - // it under the terms of the GNU General Public License as published by - // the Free Software Foundation; version 2 of the License. 
-@@ -330,8 +330,10 @@ public class DoRevokeTPS extends CMSServlet { - String auditRequestType = auditRequestType(reason); - RequestStatus auditApprovalStatus = null; - String auditReasonNum = String.valueOf(reason); -- String method = "DoRevokeTPS.process"; -+ String method = "DoRevokeTPS.process:"; -+ String msg = ""; - -+ CMS.debug(method + "begins"); - if (revokeAll != null) { - CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); - -@@ -357,6 +359,8 @@ public class DoRevokeTPS extends CMSServlet { - Vector revCertImplsV = new Vector(); - - // Construct a CRL reason code extension. -+ -+ CMS.debug(method + "reason code = " + reason); - RevocationReason revReason = RevocationReason.fromInt(reason); - CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); - -@@ -401,22 +405,47 @@ public class DoRevokeTPS extends CMSServlet { - } - - if (xcert != null) { -+ RevocationReason recRevReason = null; -+ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { -+ try { -+ recRevReason = rec.getRevReason(); -+ } catch (Exception ex) { -+ CMS.debug(method + ex.toString()); -+ throw new EBaseException(ex); -+ } -+ if (recRevReason == null) { -+ msg = "existing revoked cert missing revocation reason"; -+ CMS.debug(method + msg); -+ throw new EBaseException(msg); -+ } -+ } -+ - rarg.addStringValue("serialNumber", - xcert.getSerialNumber().toString(16)); - -- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) -- && !rec.isCertOnHold()) { -- alreadyRevokedCertFound = true; -- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " has already been revoked."); -- } else { -+ boolean updateRevocation = true; -+ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED) && -+ revReason == RevocationReason.KEY_COMPROMISE)) { -+ updateRevocation = false; -+ if ((recRevReason == RevocationReason.SUPERSEDED) || -+ (rec.isCertOnHold())) { -+ updateRevocation = true; -+ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) 
-+ + " has been revoked, but reason is changed"); -+ } else { -+ alreadyRevokedCertFound = true; -+ CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + " has been revoked."); -+ } -+ } -+ if (updateRevocation) { - oldCertsV.addElement(xcert); - -- RevokedCertImpl revCertImpl = -- new RevokedCertImpl(xcert.getSerialNumber(), -- CMS.getCurrentDate(), entryExtn); -+ RevokedCertImpl revCertImpl = new RevokedCertImpl(xcert.getSerialNumber(), -+ CMS.getCurrentDate(), entryExtn); - - revCertImplsV.addElement(revCertImpl); -- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " is going to be revoked."); -+ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) -+ + " is going to be revoked."); - count++; - } - } else { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 5e51440..ff432b6 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -119,7 +119,9 @@ CMSCORE_CA_STORE_SERIAL=CA stored signed certificate serial number 0x{0} - CMSCORE_CA_MARK_SERIAL=CA marked certificate serial number 0x{0} as renewed with serial number 0x{1} - CMSCORE_CA_NO_STORE_SERIAL=Could not store certificate serial number 0x{0} - CMSCORE_CA_CERT_NOT_FOUND=Cannot find certificate serial number 0x{0} -+CMSCORE_CA_MISSING_REV_REASON=Missing revocation reason for revocation request on serial number 0x{0} - CMSCORE_CA_CERT_REVOKED=Revoked certificate serial number 0x{0} -+CMSCORE_CA_CERT_REVO_INFO_UPDATE=Revocation reason changed from {0} to {1} Certificate serial number 0x{2} - CMSCORE_CA_ERROR_REVOCATION=Error revoking certificate {0}. Error {1} - CMSCORE_CA_CERT_ON_HOLD=Certificate {0} has to be on-hold. 
- CMSCORE_CA_CERT_UNREVOKED=Unrevoked certificate serial number 0x{0} -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index ed2a620..4d1b755 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -397,6 +397,7 @@ CMS_CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by - CMS_CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by the CLA - CMS_CA_RENEW_FAILED=One or more certificates could not be renewed - CMS_CA_CANT_FIND_CERT_SERIAL=Cannot find certificate with serial number {0} -+CMS_CA_MISSING_REV_REASON=Missing revocation reason for revocatoin request on serial number {0} - CMS_CA_TOKEN_NOT_FOUND=Token {0} not found - CMS_CA_CERT_OBJECT_NOT_FOUND=Certificate object not found - CMS_CA_TOKEN_ERROR=Token Error -diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java -index a79f7a3..d4f3c03 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java -@@ -23,12 +23,6 @@ import java.util.Date; - import java.util.Enumeration; - import java.util.Vector; - --import netscape.security.x509.CRLExtensions; --import netscape.security.x509.CRLReasonExtension; --import netscape.security.x509.RevocationReason; --import netscape.security.x509.X509CertImpl; --import netscape.security.x509.X509ExtensionException; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.MetaInfo; -@@ -37,6 +31,12 @@ import com.netscape.certsrv.dbs.IDBObj; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.IRevocationInfo; - -+import netscape.security.x509.CRLExtensions; -+import netscape.security.x509.CRLReasonExtension; 
-+import netscape.security.x509.RevocationReason; -+import netscape.security.x509.X509CertImpl; -+import netscape.security.x509.X509ExtensionException; -+ - /** - * A class represents a serializable certificate record. - *

    -@@ -274,27 +274,50 @@ public class CertRecord implements IDBObj, ICertRecord { - return mModifyTime; - } - -+ /* -+ * getRevReason - -+ * @returns RevocationReason if cert is revoked; null if not -+ * it throws exceptions if anything failed -+ */ -+ public RevocationReason getRevReason() -+ throws EBaseException, X509ExtensionException { -+ String method = "CertRecord.getRevReason:"; -+ String msg = ""; -+ //CMS.debug(method + " checking for cert serial: " -+ // + getSerialNumber().toString()); -+ IRevocationInfo revInfo = getRevocationInfo(); -+ if (revInfo == null) { -+ msg = "revInfo null for" + getSerialNumber().toString(); -+ CMS.debug(method + msg); -+ return null; -+ } -+ -+ CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); -+ if (crlExts == null) -+ throw new X509ExtensionException("crlExts null"); -+ -+ CRLReasonExtension reasonExt = null; -+ reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); -+ if (reasonExt == null) -+ throw new EBaseException("reasonExt null"); -+ -+ return reasonExt.getReason(); -+ } -+ - public boolean isCertOnHold() { - String method = "CertRecord.isCertOnHold:"; - CMS.debug(method + " checking for cert serial: " -- + getSerialNumber().toString()); -- IRevocationInfo revInfo = getRevocationInfo(); -- if (revInfo != null) { -- CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); -- if (crlExts == null) return false; -- CRLReasonExtension reasonExt = null; -- try { -- reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); -- } catch (X509ExtensionException e) { -- CMS.debug(method + " returning false:" + e.toString()); -- return false; -- } -- if (reasonExt.getReason() == RevocationReason.CERTIFICATE_HOLD) { -- CMS.debug(method + " returning true"); -+ + getSerialNumber().toString()); -+ try { -+ RevocationReason revReason = getRevReason(); -+ if (revReason == RevocationReason.CERTIFICATE_HOLD) { -+ CMS.debug(method + "for " + getSerialNumber().toString() + " returning true"); - 
return true; - } -+ } catch (Exception e) { -+ CMS.debug(method + e); - } -- CMS.debug(method + " returning false"); -+ CMS.debug(method + "for " + getSerialNumber().toString() + " returning false"); - return false; - } - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -index 9a333fe..367917f 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java -@@ -1110,19 +1110,21 @@ public class CertificateRepository extends Repository - - /** - * Marks certificate as revoked. -- * isAlreadyOnHold - boolean to indicate that the cert was revoked onHold -- * When a cert was originally onHold, some of the ldap attributes -- * already exist, so "MOD_REPLACE" is needed instead of "MOD_ADD" -+ * isAlreadyRevoked - boolean to indicate that the cert was revoked -+ * ( possibly onHold ) -+ * When a cert was originally revoked (possibly onHold), -+ * some of the ldap attributes already exist, -+ * so "MOD_REPLACE" is needed instead of "MOD_ADD" - */ - public void markAsRevoked(BigInteger id, IRevocationInfo info) - throws EBaseException { - markAsRevoked(id, info, false); - } -- public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyOnHold) -+ -+ public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyRevoked) - throws EBaseException { -- String method = "CertificateRepository.markAsRevoked:"; - ModificationSet mods = new ModificationSet(); -- if (isAlreadyOnHold) { -+ if (isAlreadyRevoked) { - mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info); - } else { - mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info); -@@ -1134,30 +1136,30 @@ public class CertificateRepository extends Repository - * When already revoked onHold, the fields already existing in record - * can only be 
replaced instead of added - */ -- if (isAlreadyOnHold) { -+ if (isAlreadyRevoked) { - if (uid == null) { - mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, -- "system"); -+ "system"); - } else { - mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, -- uid); -+ uid); - } - mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_REPLACE, -- CMS.getCurrentDate()); -+ CMS.getCurrentDate()); - } else { - if (uid == null) { - mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, -- "system"); -+ "system"); - } else { - mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, -- uid); -+ uid); - } - mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_ADD, -- CMS.getCurrentDate()); -+ CMS.getCurrentDate()); -+ mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, -+ CertRecord.STATUS_REVOKED); - } - -- mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, -- CertRecord.STATUS_REVOKED); - modifyCertificateRecord(id, mods); - } - --- -1.8.3.1 diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 16a703b..6d16a7a 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -2,10 +2,10 @@ %{!?__python2: %global __python2 /usr/bin/python2} %{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%if 0%{?rhel} || 0%{?fedora} < 24 -%global with_python3 0 -%else +%if 0%{?fedora} || 0%{?rhel} > 7 %global with_python3 1 +%else +%global with_python3 0 %endif %if 0%{?rhel} @@ -13,7 +13,7 @@ %global package_rhel_packages 1 # Package RHCS-specific RPMS Only %global package_rhcs_packages 0 -%define pki_core_rhel_version 10.4.1 +%define pki_core_rhel_version 10.5.1 %else # 0%{?fedora} # Fedora always packages all RPMS 
@@ -24,27 +24,21 @@ %define java_home /usr/lib/jvm/jre-1.8.0-openjdk # Tomcat -%if 0%{?fedora} >= 23 +%if 0%{?fedora} || 0%{?rhel} > 7 %define with_tomcat7 0 %define with_tomcat8 1 %else -# 0%{?rhel} || 0%{?fedora} <= 22 %define with_tomcat7 1 %define with_tomcat8 0 %endif # RESTEasy -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 %define jaxrs_api_jar /usr/share/java/resteasy-base/jaxrs-api.jar %define resteasy_lib /usr/share/java/resteasy-base %else -%if 0%{?fedora} >= 24 %define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar %define resteasy_lib /usr/share/java/resteasy -%else -%define jaxrs_api_jar /usr/share/java/resteasy/jaxrs-api.jar -%define resteasy_lib /usr/share/java/resteasy -%endif %endif # Dogtag @@ -63,15 +57,33 @@ %define pki_gid 17 %define pki_homedir /usr/share/pki +# Optionally fetch the release from the environment variable 'PKI_RELEASE' +%define use_pki_release %{getenv:USE_PKI_RELEASE} +%if 0%{?use_pki_release} +%define pki_release %{getenv:PKI_RELEASE} +%endif + Name: pki-core %if 0%{?rhel} -Version: 10.4.1 -#Release: 18%{?dist} -Release: 18.el7_4 +Version: 10.5.1 +%define redhat_release 13.1 +%define redhat_stage 0 +#%define default_release %{redhat_release}.%{redhat_stage} +%define default_release %{redhat_release} +%else +Version: 10.5.9 +%define fedora_release 1 +%define fedora_stage 0 +#%define default_release %{fedora_release}.%{fedora_stage} +%define default_release %{fedora_release} +%endif + +%if 0%{?use_pki_release} +Release: %{pki_release}%{?dist} %else -Version: 10.4.8 -Release: 8%{?dist} +Release: %{default_release}%{?dist} %endif + Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 
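Review bot: The package `Release:` tag is now taken verbatim from the build environment (`%define pki_release %{getenv:PKI_RELEASE}` guarded by `%if 0%{?use_pki_release}`), and nothing in the spec validates or constrains that string, so a tampered or mistaken shell environment can stamp a build with a release that sorts above the official `13.1` and is then preferred as an update. The `%if 0%{?use_pki_release}` gate also only behaves for numeric values of `USE_PKI_RELEASE`; a value like `yes` expands to `0yes`, which rpm's `%if` parser rejects as far as I can tell. I would make the gate explicit and document its scope, e.g. replace both `%if 0%{?use_pki_release}` with `%if "%{getenv:USE_PKI_RELEASE}" == "1"` and put `# Developer override only: USE_PKI_RELEASE/PKI_RELEASE must never be set for official (brew/koji) builds` above the first `%define`.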
@@ -84,31 +96,23 @@ BuildRequires: gcc-c++ BuildRequires: zip BuildRequires: java-1.8.0-openjdk-devel BuildRequires: redhat-rpm-config -BuildRequires: ldapjdk +BuildRequires: ldapjdk >= 4.19-5 BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io BuildRequires: apache-commons-lang BuildRequires: jakarta-commons-httpclient BuildRequires: slf4j -%if ! 0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: slf4j-jdk14 %endif BuildRequires: nspr-devel -%if 0%{?rhel} -BuildRequires: nss-devel >= 3.28.3 -%else -%if 0%{?fedora} >= 25 BuildRequires: nss-devel >= 3.28.3 -%else -BuildRequires: nss-devel >= 3.27.0 -%endif -%endif -%if 0%{?rhel} -BuildRequires: nuxwdog-client-java >= 1.0.3-5.1 +%if 0%{?rhel} && 0%{?rhel} <= 7 +BuildRequires: nuxwdog-client-java >= 1.0.3-7 %else -BuildRequires: nuxwdog-client-java >= 1.0.3 +BuildRequires: nuxwdog-client-java >= 1.0.3-13 %endif BuildRequires: openldap-devel @@ -120,10 +124,10 @@ BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 # 'resteasy-base' is a subset of the complete set of # 'resteasy' packages and consists of what is needed to -# support the PKI Restful interface on RHEL platforms +# support the PKI Restful interface on certain RHEL platforms BuildRequires: resteasy-base-atom-provider >= 3.0.6-1 BuildRequires: resteasy-base-client >= 3.0.6-1 BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1 @@ -131,7 +135,6 @@ BuildRequires: resteasy-base-jaxrs >= 3.0.6-1 BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1 BuildRequires: resteasy-base-jackson-provider >= 3.0.6-1 %else -%if 0%{?fedora} >= 24 BuildRequires: jboss-annotations-1.2-api BuildRequires: jboss-jaxrs-2.0-api BuildRequires: jboss-logging 
@@ -140,35 +143,16 @@ BuildRequires: resteasy-client >= 3.0.17-1 BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 BuildRequires: resteasy-core >= 3.0.17-1 BuildRequires: resteasy-jackson-provider >= 3.0.17-1 -%else -%if 0%{?fedora} >= 22 -# Starting from Fedora 22, resteasy packages were split into -# subpackages. -BuildRequires: resteasy-atom-provider >= 3.0.6-7 -BuildRequires: resteasy-client >= 3.0.6-7 -BuildRequires: resteasy-jaxb-provider >= 3.0.6-7 -BuildRequires: resteasy-core >= 3.0.6-7 -BuildRequires: resteasy-jaxrs-api >= 3.0.6-7 -BuildRequires: resteasy-jackson-provider >= 3.0.6-7 -%else -BuildRequires: resteasy >= 3.0.6-2 -%endif -%endif %endif -%if ! 0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: pylint -%if 0%{?fedora} >= 24 BuildRequires: python-flake8 >= 2.5.4 BuildRequires: python3-flake8 >= 2.5.4 # python-flake8 2.5.4 package should require pyflakes >= 1.2.3 BuildRequires: pyflakes >= 1.2.3 # python3-flake8 2.5.4 package should require python3-pyflakes >= 1.2.3 BuildRequires: python3-pyflakes >= 1.2.3 -%else -BuildRequires: python-flake8 -BuildRequires: python3-flake8 -%endif %endif BuildRequires: python2-cryptography 
@@ -177,31 +161,20 @@ BuildRequires: python-requests >= 2.6.0 BuildRequires: python-six BuildRequires: libselinux-python BuildRequires: policycoreutils-python -%if 0%{?fedora} >= 23 +%if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: policycoreutils-python-utils %endif BuildRequires: python-ldap BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} -BuildRequires: jss >= 4.4.0-8 -%else -%if 0%{?fedora} >= 25 -BuildRequires: jss >= 4.4.2-5 -%else -BuildRequires: jss >= 4.2.6-44 -%endif -%endif -BuildRequires: systemd-units -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 +BuildRequires: jss >= 4.4.0-12 BuildRequires: tomcatjss >= 7.2.1-4 %else -%if 0%{?fedora} >= 25 +BuildRequires: jss >= 4.4.2-10 BuildRequires: tomcatjss >= 7.2.3 -%else -BuildRequires: tomcatjss >= 7.1.3 -%endif %endif +BuildRequires: systemd-units %if 0%{?with_python3} BuildRequires: python3-cryptography @@ -223,7 +196,6 @@ BuildRequires: httpd-devel >= 2.4.2 BuildRequires: pcre-devel BuildRequires: python BuildRequires: systemd -BuildRequires: svrcore-devel BuildRequires: zlib BuildRequires: zlib-devel 
@@ -236,108 +208,17 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz %endif -####################### -## pki-core-10.4.1-2 -####################### -Patch0: pki-core-alpha.patch -####################### -## pki-core-10.4.1-3 -####################### -Patch1: pki-core-beta.patch -####################### -## pki-core-10.4.1-4 -####################### -Patch2: pki-core-post-beta.patch -####################### -## pki-core-10.4.1-5 -####################### -Patch3: pki-core-snapshot-1.patch -####################### -## pki-core-10.4.1-6 -####################### -Patch4: pki-core-Always-check-FIPS-mode-at-installation-time.patch -####################### -## pki-core-10.4.1-7 -####################### -Patch5: pki-core-snapshot-2.patch -####################### -## pki-core-10.4.1-8 -####################### -Patch6: pki-core-snapshot-3.patch -Patch7: pki-core-SecurityDataRecoveryService.patch -####################### -## pki-core-10.4.1-9 -####################### -Patch8: pki-core-snapshot-4.patch -####################### -## pki-core-10.4.1-10 -## (pki-core-snapshot-5.patch) -####################### -Patch9: pki-core-Fix-3DES-archival.patch -Patch10: pki-core-Fix-token-enrollment-and-recovery-ivs.patch -Patch11: pki-core-CMC-check-HTTPS-client-authentication-cert.patch -Patch12: pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch -####################### -## pki-core-10.4.1-11 -## (pki-core 0-day patch) -####################### -Patch13: pki-core-cmc-plugin-default-change.patch -####################### -## pki-core-10.4.1-12 -####################### -## RHEL 7.4 Batch Update 1 -Patch14: pki-core-server-access-banner-validation.patch -Patch15: pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch -Patch16: pki-core-platform-dependent-python-import.patch -Patch17: pki-core-CMC-id-cmc-statusInfoV2.patch -Patch18: 
pki-core-subsystem-cert-update-CLI-cert-option.patch -Patch19: pki-core-HSM-key-changeover-SCP03-support.patch -Patch20: pki-core-system-cert-CMC-enroll-profile.patch -####################### -## pki-core-10.4.1-13 -####################### -## RHEL 7.4 Batch Update 1 -Patch21: pki-core-server-access-banner-retrieval-validation.patch -####################### -## pki-core-10.4.1-14 -####################### -## RHEL 7.4 Batch Update 2 -Patch22: pki-core-Fix-lightweight-CA-replication-NPE-failure.patch -Patch23: pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch -Patch24: pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch -Patch25: pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch -Patch26: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch -Patch27: pki-core-Fix-JSON-encoding-in-Python-3.patch -## RHCS 9.2 Batch Update 2 -#Patch28: pki-core-Fix-tokenOrigin-and-tokenType-attrs-in-recovered-certs.patch -#Patch29: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI.patch -####################### -## pki-core-10.4.1-15 -####################### -Patch30: pki-core-Make-PKCS12-files-compatible-with-PBES2.patch -####################### -## pki-core-10.4.1-16 -####################### -## RHCS 9.2 Batch Update 3 -#Patch31: pki-core-externalRegRecover-multiple-KRA.patch -#Patch32: pki-core-TPS-applet-protocol-determination.patch -#Patch33: pki-core-update-RHCS-cert-revocation-reasons.patch -## RHEL 7.4 Batch Update 3 -Patch34: pki-core-update-RHEL-cert-revocation-reasons.patch -Patch35: pki-core-fix-issuance-sans-subject-key-ID-ext.patch -Patch36: pki-core-fix-ipa-replica-install-timing-issue.patch -####################### -## pki-core-10.4.1-17 -####################### -## RHCS 9.2 Batch Update 3 -Patch37: pki-core-tps-externalReg-regression.patch -####################### -## pki-core-10.4.1-18 -####################### -## RHEL 7.4 Batch Update 6 -Patch38: pki-core-enable-non-pkiuser.patch - - +Patch0: 
pki-core-10.5.1-alpha.patch +Patch1: pki-core-10.5.1-beta.patch +Patch2: pki-core-10.5.1-snapshot-1.patch +Patch3: pki-core-10.5.1-snapshot-2.patch +Patch4: pki-core-10.5.1-snapshot-3.patch +Patch5: pki-core-10.5.1-snapshot-4.patch +Patch6: pki-core-10.5.1-snapshot-5.patch +Patch7: pki-core-10.5.1-batch-1.0.patch +Patch8: pki-core-10.5.1-batch-1.1.patch +Patch9: pki-core-10.5.1-batch-2.0.patch +Patch10: pki-core-10.5.1-batch-2.1.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -436,31 +317,19 @@ Summary: Symmetric Key JNI Package Group: System Environment/Libraries Requires: java-1.8.0-openjdk-headless -%if 0%{?rhel} -Requires: nss >= 3.28.3 -%else -%if 0%{?fedora} >= 25 -Requires: nss >= 3.28.3 -%else -Requires: nss >= 3.27.0 -%endif -%endif Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} -Requires: jss >= 4.4.0-8 -%else -%if 0%{?fedora} >= 25 -Requires: jss >= 4.4.2-5 +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: jss >= 4.4.0-12 %else -Requires: jss >= 4.2.6-44 -%endif +Requires: jss >= 4.4.2-10 %endif +Requires: nss >= 3.28.3 Provides: symkey = %{version}-%{release} Obsoletes: symkey < %{version}-%{release} -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 ## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all ## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages: # pki-console @@ -501,15 +370,7 @@ Obsoletes: pki-util < %{version}-%{release} Conflicts: freeipa-server < 3.0.0 -%if 0%{?rhel} Requires: nss >= 3.28.3 -%else -%if 0%{?fedora} >= 25 -Requires: nss >= 3.28.3 -%else -Requires: nss >= 3.27.0 -%endif -%endif Requires: python2-cryptography Requires: python-nss Requires: python-requests >= 2.6.0 
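Review bot: The rebase replaces the annotated patch series with eleven opaque `pki-core-10.5.1-*.patch` entries, so the spec no longer records which previously named fixes are still carried, several of which are security-relevant by name (`pki-core-Always-check-FIPS-mode-at-installation-time.patch`, `pki-core-CMC-check-HTTPS-client-authentication-cert.patch`, `pki-core-server-access-banner-validation.patch`, `pki-core-server-access-banner-retrieval-validation.patch`, `pki-core-enable-non-pkiuser.patch`). Presumably these landed in the 10.5.1 tarball or are folded into the snapshot/batch patches, but nothing in this hunk establishes that, and a reviewer of a later CVE backport cannot check it from the spec. I would keep the earlier convention of a comment per patch group naming the bug or topic it carries, e.g. `## RHEL 7.5 Batch Update 1 (tickets: ...)` above `Patch7:`, and note in the %changelog (outside this hunk) that the 10.4.1 patch series is superseded by the base tarball.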
@@ -535,27 +396,23 @@ Requires: apache-commons-lang Requires: apache-commons-logging Requires: jakarta-commons-httpclient Requires: slf4j -%if ! 0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} > 7 Requires: slf4j-jdk14 %endif Requires: javassist Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} -Requires: jss >= 4.4.0-8 +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: jss >= 4.4.0-12 %else -%if 0%{?fedora} >= 25 -Requires: jss >= 4.4.2-5 -%else -Requires: jss >= 4.2.6-44 -%endif +Requires: jss >= 4.4.2-10 %endif -Requires: ldapjdk +Requires: ldapjdk >= 4.19-5 Requires: pki-base = %{version}-%{release} -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 # 'resteasy-base' is a subset of the complete set of # 'resteasy' packages and consists of what is needed to -# support the PKI Restful interface on RHEL platforms +# support the PKI Restful interface on certain RHEL platforms Requires: resteasy-base-atom-provider >= 3.0.6-1 Requires: resteasy-base-client >= 3.0.6-1 Requires: resteasy-base-jaxb-provider >= 3.0.6-1 @@ -563,26 +420,11 @@ Requires: resteasy-base-jaxrs >= 3.0.6-1 Requires: resteasy-base-jaxrs-api >= 3.0.6-1 Requires: resteasy-base-jackson-provider >= 3.0.6-1 %else -%if 0%{?fedora} >= 24 Requires: resteasy-atom-provider >= 3.0.17-1 Requires: resteasy-client >= 3.0.17-1 Requires: resteasy-jaxb-provider >= 3.0.17-1 Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson-provider >= 3.0.17-1 -%else -%if 0%{?fedora} >= 22 -# Starting from Fedora 22, resteasy packages were split into -# subpackages. -Requires: resteasy-atom-provider >= 3.0.6-7 -Requires: resteasy-client >= 3.0.6-7 -Requires: resteasy-jaxb-provider >= 3.0.6-7 -Requires: resteasy-core >= 3.0.6-7 -Requires: resteasy-jaxrs-api >= 3.0.6-7 -Requires: resteasy-jackson-provider >= 3.0.6-7 -%else -Requires: resteasy >= 3.0.6-2 -%endif -%endif %endif Requires: xalan-j2 
@@ -635,25 +477,13 @@ Obsoletes: pki-native-tools < %{version}-%{release} Obsoletes: pki-java-tools < %{version}-%{release} Requires: openldap-clients -%if 0%{?rhel} Requires: nss-tools >= 3.28.3 -%else -%if 0%{?fedora} >= 25 -Requires: nss-tools >= 3.28.3 -%else -Requires: nss-tools >= 3.27.0 -%endif -%endif Requires: java-1.8.0-openjdk-headless Requires: pki-base = %{version}-%{release} Requires: pki-base-java = %{version}-%{release} Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?fedora} >= 23 +%if 0%{?fedora} || 0%{?rhel} > 7 Requires: tomcat-servlet-3.1-api -%else -%if 0%{?fedora} >= 22 -Requires: tomcat-servlet-3.0-api >= 7.0.68 -%endif %endif %description -n pki-tools @@ -685,16 +515,20 @@ Requires: java-1.8.0-openjdk-headless Requires: hostname Requires: net-tools -%if 0%{?rhel} -Requires: nuxwdog-client-java >= 1.0.3-5.1 +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: nuxwdog-client-java >= 1.0.3-7 %else -Requires: nuxwdog-client-java >= 1.0.3 +Requires: nuxwdog-client-java >= 1.0.3-13 %endif Requires: policycoreutils Requires: procps-ng Requires: openldap-clients +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: openssl >= 1.0.2k-11 +%else Requires: openssl +%endif Requires: pki-base = %{version}-%{release} Requires: pki-base-java = %{version}-%{release} Requires: pki-tools = %{version}-%{release} 
@@ -702,26 +536,20 @@ Requires: python-ldap Requires: python-lxml Requires: libselinux-python Requires: policycoreutils-python -%if 0%{?fedora} >= 23 +%if 0%{?fedora} || 0%{?rhel} > 7 Requires: policycoreutils-python-utils %endif Requires: selinux-policy-targeted >= 3.13.1-159 Obsoletes: pki-selinux -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 Requires: tomcat >= 7.0.69 %else Requires: tomcat >= 7.0.68 -%if 0%{?fedora} >= 23 Requires: tomcat-el-3.0-api Requires: tomcat-jsp-2.3-api Requires: tomcat-servlet-3.1-api -%else -Requires: tomcat-el-2.2-api >= 7.0.68 -Requires: tomcat-jsp-2.2-api >= 7.0.68 -Requires: tomcat-servlet-3.0-api >= 7.0.68 -%endif %endif Requires: velocity @@ -729,17 +557,13 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 Requires: tomcatjss >= 7.2.1-4 %else -%if 0%{?fedora} >= 25 Requires: tomcatjss >= 7.2.3 -%else -Requires: tomcatjss >= 7.1.3 -%endif %endif -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 ## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all ## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages: # pki-console @@ -937,15 +761,7 @@ Requires(postun): systemd-units # additional runtime requirements needed to run native 'tpsclient' # REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app -%if 0%{?rhel} Requires: nss-tools >= 3.28.3 -%else -%if 0%{?fedora} >= 25 -Requires: nss-tools >= 3.28.3 -%else -Requires: nss-tools >= 3.27.0 -%endif -%endif Requires: openldap-clients %if 0%{?package_fedora_packages} || 0%{?package_rhel_packages} Requires: pki-symkey = %{version}-%{release} 
@@ -1014,34 +830,6 @@ This package is a part of the PKI Core used by the Certificate System. %patch8 -p1 %patch9 -p1 %patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -#%patch28 -p1 -#%patch29 -p1 -%patch30 -p1 -#%patch31 -p1 -#%patch32 -p1 -#%patch33 -p1 -%patch34 -p1 -%patch35 -p1 -%patch36 -p1 -#%patch37 -p1 -%patch38 -p1 %clean %{__rm} -rf %{buildroot} @@ -1076,8 +864,7 @@ cd build -DWITH_JAVADOC:BOOL=OFF \ %endif .. -%{__make} VERBOSE=1 %{?_smp_mflags} all -# %{__make} VERBOSE=1 %{?_smp_mflags} unit-test +%{__make} VERBOSE=1 %{?_smp_mflags} -j 1 all unit-test %install @@ -1099,7 +886,7 @@ ln -s %{_datadir}/pki/java-tools/KRATool.cfg %{buildroot}%{_datadir}/pki/java-to ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz # Customize system upgrade scripts in /usr/share/pki/upgrade -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 # merge newer upgrade scripts into 10.3.3 for RHEL /bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.4 @@ -1114,7 +901,7 @@ ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz %endif # Customize client library links in /usr/share/pki/lib -%if 0%{?fedora} >= 24 +%if 0%{?fedora} || 0%{?rhel} > 7 rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-api.jar rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-jandex.jar @@ -1140,7 +927,7 @@ fi %if %{with server} # Customize server upgrade scripts in /usr/share/pki/server/upgrade -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 # merge newer upgrade scripts into 10.3.3 for RHEL mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary \ 
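Review bot: In the new build line `%{__make} VERBOSE=1 %{?_smp_mflags} -j 1 all unit-test`, the trailing `-j 1` overrides whatever `%{?_smp_mflags}` expands to, since GNU make honours the last `-j` it is given, so the macro is dead and misleads a reader into thinking the build is still parallel. If the intent is a serial build so that the newly enabled `unit-test` target runs reliably, drop the macro and say why: `# build serially: unit tests run as part of the build and presumably are not parallel-safe` / `%{__make} VERBOSE=1 -j 1 all unit-test`. Running `unit-test` in %build also means a failing test now fails the package build, which is the right default for a PKI component but deserves a line in the changelog. The hunk begins and ends within view.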
@@ -1163,10 +950,16 @@ mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout \ /bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.5 /bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6 +# merge newer upgrade script into 10.5.1 for RHEL +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.5.1/01-AddTPSExternalRegISEtokenParams + +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5 + %endif # Customize server library links in /usr/share/pki/server/common/lib -%if 0%{?fedora} >= 24 +%if 0%{?fedora} || 0%{?rhel} > 7 rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar @@ -1194,7 +987,7 @@ fi %endif -%if ! 0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} > 7 # Scanning the python code with pylint. %{__python2} ../pylint-build-scan.py rpm --prefix %{buildroot} if [ $? -ne 0 ]; then @@ -1229,7 +1022,7 @@ fi %{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki %{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki -%if ! 0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} > 7 %pretrans -n pki-base -p function test(a) if posix.stat(a) then @@ -1398,6 +1191,7 @@ fi %{_bindir}/CMCRequest %{_bindir}/CMCResponse %{_bindir}/CMCRevoke +%{_bindir}/CMCSharedToken %{_bindir}/CRMFPopClient %{_bindir}/DRMTool %{_bindir}/ExtJoiner @@ -1418,6 +1212,9 @@ fi %{_mandir}/man1/AuditVerify.1.gz %{_mandir}/man1/BtoA.1.gz %{_mandir}/man1/CMCEnroll.1.gz +%{_mandir}/man1/CMCRequest.1.gz +%{_mandir}/man1/CMCResponse.1.gz +%{_mandir}/man1/CMCSharedToken.1.gz %{_mandir}/man1/DRMTool.1.gz %{_mandir}/man1/KRATool.1.gz %{_mandir}/man1/PrettyPrintCert.1.gz 
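Review bot: The new `mv` of `01-AddTPSExternalRegISEtokenParams` from `server/upgrade/10.5.5` into `server/upgrade/10.5.1` relocates a server upgrade script into the version directory of a release that has already shipped (10.5.1-12 and earlier per the changelog), with no comment on why. If `pki-server-upgrade` selects scripts by comparing directory versions with the version recorded in the instance, as the neighbouring "merge newer upgrade scripts into 10.3.3" blocks suggest, an instance already marked 10.5.1 may never run this script — confirm against the upgrade tracker before relying on it for existing TPS deployments. A why-comment would also help the next maintainer: `# RHEL builds ship as 10.5.1, so the 10.5.5 script is folded into the 10.5.1 directory for pki-server-upgrade to see it`. The hunk is fully within view, but the enclosing `%if 0%{?rhel} && 0%{?rhel} <= 7` block opens before it.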
@@ -1439,6 +1236,7 @@ fi %{_mandir}/man1/pki-user.1.gz %{_mandir}/man1/pki-user-cert.1.gz %{_mandir}/man1/pki-user-membership.1.gz +%{_mandir}/man1/PKCS10Client.1.gz %endif %if %{with server} @@ -1485,6 +1283,7 @@ fi %{_mandir}/man8/pki-server-subsystem.8.gz %{_mandir}/man8/pki-server-nuxwdog.8.gz %{_mandir}/man8/pki-server-migrate.8.gz +%{_mandir}/man8/pki-server-cert.8.gz %{_datadir}/pki/setup/ %{_datadir}/pki/server/ 
@@ -1569,130 +1368,353 @@ fi %endif # %{with server} %changelog -* Wed Feb 14 2018 Dogtag Team 10.4.1-18 -- ########################################################################### -- ## RHEL 7.4 -- ########################################################################### -- Bugzilla Bug #1540091 - Unable to have non "pkiuser" owned CA instance - [rhel-7.4.z] (alee, mharmsen) - -* Fri Nov 10 2017 Dogtag Team 10.4.1-17 -- ########################################################################### -- ## RHCS 9.2 -- ########################################################################### -- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of - #the to determine applet loaded (jmagne) - -* Fri Oct 13 2017 Dogtag Team 10.4.1-16 -- ########################################################################### -- ## RHCS 9.2 -- ########################################################################### -- #Bugzilla Bug #1439228 - externalRegRecover does not support multiple - #KRA instances (cfu) -- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of - #the to determine applet loaded (jmagne) -- #Bugzilla Bug #1471996 - Certificate Revocation Reasons not being updated - #in some cases [RHCS 9] (cfu) -- ########################################################################### -- ## RHEL 7.4 -- ########################################################################### -- Bugzilla Bug #1500499 - Certificate Revocation Reasons not being updated - in some cases [rhel-7.4.z] (cfu) -- Bugzilla Bug #1502527 - CA cert without Subject Key Identifier causes - issuance failure [rhel-7.4.z] (ftweedal) -- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 - [rhel-7.4.z] (ftweedal) - NOTE: Check-ins for #1492560 all reference the dogtagpki Pagure Issue - associated with Bugzilla Bug #1402280 - CA Cloning: Failed to - update number range in few cases (which is not yet fully resolved) +* Sat Jun 9 2018 Dogtag Team 
10.5.1-13.1 +- Rebuild due to build system database problem + +* Fri Jun 8 2018 Dogtag Team 10.5.1-13 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1553068 - Using a Netmask produces an odd + entry in a certifcate [rhel-7.5.z] (ftweedal) +- Bugzilla Bug #1585945 - CMC CRMF requests result in + InvalidKeyFormatException when signing algorithm is ECC + [rhel-7.5.z] (cfu) +- Bugzilla Bug #1587826 - ExternalCA: Installation failed during + csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor) +- Bugzilla Bug #1588944 - Cert validation for installation with + external CA cert [rhel-7.5.z] (edewata) +- Bugzilla Bug #1588945 - CRMFPopClient tool - should allow + option to do no key archival (cfu) +- Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled + ACL configuration in AAclAuthz.java reverses rules that allow + and deny access [rhel-7.5.z] (ftweedal, cfu) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 + +* Tue May 22 2018 Dogtag Team 10.5.1-12 +- Updated "jss" build and runtime requirements (mharmsen) +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest, + CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu) +- Bugzilla Bug #1572548 - IPA install with external-CA is failing when + FIPS mode enabled. 
[rhel-7.5.z] (edewata) +- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE + [rhel-7.5.z] (cfu) +- Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue + with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu) +- Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs + improvement [rhel-7.5.z] (jmagne) +- Bugzilla Bug #1581135 - SAN in internal SSL server certificate in + pkispawn configuration step [rhel-7.5.z] (cfu) +- Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong + input class_id [rhel-7.5.z] (cfu) +- Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System + 9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 + +* Mon Apr 9 2018 Dogtag Team 10.5.1-11 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for + standard conformance [rhel-7.5.z] (cfu) +- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools + CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1560233 - libtps does not directly depend on libz + # (build failure with nss-3.35) [rhcs-9.3.z] (ftweedal) + +* Fri Mar 23 2018 Dogtag Team 10.5.1-10 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1550581 - 
CMCAuth throws + org.mozilla.jss.crypto.TokenException: Unable to insert certificate into + temporary database [rhel-7.5.z] (cfu) +- Bugzilla Bug #1551067 - [MAN] Add --skip-configuration + and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata) +- Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers + [rhel-7.5.z] (cheimes, mharmsen) +- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry + in a certifcate [rhel-7.5.z] (ftweedal) +- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for + standard conformance [rhel-7.5.z] (cfu) +- Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled + by default for RSA . . . [rhel-7.5.z] (mharmsen, cfu) +- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools + CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) +- Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives + StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal) +- Bugzilla Bug #1558919 - Not able to generate certificate request + with ECC using pki client-cert-request [rhel-7.5.z] (akahat) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1560233 - libtps does not directly depend on libz + # (build failure with nss-3.35) [rhcs-9.3.z] (ftweedal) + +* Mon Feb 19 2018 Dogtag Team 10.5.1-9 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + # (RHEL) +- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event + set (RHEL) (edewata) +- Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata) +- Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM + and FIPS (edewata) +- 
########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 +- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event + # set (RHCS) (edewata) + +* Mon Feb 12 2018 Dogtag Team 10.5.1-8 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + # (RHEL) +- Bugzilla Bug #1542210 - pki console configurations that involves ldap + passwords leave the plain text password in debug logs (jmagne) +- Bugzilla Bug #1543242 - Regression in lightweight CA key replication + (ftweedal) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 + +* Mon Feb 5 2018 Dogtag Team 10.5.1-7 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + # (RHEL) +- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event + set (RHEL) (edewata) +- Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and + audit event logging at startup (jmagne) +- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance + (alee) +- Bugzilla Bug #1525306 - CC: missing CMC request and response record + (cfu) +- Bugzilla Bug #1532933 - Installing subsystems with external CMC + certificates in HSM environment shows import 
error (edewata) +- Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm + (edewata) +- Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers + permitted in fips mode (mharmsen) +- Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED + outcomes. (edewata) +- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in + SharedToken scenario's (cfu) +- Bugzilla Bug #1541526 - CMC: Revocation works with an unknown + revRequest.issuer (cfu) +- Bugzilla Bug #1541853 - ProfileService: config values with + backslashes have backslashes removed (ftweedal) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 +- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit + # event set (RHCS) (edewata) +- # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the + # changes after an in-place upgrade. 
(jmagne) + +* Tue Jan 23 2018 Dogtag Team 10.5.1-6 +- Updated jss, nuxwdog, and openssl dependencies +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + (RHEL) +- Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in + few cases (ftweedal) +- Bugzilla Bug #1428021 - CC: shared token storage and retrieval + mechanism (cfu) +- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false + would cause error (cfu) +- Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog + (alee) +- Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during + pkispawn (alee) +- Bugzilla Bug #1520526 - p12 admin certificate is missing when + certificate is signed Externally (edewata) +- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA + instance (alee) +- Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to + missing nextupdate field (ftweedal) +- Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen) +- Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords + in several different files after installation completes (alee) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, + # and pki-console to 10.5.x in RHCS 9.3 + +* Mon Dec 11 2017 Dogtag Team 10.5.1-5 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + (RHEL) +- Bugzilla Bug #1466066 - CC: Secure removal of secret data storage + (jmagne) +- Bugzilla Bug #1518096 - ExternalCA: Failures in 
ExternalCA when tried to + setup with CMC signed certificates (cfu) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + # pki-console to 10.5.x in RHCS 9.3 + +* Mon Nov 27 2017 Dogtag Team 10.5.1-4 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + (RHEL) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + #pki-console to 10.5.x in RHCS 9.3 + +* Tue Nov 14 2017 Troy Dawson - 10.5.1-3 +- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals + +* Wed Nov 8 2017 Dogtag Team 10.5.1-2 +- Patch applying check-ins since 10.5.1-1 + +* Thu Nov 2 2017 Dogtag Team 10.5.1-1 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release + (RHEL) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + #pki-console to 10.5.x in RHCS 9.3 + +* Thu Oct 19 2017 Dogtag Team 10.5.0-1 +- ########################################################################## +- # RHEL 7.5: +- ########################################################################## +- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 
10.5.x release + (RHEL) +- ########################################################################## +- # RHCS 9.3: +- ########################################################################## +- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + #pki-console to 10.5.x in RHCS 9.3 * Mon Sep 18 2017 Dogtag Team 10.4.1-15 -- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 - [rhel-7.4.z] (ftweedal) +- #Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 + #[rhel-7.4.z] (ftweedal) * Tue Sep 12 2017 Dogtag Team 10.4.1-14 -- Require "jss >= 4.4.0-8" as a build and runtime requirement -- ########################################################################## -- RHEL 7.4: -- ########################################################################## -- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 -- Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) - [RHEL 7.4.z] (ftweedal) -- Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error - in cmc user-signed [rhel-7.4.z] (cfu) -- Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from - RHEL 7.1 [rhel-7.4.z] (ftweedal) -- Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) - [rhel-7.4.z] (ftweedal) -- Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin - for token certificates on TPS UI Server [rhel-7.4.z] (edewata) -- dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: - TypeError: ... is not JSON serializable (ftweedal) -- ########################################################################## -- RHCS 9.2: -- ########################################################################## -- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 -- Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and - "tokenType" certificate attribute for recovered certificates. 
(cfu) -- Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin - for token certificates on TPS UI (edewata) +- #Require "jss >= 4.4.0-8" as a build and runtime requirement +- ########################################################################## +- # RHEL 7.4: +- ########################################################################## +- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 +- # Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) + # [RHEL 7.4.z] (ftweedal) +- # Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error + # in cmc user-signed [rhel-7.4.z] (cfu) +- # Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from + # RHEL 7.1 [rhel-7.4.z] (ftweedal) +- # Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) + # [rhel-7.4.z] (ftweedal) +- # Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin + # for token certificates on TPS UI Server [rhel-7.4.z] (edewata) +- # dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: + # TypeError: ... is not JSON serializable (ftweedal) +- ########################################################################## +- # RHCS 9.2: +- ########################################################################## +- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 +- # Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and + # "tokenType" certificate attribute for recovered certificates. 
(cfu) +- # Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin + # for token certificates on TPS UI (edewata) * Mon Aug 21 2017 Dogtag Team 10.4.1-13 - Resolves: rhbz #1463350 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## -- Bugzilla Bug #1463350 - Access banner validation (edewata) - [pki-core-server-access-banner-retrieval-validation.patch] +- # Bugzilla Bug #1463350 - Access banner validation (edewata) + # [pki-core-server-access-banner-retrieval-validation.patch] * Wed Jul 19 2017 Dogtag Team 10.4.1-12 -- Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446 +- # Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## -- Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing - certificate requests (cfu) - [PREVIOUS PATCH: pki-core-beta.patch] - [PREVIOUS PATCH: pki-core-snapshot-4.patch] -- Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause - error (cfu) - [PREVIOUS PATCH: pki-core-post-beta.patch] -- Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert - against CMC signer (cfu) - [PREVIOUS PATCH: pki-core-CMC-check-HTTPS-client-authentication-cert.patch] -- Bugzilla Bug #1463350 - Access banner validation (edewata) - [pki-core-server-access-banner-validation.patch] -- Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal - non-signing cert requests (cfu) - [PREVIOUS PATCH: pki-core-snapshot-1.patch] - [pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch] -- Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen) - 
[pki-core-platform-dependent-python-import.patch] -- Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with - id-cmc-statusInfoV2 (cfu) - [pki-core-CMC-id-cmc-statusInfoV2.patch] -- Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option - (dmoluguw) - [pki-core-subsystem-cert-update-CLI-cert-option.patch] -- Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03 - (jmagne) - [pki-core-HSM-key-changeover-SCP03-support.patch] -- Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system - certificates (cfu) - [pki-core-system-cert-CMC-enroll-profile.patch] +- # Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing + # certificate requests (cfu) + # [PREVIOUS PATCH: pki-core-beta.patch] + # [PREVIOUS PATCH: pki-core-snapshot-4.patch] +- # Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause + # error (cfu) + # [PREVIOUS PATCH: pki-core-post-beta.patch] +- # Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert + # against CMC signer (cfu) + # [PREVIOUS PATCH: pki-core-CMC-check-HTTPS-client-authentication-cert.patch] +- # Bugzilla Bug #1463350 - Access banner validation (edewata) + # [pki-core-server-access-banner-validation.patch] +- # Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal + # non-signing cert requests (cfu) + # [PREVIOUS PATCH: pki-core-snapshot-1.patch] + # [pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch] +- # Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen) + # [pki-core-platform-dependent-python-import.patch] +- # Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with + # id-cmc-statusInfoV2 (cfu) + # [pki-core-CMC-id-cmc-statusInfoV2.patch] +- # Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option + # (dmoluguw) + # [pki-core-subsystem-cert-update-CLI-cert-option.patch] +- # Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03 + # (jmagne) + # 
[pki-core-HSM-key-changeover-SCP03-support.patch] +- # Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system + # certificates (cfu) + # [pki-core-system-cert-CMC-enroll-profile.patch] * Mon Jul 17 2017 Dogtag Team 10.4.1-11 -- Resolves: rhbz #1469432 +- # Resolves: rhbz #1469432 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## -- Bugzilla Bug #1469432 - CMC plugin default change -- Resolves CVE-2017-7537 -- Fixes BZ #1470948 +- # Bugzilla Bug #1469432 - CMC plugin default change +- # Resolves CVE-2017-7537 +- # Fixes BZ #1470948 * Mon Jun 19 2017 Dogtag Team 10.4.1-10 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1458043 - Key recovery on token fails with invalid public key error on KRA (alee) @@ -1703,7 +1725,7 @@ fi * Mon Jun 12 2017 Dogtag Team 10.4.1-9 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) @@ -1722,7 +1744,7 @@ fi - Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement - Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) 
@@ -1742,13 +1764,13 @@ fi - Bugzilla Bug #1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata) - ########################################################################## -- RHCS 9.2: +- # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) * Tue May 30 2017 Dogtag Team 10.4.1-7 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) @@ -1767,7 +1789,7 @@ fi * Mon May 22 2017 Dogtag Team 10.4.1-5 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal non-signing cert requests (cfu) @@ -1787,7 +1809,7 @@ fi * Tue May 9 2017 Dogtag Team 10.4.1-4 - ########################################################################## -- RHEL 7.4: +- # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1386303 - cannot extract generated private key from KRA when HSM is used. (alee) 
@@ -1802,13 +1824,13 @@ fi thales hsm (alee) - Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## -- RHCS 9.2: +- # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) * Mon May 1 2017 Dogtag Team 10.4.1-3 - ############################################################################ -- RHEL 7.4: +- # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in conjuction with FreeIPA (ftweedal) @@ -1825,14 +1847,14 @@ fi pki CLI terminates SSL connection (edewata) - Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata) - ############################################################################ -- RHCS 9.2: +- # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) (RHCS) (alee) * Mon Apr 17 2017 Dogtag Team 10.4.1-2 - ############################################################################ -- RHEL 7.4: +- # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1282504 - Installing pki-server in container reports scriptlet failed, exit status 1 (jpazdziora) 
@@ -1845,12 +1867,12 @@ fi - Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a request (edewata) - ############################################################################ -- RHCS 9.2: +- # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1274086 - [RFE] Add SCP03 support for sc 7 g & d cards (RHCS) (jmagne) - ############################################################################ -- Common Criteria +- # Common Criteria - ############################################################################ - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) @@ -1869,13 +1891,13 @@ fi - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ -- RHEL 7.4: +- # RHEL 7.4: - ############################################################################ - ############################################################################ -- RHCS 9.2: +- # RHCS 9.2: - ############################################################################ - ############################################################################ -- Common Criteria +- # Common Criteria - ############################################################################ - Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature implementation (cfu) @@ -1894,7 +1916,7 @@ fi - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ -- RHEL 7.4: +- # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) 
@@ -1958,7 +1980,7 @@ fi - Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 environment. (edewata) - ############################################################################ -- RHCS 9.2: +- # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu) - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) @@ -2955,7 +2977,7 @@ fi to be open in the FW (alee) - 'pki-silent' -* Wed Aug 10 2011 Matthew Harmsen 9.0.12 +* Wed Aug 10 2011 Matthew Harmsen 9.0.11-1 - 'pki-setup' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)