diff --git a/SOURCES/pki-core-10.5.9-batch-1.0.patch b/SOURCES/pki-core-10.5.9-batch-1.0.patch
new file mode 100644
index 0000000..d17d9e5
--- /dev/null
+++ b/SOURCES/pki-core-10.5.9-batch-1.0.patch
@@ -0,0 +1,3161 @@
+From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001
+From: John Magne
+Date: Fri, 19 Oct 2018 19:23:37 -0400
+Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of
+ pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely.
+
+---
+ .../netscape/cms/servlet/csadmin/GetStatus.java | 48 ++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+index 1d2d0e6..338e26b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+@@ -18,6 +18,7 @@
+ package com.netscape.cms.servlet.csadmin;
+ 
+ import java.io.IOException;
++import java.io.FileInputStream;
+ import java.util.Locale;
+ 
+ import javax.servlet.ServletConfig;
+@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.base.UserInfo;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cmsutil.xml.XMLObject;
++import org.apache.commons.io.IOUtils;
++import org.apache.commons.lang.StringUtils;
+ 
+ public class GetStatus extends CMSServlet {
+ 
+@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet {
+ *
+ */
+ private static final long serialVersionUID = -2852842030221659847L;
++ // File below will be a member of a pki theme package.
++ private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION";
+ 
+ public GetStatus() {
+ super();
+@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet {
+ xmlObj.addItemToContainer(root, "Type", type);
+ xmlObj.addItemToContainer(root, "Status", status);
+ xmlObj.addItemToContainer(root, "Version", version);
++ // File below will be a member of a pki theme package.
++ String productVersion = getProductVersion(productVersionFILE); ++ ++ if(!StringUtils.isEmpty(productVersion)) { ++ xmlObj.addItemToContainer(root,"ProductVersion", productVersion); ++ } ++ + byte[] cb = xmlObj.toByteArray(); + + outputResult(httpResp, "application/xml", cb); +@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet { + return locale; + } + ++ /** ++ * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION ++ * exists. ++ * ++ * Caller only cares if there is a string or not, exceptions handled here. ++ */ ++ private String getProductVersion(String versionFilePathName) { ++ String version = null; ++ FileInputStream inputStream = null; ++ ++ if(StringUtils.isEmpty(versionFilePathName)) { ++ CMS.debug("Missing product version file path!"); ++ return null; ++ } ++ ++ try { ++ inputStream = new FileInputStream(versionFilePathName); ++ String contents = IOUtils.toString(inputStream); ++ ++ if(contents != null) { ++ CMS.debug("Returning product version: " + version); ++ version = contents.trim(); ++ } ++ } catch (Exception e) { ++ CMS.debug("Failed to read product version String. 
" + e); ++ } ++ finally { ++ if(inputStream != null) { ++ try { ++ inputStream.close(); ++ } catch (IOException e) { ++ } ++ } ++ } ++ return version; ++ } + } +-- +1.8.3.1 + + +From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 14 Sep 2018 19:19:23 -0600 +Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder + overridden by CSR encoding + +https://pagure.io/dogtagpki/issue/2865 coverity fixes +(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72) +--- + .../netscape/cms/profile/def/UserSubjectNameDefault.java | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +index 636b045..459735e 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault { + * keep the old name so that the attribute + * encodings are preserved. */ + X500Name oldX500name = oldName.getX500Name(); +- if (x500name.toString().equals(oldX500name.toString())) { ++ if (x500name == null) { ++ CMS.debug( method ++ + "new Subject DN is null; " ++ + "retaining current value." ++ ); ++ x500name = oldX500name; ++ } else if (x500name.toString().equals(oldX500name.toString())) { + CMS.debug( method + + "new Subject DN has same string representation " + + "as current value; retaining current value." 
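Review bot: In getProductVersion the debug statement inside `if(contents != null)` prints `version` before it has been assigned, so it always logs "null" rather than the value read; the two statements should be swapped to `version = contents.trim();` followed by `CMS.debug("Returning product version: " + version);`. The `catch (IOException e) { }` in the finally block swallows a close failure without even a debug line, and `IOUtils.toString(inputStream)` with no charset argument decodes with the platform default; a try-with-resources over the FileInputStream plus `IOUtils.toString(inputStream, "UTF-8")` would address both and remove the manual close entirely. The Javadoc says "exceptions handled here" but the method also returns null for a blank path and for an empty file, which callers only see as "no version" — worth stating in the comment so the silent-null contract is explicit.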
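Review bot: The new `x500name == null` branch protects the new DN, but the `else if` still dereferences `oldX500name` from `oldName.getX500Name()` with no check; if that accessor can return null (not visible in this hunk), the comparison throws NullPointerException instead of reaching the debug-and-retain path the branch is meant to provide. A guard such as `} else if (oldX500name != null && x500name.toString().equals(oldX500name.toString())) {` would keep the comparison safe under the same assumption the new branch already makes. The enclosing method begins and ends outside the hunk.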
+@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault { + // to the certinfo + CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName( + IEnrollProfile.REQUEST_SUBJECT_NAME); ++ if (req_sbj == null) { ++ // failed to retrieve subject name ++ CMS.debug("UserSubjectNameDefault: populate req_sbj is null"); ++ throw new EProfileException(CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); ++ } + try { + info.set(X509CertInfo.SUBJECT, req_sbj); + +-- +1.8.3.1 + + +From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 22 Aug 2018 18:12:06 -0700 +Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client + +This patch provides code for ticket 2879, adding audit events for CS when + acting as a TLS client. + +For a running CS system, there are two cases when this happens: +1. When one CS subsystem is talking to another CS subsystem + In this case: HttpClient is used +2. 
When a CS subsystem is talking to an ldap syste + In this case: PKISocketFactory is used + +Events added are: + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED + +https://pagure.io/dogtagpki/issue/2879 + +Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8 +(cherry picked from commit add6813cb15673d604f05173585101a6e56745ca) +--- + base/ca/shared/conf/CS.cfg | 4 +- + .../event/ClientAccessSessionEstablishEvent.java | 74 +++++++ + .../event/ClientAccessSessionTerminatedEvent.java | 53 +++++ + base/kra/shared/conf/CS.cfg | 4 +- + base/ocsp/shared/conf/CS.cfg | 4 +- + .../cms/publish/publishers/OCSPPublisher.java | 4 + + .../dogtagpki/server/PKIClientSocketListener.java | 230 +++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 20 ++ + .../cmscore/connector/HttpConnFactory.java | 6 + + .../netscape/cmscore/connector/HttpConnection.java | 42 ++++ + .../netscape/cmscore/connector/HttpConnector.java | 10 + + .../com/netscape/cmscore/connector/Resender.java | 8 +- + .../cmscore/ldapconn/PKISocketFactory.java | 9 +- + base/tks/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/cmsutil/http/HttpClient.java | 14 ++ + .../netscape/cmsutil/http/JssSSLSocketFactory.java | 8 + + 16 files changed, 484 insertions(+), 10 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java + create mode 100644 base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 92504ff..4cef240 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + 
log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG 
++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG + log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java +new file mode 100644 +index 0000000..f54641a +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java +@@ -0,0 +1,74 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class ClientAccessSessionEstablishEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"; ++ ++ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"; ++ ++ public ClientAccessSessionEstablishEvent(String messageID) { ++ super(messageID); ++ } ++ ++ public static ClientAccessSessionEstablishEvent createSuccessEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID) { ++ ++ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( ++ CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ ++ return event; ++ } ++ ++ public static ClientAccessSessionEstablishEvent createFailureEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID, ++ String info) { ++ ++ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( ++ CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", 
serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.FAILURE); ++ event.setAttribute("Info", info); ++ ++ return event; ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java +new file mode 100644 +index 0000000..cad0c97 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java +@@ -0,0 +1,53 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
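Review bot: The message-ID constants are declared `public final static`, whereas the conventional (and JLS-recommended) modifier order is `public static final`, e.g. `public static final String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS =`. Both factories repeat the same four `setAttribute` calls for ClientHost/ServerHost/ServerPort/SubjectID; a private helper taking those four values would keep the success and failure variants from drifting apart as attributes are added. A class-level Javadoc stating that this event is emitted when the subsystem itself is the TLS client, so ClientHost is the local address and ServerHost the remote peer, would make the reversed naming relative to the server-side AccessSession events easier to read.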
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String CLIENT_ACCESS_SESSION_TERMINATED = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED"; ++ ++ public ClientAccessSessionTerminatedEvent(String messageID) { ++ super(messageID); ++ } ++ ++ public static ClientAccessSessionTerminatedEvent createEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID, ++ String info) { ++ ++ ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent( ++ CLIENT_ACCESS_SESSION_TERMINATED); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ event.setAttribute("Info", info); ++ ++ return event; ++ } ++} +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 878e5f8..6108576 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
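Review bot: createEvent hard-codes `event.setAttribute("Outcome", ILogger.SUCCESS);` even though the caller passes an `info` string carrying the alert reason, so a session torn down by a fatal TLS alert is audited with the same Outcome as a clean close and is distinguishable only by free-text. If this deliberately mirrors the server-side terminated event's convention (Outcome describes the logging of the termination, not the health of the session), a short Javadoc on createEvent saying so would prevent a later reader from treating Outcome as a health signal; otherwise an Outcome parameter or a second factory for abnormal termination would let SIEM filters key on it. The constants here also use `public final static` rather than the conventional `public static final`.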
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL + log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) + log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) + log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) +diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg +index b412e5e..d2e5256 100644 +--- a/base/ocsp/shared/conf/CS.cfg ++++ b/base/ocsp/shared/conf/CS.cfg +@@ -216,11 +216,11 @@ 
log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 +diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java +index 11d44b8..d15523e 100644 +--- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java ++++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java +@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import com.netscape.cmsutil.util.Utils; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + import netscape.ldap.LDAPConnection; + + /** +@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo { + + Socket socket = null; + JssSSLSocketFactory factory; ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); + + if (mClientAuthEnabled) { + factory = new JssSSLSocketFactory(mNickname); + } else { + factory = new 
JssSSLSocketFactory(); + } ++ factory.addSocketListener(sockListener); + + if (mHost != null && mHost.indexOf(' ') != -1) { + // support failover hosts configuration +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java +new file mode 100644 +index 0000000..dc49908 +--- /dev/null ++++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java +@@ -0,0 +1,230 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package org.dogtagpki.server; ++ ++import java.lang.Integer; ++import java.net.InetAddress; ++import java.security.Principal; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.WeakHashMap; ++ ++import org.mozilla.jss.crypto.X509Certificate; ++import org.mozilla.jss.ssl.SSLAlertDescription; ++import org.mozilla.jss.ssl.SSLAlertEvent; ++import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; ++import org.mozilla.jss.ssl.SSLSecurityStatus; ++import org.mozilla.jss.ssl.SSLSocket; ++import org.mozilla.jss.ssl.SSLSocketListener; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; ++import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent; ++import com.netscape.cms.logging.SignedAuditLogger; ++import com.netscape.certsrv.apps.CMS; ++ ++public class PKIClientSocketListener implements SSLSocketListener { ++ ++ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); ++ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); ++ ++ /** ++ * The socketInfos map is a storage for socket information that may not be available ++ * after the socket has been closed such as client IP address and subject ID. The ++ * WeakHashMap is used here to allow the map key (i.e. the socket object) to be ++ * garbage-collected since there is no guarantee that socket will be closed with an ++ * SSL alert for a proper map entry removal. 
++ */ ++ Map> socketInfos = new WeakHashMap<>(); ++ ++ @Override ++ public void alertReceived(SSLAlertEvent event) { ++ String method = "PKIClientSocketListener.alertReceived: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ String serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ String subjectID = subjectDN == null ? "" : subjectDN.toString(); ++*/ ++String subjectID = "SYSTEM"; ++ ++ int description = event.getDescription(); ++ String reason = SSLAlertDescription.valueOf(description).toString(); ++ ++ logger.debug("SSL alert received:"); ++ logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ ++ signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason)); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ @Override ++ public void alertSent(SSLAlertEvent event) { ++ String method = "PKIClientSocketListener.alertSent: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ int description = event.getDescription(); ++CMS.debug(method + "got description:"+ description); ++ String reason = 
SSLAlertDescription.valueOf(description).toString(); ++CMS.debug(method + "got reason:"+ reason); ++ ++ SignedAuditEvent auditEvent; ++ String clientIP; ++ String serverIP; ++ String serverPort; ++ String subjectID; ++ ++ if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { ++ ++ // get socket info from socketInfos map since socket has been closed ++ Map info = socketInfos.get(socket); ++ clientIP = (String)info.get("clientIP"); ++ serverIP = (String)info.get("serverIP"); ++ serverPort = (String)info.get("serverPort"); ++ subjectID = (String)info.get("subjectID"); ++ ++ auditEvent = ClientAccessSessionTerminatedEvent.createEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); ++ CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason); ++ ++ } else { ++ ++ // get socket info from the socket itself ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ ++ clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ subjectID = subjectDN == null ? 
"" : subjectDN.toString(); ++*/ ++subjectID = "SYSTEM"; ++ ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason); ++ ++ } ++ ++ logger.debug("SSL alert sent:"); ++ logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ signedAuditLogger.log(auditEvent); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ @Override ++ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { ++ String method = "PKIClientSocketListener.handshakeCompleted: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ String serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); ++*/ ++String subjectID = "SYSTEM"; ++ ++ logger.debug("Handshake completed:"); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ // store socket info in socketInfos map ++ Map info = new HashMap<>(); ++ info.put("clientIP", clientIP); ++ info.put("serverIP", serverIP); ++ info.put("serverPort", serverPort); ++ info.put("subjectID", subjectID); ++ socketInfos.put(socket, info); ++ ++ signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID)); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++} +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index d534506..a8a8deb 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ + LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ + :[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated + ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE ++# access session failed to establish when Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS ++# - used when access session was established successfully when ++# Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session 
establish successfully when Certificate System acts as client ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED ++# - used when access session was terminated when Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client ++ + + ########################### + #Unselectable signedAudit Events +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java +index 47f5e61..e4f92b4 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java +@@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import com.netscape.cmsutil.net.ISocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + /** + * Factory for getting HTTP Connections to a HTTPO server + */ +@@ -127,6 +129,10 @@ public class HttpConnFactory { + + try { + ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers); ++ PKIClientSocketListener sockListener = new PKIClientSocketListener() ++; ++ JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory; ++ factory.addSocketListener(sockListener); + + if (mTimeout == 0) { + retConn = CMS.getHttpConnection(mDest, tFactory); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +index fbd3268..649fa80 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +@@ -18,7 +18,10 @@ + package com.netscape.cmscore.connector; + + import java.io.IOException; ++import 
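Review bot: The listener wiring in the @@ -127 hunk leaves a lone `;` on its own line after `new PKIClientSocketListener()` and then casts `tFactory` back to the concrete type it was created as on the line above. Declaring the local with the concrete type removes both: `JssSSLSocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);` followed by `tFactory.addSocketListener(new PKIClientSocketListener());`; the later `CMS.getHttpConnection(mDest, tFactory)` calls still compile because JssSSLSocketFactory implements ISocketFactory. The same cast-after-assignment pattern appears in the two HttpConnector constructor hunks.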
java.lang.Integer; + import java.net.InetSocketAddress; ++import java.net.InetAddress; ++import java.net.UnknownHostException; + import java.util.ArrayList; + import java.util.List; + +@@ -28,14 +31,24 @@ import com.netscape.certsrv.connector.IHttpConnection; + import com.netscape.certsrv.connector.IPKIMessage; + import com.netscape.certsrv.connector.IRemoteAuthority; + import com.netscape.certsrv.connector.IRequestEncoder; ++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.cms.logging.SignedAuditLogger; + import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.http.HttpClient; + import com.netscape.cmsutil.http.HttpRequest; + import com.netscape.cmsutil.http.HttpResponse; + import com.netscape.cmsutil.net.ISocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ + public class HttpConnection implements IHttpConnection { + ++ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); ++ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); ++ + protected IRemoteAuthority mDest = null; + protected HttpRequest mHttpreq = new HttpRequest(); + protected IRequestEncoder mReqEncoder = null; +@@ -43,12 +56,18 @@ public class HttpConnection implements IHttpConnection { + + int timeout = 0; + List targets; ++ String localIP = "localhost"; + + public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, + int timeout // seconds + ) { + + CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout); ++ try { ++ localIP = InetAddress.getLocalHost().getHostAddress(); ++ } catch (UnknownHostException e) { ++ // default to "localhost"; ++ } + + mDest = dest; + mReqEncoder = new HttpRequestEncoder(); +@@ -118,6 +137,7 @@ public class HttpConnection implements IHttpConnection { + void connect() throws 
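Review bot: The logger added in the @@ -28 hunk is created with `LoggerFactory.getLogger(PKIClientSocketListener.class)`, so anything HttpConnection logs through it is attributed to the listener class; it should read `private static Logger logger = LoggerFactory.getLogger(HttpConnection.class);`. Within the visible hunks only `signedAuditLogger` is used, so if `logger` has no caller elsewhere in the file it can be dropped together with the two org.slf4j imports. The `import java.lang.Integer;` added in the preceding hunk is redundant as well, since java.lang is imported implicitly.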
IOException { + + IOException exception = null; ++ SignedAuditEvent auditEvent; + + // try all targets + for (InetSocketAddress target : targets) { +@@ -136,6 +156,14 @@ public class HttpConnection implements IHttpConnection { + } catch (IOException e) { + exception = e; + CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e); ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ localIP, ++ hostname, ++ Integer.toString(port), ++ "SYSTEM", ++ "connect:" +e.toString()); ++ signedAuditLogger.log(auditEvent); ++ + // try the next target immediately + } + } +@@ -229,6 +257,13 @@ public class HttpConnection implements IHttpConnection { + + HttpResponse resp = null; + boolean reconnected = false; ++ SignedAuditEvent auditEvent; ++ String localIP = "localhost"; ++ try { ++ localIP = InetAddress.getLocalHost().getHostAddress(); ++ } catch (UnknownHostException e) { ++ // default to "localhost"; ++ } + + if (getRequestURI() == null) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest")); +@@ -266,6 +301,13 @@ public class HttpConnection implements IHttpConnection { + resp = mHttpClient.send(mHttpreq); + + } catch (IOException e) { ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ localIP, ++ mHttpClient.getHost(), ++ mHttpClient.getPort(), ++ "SYSTEM", ++ "send:" +e.toString()); ++ signedAuditLogger.log(auditEvent); + + CMS.debug(e); + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java +index 398becc..0588bf4 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java +@@ -35,6 +35,8 @@ import com.netscape.cmsutil.http.HttpResponse; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import 
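Review bot: The `String localIP = "localhost"` local added in the @@ -229 hunk shadows the `localIP` field that the constructor hunk (@@ -43) already initialises with the same `InetAddress.getLocalHost()` lookup, so send() repeats a call that can stall on name resolution on every request while silently hiding the field. Dropping the local declaration and its try/catch and letting the failure event use the field keeps a single source of truth. If the per-call lookup is intentional (e.g. the address may change after construction), a comment saying so would help; the enclosing method starts outside the hunk.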
com.netscape.cmsutil.net.ISocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + public class HttpConnector implements IConnector { + protected IAuthority mSource = null; + protected IRemoteAuthority mDest = null; +@@ -55,8 +57,12 @@ public class HttpConnector implements IConnector { + mTimeout = 0; + mSource = source; + mDest = dest; ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); + mFactory = new JssSSLSocketFactory(nickName, clientCiphers); + ++ JssSSLSocketFactory factory = (JssSSLSocketFactory)mFactory; ++ factory.addSocketListener(sockListener); ++ + int minConns = config.getInteger("minHttpConns", 1); + int maxConns = config.getInteger("maxHttpConns", 15); + +@@ -82,8 +88,12 @@ public class HttpConnector implements IConnector { + mSource = source; + mDest = dest; + mTimeout = timeout; ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); + mFactory = new JssSSLSocketFactory(nickName, clientCiphers); + ++ JssSSLSocketFactory factory = (JssSSLSocketFactory) mFactory; ++ factory.addSocketListener(sockListener); ++ + int minConns = config.getInteger("minHttpConns", 1); + int maxConns = config.getInteger("maxHttpConns", 15); + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java +index e6d9ced..cc73077 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java +@@ -39,6 +39,8 @@ import com.netscape.certsrv.request.RequestStatus; + import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + /** + * Resend requests at intervals to the server to check if it's been completed. + * Default interval is 5 minutes. +@@ -127,7 +129,11 @@ public class Resender implements IResender { + + if (! 
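Review bot: Both constructor hunks (@@ -55 and @@ -82) assign the new factory to `mFactory` and then immediately cast it back with `(JssSSLSocketFactory) mFactory` to call addSocketListener. Building it through a typed local avoids the cast and the separate `sockListener` variable: `JssSSLSocketFactory factory = new JssSSLSocketFactory(nickName, clientCiphers);` then `factory.addSocketListener(new PKIClientSocketListener());` then `mFactory = factory;`. The constructors themselves begin before each hunk.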
connected) { + CMS.debug("Connecting ..."); +- mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers)); ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); ++ JssSSLSocketFactory factory = new JssSSLSocketFactory(mNickName, mClientCiphers); ++ factory.addSocketListener(sockListener); ++ ++ mConn = new HttpConnection(mDest, factory); + initRequests(); + connected = true; + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java +index d0c23ed..e9f28c9 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java +@@ -35,6 +35,8 @@ import com.netscape.certsrv.base.IConfigStore; + import netscape.ldap.LDAPException; + import netscape.ldap.LDAPSSLSocketFactoryExt; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + /** + * Uses HCL ssl socket. 
+ * +@@ -46,6 +48,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + private String mClientAuthCertNickname; + private boolean mClientAuth; + private boolean keepAlive; ++ PKIClientSocketListener sockListener = null; + + public PKISocketFactory() { + init(); +@@ -67,6 +70,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + IConfigStore cs = CMS.getConfigStore(); + keepAlive = cs.getBoolean("tcp.keepAlive", true); + CMS.debug("TCP Keep-Alive: " + keepAlive); ++ sockListener = new PKIClientSocketListener(); + + } catch (Exception e) { + CMS.debug(e); +@@ -75,6 +79,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + } + + public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException { ++ String method = "ldapconn/PKISocketFactory.makeSSLSocket: "; ++ CMS.debug(method + "begins"); + + /* + * let inherit TLS range and cipher settings +@@ -100,6 +106,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + s.setUseClientMode(true); + s.enableV2CompatibleHello(false); + ++ s.addSocketListener(sockListener); ++ + SSLHandshakeCompletedListener listener = null; + + listener = new ClientHandshakeCB(this); +@@ -119,7 +127,6 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + } + + public Socket makeSocket(String host, int port) throws LDAPException { +- + Socket s = null; + + try { +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index e9bf03e..60a3355 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -208,11 +208,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
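Review bot: makeSSLSocket() calls `s.addSocketListener(sockListener)` unconditionally, but the field is only assigned at the end of the try block in init() after the `tcp.keepAlive` read, so if an earlier statement in that try throws the listener stays null and every socket gets a null listener registered. Guarding the call, `if (sockListener != null) s.addSocketListener(sockListener);`, matches what the JssSSLSocketFactory hunk does; alternatively the listener can be created in the field initializer since its constructor takes no configuration. The field is also package-private and mutable — `private` would match `mClientAuth` and the neighbouring fields.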
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 +diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +index db042a7..2204e19 100644 +--- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java ++++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +@@ -46,6 +46,9 @@ public class HttpClient { + protected BufferedReader mBufferedReader = null; + protected SSLCertificateApprovalCallback mCertApprovalCallback = null; + protected boolean mConnected = false; ++ // for auditing purposes ++ protected String mHost; ++ protected String mPort; + + public HttpClient() { + } +@@ -63,6 +66,9 @@ public class HttpClient { + int timeout // milliseconds + ) throws IOException { + ++ mHost = host; ++ mPort = Integer.toString(port); ++ + if (mFactory != null) { + if (mCertApprovalCallback == null) { + mSocket = mFactory.makeSocket(host, port, timeout); +@@ -149,6 +155,14 @@ public class HttpClient { + return mSocket; + } + ++ public String getHost() { ++ return mHost; ++ } ++ ++ public String getPort() { ++ return mPort; ++ } ++ + /** + * unit test + */ +diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java 
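Review bot: The new `getHost()`/`getPort()` accessors in the @@ -149 hunk return null until connect(host, port, timeout) has run, since `mHost`/`mPort` are only assigned there, and the HttpConnection send() hunk feeds them straight into an audit event. A javadoc on each would make that contract explicit, e.g. `/** Host passed to the most recent connect(); null before the first connection. */`. The port is kept as a String solely for the audit event, which is worth stating on the `mPort` field alongside the existing "for auditing purposes" comment.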
b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +index eaed821..0d176ad 100644 +--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java ++++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +@@ -27,6 +27,7 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback; + import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; + import org.mozilla.jss.ssl.SSLHandshakeCompletedListener; + import org.mozilla.jss.ssl.SSLSocket; ++import org.mozilla.jss.ssl.SSLSocketListener; + + import com.netscape.cmsutil.net.ISocketFactory; + import com.netscape.cmsutil.crypto.CryptoUtil; +@@ -40,6 +41,7 @@ public class JssSSLSocketFactory implements ISocketFactory { + private String mClientAuthCertNickname = null; + private String mClientCiphers = null; + private SSLSocket s = null; ++ private SSLSocketListener sockListener = null; + + public JssSSLSocketFactory() { + } +@@ -83,6 +85,8 @@ public class JssSSLSocketFactory implements ISocketFactory { + + listener = new ClientHandshakeCB(this); + s.addHandshakeCompletedListener(listener); ++ if (this.sockListener != null) ++ s.addSocketListener(this.sockListener); + + if (mClientAuthCertNickname != null) { + // 052799 setClientCertNickname does not +@@ -131,6 +135,10 @@ public class JssSSLSocketFactory implements ISocketFactory { + return s; + } + ++ public void addSocketListener(SSLSocketListener sl) { ++ this.sockListener = sl; ++ } ++ + public void log(int level, String msg) { + } + +-- +1.8.3.1 + + +From 44030bf381dc868e64c0e80d112bce72a626e8fb Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 31 Aug 2018 08:52:22 -0700 +Subject: [PATCH 09/19] Ticket2960 add SHA384 ciphers and cleanup profiles + +Note: this is a 2nd attempt as the first attempt was reverted due to +"breakage" of post-checkin-enablement of the IPA CI, which is +speculated to have used a server cert as a client cert which violated +one of the very essence of the "profile cleanup" part of the original 
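Review bot: `addSocketListener(SSLSocketListener sl)` in the @@ -131 hunk stores a single reference, so a second call silently replaces the first listener instead of adding one as the name suggests. Either rename it (`setSocketListener`) or keep a `List<SSLSocketListener>` and register each one in makeSocket(); at minimum a javadoc `/** Sets the listener attached to every socket this factory creates; a later call replaces the earlier one. */` avoids surprises for callers. Every caller in this patch passes a fresh PKIClientSocketListener, so today the replacement is harmless.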
+patch; As a compromise, the clientAuth bit was added back to all +non-CMC *server* profiles so the patch will pass the IPA CI. +The revised patch has been adquately tested in addition to passing +the IPA CI. + +This patch adds SHA384 ciphers to the cipher lists (RSA & EC) + +CryptoUtil.java contains changes to clientECCiphers: + - RSA ciphers comemented out + - SHA384 ciphers are added but RSA ones commented out + +Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed. + +In addition, a few cleanups are done: +- all MD2, MD5 from allowed signing key algs from profiles +- server profiles: + * removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles + * fixed a couple KU's (RSA vs EC) that had true/false flipped +- caCMCkraStorageCert.cfg + * removed EKU (funny it had clientAuth) +- caCMCkraTransportCert.cfg + * removed EKU (funny it had clientAuth) +- base/ca/shared/conf/eccServerCert.profile + * added the missing CommonNameToSANDefault + +Tested with the following: +- installation of an RSA CA and a KRA (strip down to only SHA384 ciphers) + * performed successful agent access + * tested key archival +- installation of an EC CA (strip down to only SHA384 ciphers) + * performed successful agent access + * tested an agent-signed CMC request and submitted/issued successfully + using HttpClient + +The above tests showed: +- The SHA384 ciphers work out of box +- The TLS server and client profiles changes did not break any TLS connections. +- The KRA storage and transport profile changes did not break anything. 
+ +fixes https://pagure.io/dogtagpki/issue/2960 + +Change-Id: Ia41dfbcec972cb18752b50056f29edf61cb3ce61 +(cherry picked from commit 97e290663f29d5b2c5afab18e4a7c90af05c874c) +--- + base/ca/shared/conf/CS.cfg | 2 +- + base/ca/shared/conf/eccAdminCert.profile | 2 +- + base/ca/shared/conf/eccServerCert.profile | 4 +++- + base/ca/shared/conf/rsaAdminCert.profile | 2 +- + base/ca/shared/profiles/ca/AdminCert.cfg | 6 +++--- + base/ca/shared/profiles/ca/ECAdminCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caAdminCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caAgentFileSigning.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 8 +------- + base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 8 +------- + base/ca/shared/profiles/ca/caCMCserverCert.cfg | 2 +- + base/ca/shared/profiles/ca/caCrossSignedCACert.cfg | 2 +- + base/ca/shared/profiles/ca/caDirBasedDualCert.cfg | 8 ++++---- + base/ca/shared/profiles/ca/caDirPinUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caDualCert.cfg | 6 +++--- + base/ca/shared/profiles/ca/caDualRAuserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caECAdminCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECDirUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECDualCert.cfg | 3 +-- + base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg | 2 +- + base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caECUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caEncUserCert.cfg | 2 +- + 
base/ca/shared/profiles/ca/caIPAserviceCert.cfg | 2 +- + base/ca/shared/profiles/ca/caInstallCACert.cfg | 2 +- + base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg | 2 +- + base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg | 2 +- + base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 2 +- + base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg | 2 +- + base/ca/shared/profiles/ca/caJarSigningCert.cfg | 2 +- + base/ca/shared/profiles/ca/caOtherCert.cfg | 2 +- + base/ca/shared/profiles/ca/caRACert.cfg | 2 +- + base/ca/shared/profiles/ca/caRARouterCert.cfg | 2 +- + base/ca/shared/profiles/ca/caRAagentCert.cfg | 2 +- + base/ca/shared/profiles/ca/caRAserverCert.cfg | 12 ++++++++---- + base/ca/shared/profiles/ca/caRouterCert.cfg | 2 +- + base/ca/shared/profiles/ca/caSigningUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caStorageCert.cfg | 10 ++-------- + base/ca/shared/profiles/ca/caTPSCert.cfg | 2 +- + base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg | 2 +- + base/ca/shared/profiles/ca/caUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg | 2 +- + .../netscape/cms/profile/common/CACertCAEnrollProfile.java | 2 +- + .../src/com/netscape/cms/profile/def/SigningAlgDefault.java | 2 +- + base/server/python/pki/server/deployment/pkiparser.py | 10 ++++++++-- + base/server/share/conf/ciphers.info | 4 ++-- + base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 ++++++++++-- + 56 files changed, 103 insertions(+), 102 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 6b39b0a..4cef240 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail= + ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME] + ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA + ca.ocsp_signing.tokenname=internal 
+-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
++ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
+ ca.publish.createOwnDNEntry=false
+ ca.publish.queue.enable=true
+ ca.publish.queue.maxNumberOfThreads=3
+diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
+index 46d157a..219944a 100644
+--- a/base/ca/shared/conf/eccAdminCert.profile
++++ b/base/ca/shared/conf/eccAdminCert.profile
+@@ -26,7 +26,7 @@ list=2,4,5,6,7
+ 6.default.params.keyUsageCritical=true
+ 6.default.params.keyUsageDigitalSignature=true
+ 6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageDataEncipherment=false
+ 6.default.params.keyUsageKeyEncipherment=false
+ 6.default.params.keyUsageKeyAgreement=true
+ 6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
+index 8c679f7..d990e77 100644
+--- a/base/ca/shared/conf/eccServerCert.profile
++++ b/base/ca/shared/conf/eccServerCert.profile
+@@ -6,7 +6,7 @@ name=All Purpose SSL server cert with ECC keys Profile
+ description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
+ profileIDMapping=caECServerCert
+ profileSetIDMapping=serverCertSet
+-list=2,4,5,6,7
++list=2,4,5,6,7,8
+ 2.default.class=com.netscape.cms.profile.def.ValidityDefault
+ 2.default.name=Validity Default
+ 2.default.params.range=720
+@@ -37,3 +37,5 @@ list=2,4,5,6,7
+ 7.default.name=Extended Key Usage Extension Default
+ 7.default.params.exKeyUsageCritical=false
+ 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
++8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
++8.default.name=copy CN to SAN Default
+diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
+index 5e84d74..7b3668c 100644
+--- a/base/ca/shared/conf/rsaAdminCert.profile
++++ b/base/ca/shared/conf/rsaAdminCert.profile
+@@ -26,7 +26,7 @@ list=2,4,5,6,7
+ 6.default.params.keyUsageCritical=true
+ 6.default.params.keyUsageDigitalSignature=true
+ 6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageDataEncipherment=false
+ 6.default.params.keyUsageKeyEncipherment=true
+ 6.default.params.keyUsageKeyAgreement=false
+ 6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
+index 7879614..18cbc2f 100644
+--- a/base/ca/shared/profiles/ca/AdminCert.cfg
++++ b/base/ca/shared/profiles/ca/AdminCert.cfg
+@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
+ policyset.adminCertSet.6.default.params.keyUsageCritical=true
+ policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+@@ -80,7 +80,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.adminCertSet.8.constraint.name=No Constraint
+-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.adminCertSet.8.default.name=Signing Alg
+ policyset.adminCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+index e00022e..38562a6 100644
+--- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
++++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
+ policyset.adminCertSet.6.default.params.keyUsageCritical=true
+ policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
+index 86a3b11..6598677 100644
+--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
++++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
+@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
+ policyset.adminCertSet.6.default.params.keyUsageCritical=true
+ policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+index 5608373..cc65afc 100644
+--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
++++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+index b7b4881..226c05c 100644
+--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+index 53b0c4d..68c59fb 100644
+--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
+ policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+ policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+index df47758..657b98e 100644
+--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+index 1c2630d..908f584 100644
+--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=drmStorageCertSet
+-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
++policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
+ policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+ policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+@@ -71,12 +71,6 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.drmStorageCertSet.7.constraint.name=No Constraint
+-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.drmStorageCertSet.9.constraint.name=No Constraint
+ policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+index 3d00408..628253d 100644
+--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=transportCertSet
+-policyset.transportCertSet.list=1,2,3,4,5,6,7,8
++policyset.transportCertSet.list=1,2,3,4,5,6,8
+ policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+ policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+@@ -71,12 +71,6 @@ policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+ policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+ policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.transportCertSet.7.constraint.name=No Constraint
+-policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.transportCertSet.8.constraint.name=No Constraint
+ policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+index 9ad9fac..628fc50 100644
+--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
+ policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+ policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+index 8fafbdf..efc35a3 100644
+--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
++++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+@@ -76,7 +76,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+ policyset.caCertSet.8.default.params.critical=false
+ policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caCertSet.9.constraint.name=No Constraint
+-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caCertSet.9.default.name=Signing Alg
+ policyset.caCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
+index 3f34684..ac761c9 100644
+--- a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
+@@ -1,6 +1,6 @@
+ desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
+ visible=true
+-enable=true
++enable=false
+ enableBy=admin
+ name=Directory-authenticated User Signing & Encryption Certificates Enrollment
+ auth.instance_id=UserDirEnrollment
+@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.encryptionCertSet.9.constraint.name=No Constraint
+-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.encryptionCertSet.9.default.name=Signing Alg
+ policyset.encryptionCertSet.9.default.params.signingAlg=-
+@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.signingCertSet.9.constraint.name=No Constraint
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+ policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.signingCertSet.9.default.name=Signing Alg
+ policyset.signingCertSet.9.default.params.signingAlg=-
+-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
+index af2b5e5..f9e24b9 100644
+--- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
+@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+index 0b7f6b7..2e90d97 100644
+--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
+index 87036d1..c5cf168 100644
+--- a/base/ca/shared/profiles/ca/caDualCert.cfg
++++ b/base/ca/shared/profiles/ca/caDualCert.cfg
+@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.encryptionCertSet.9.constraint.name=No Constraint
+-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.encryptionCertSet.9.default.name=Signing Alg
+ policyset.encryptionCertSet.9.default.params.signingAlg=-
+@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.signingCertSet.9.constraint.name=No Constraint
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.signingCertSet.9.default.name=Signing Alg
+ policyset.signingCertSet.9.default.params.signingAlg=-
+-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
+index 7d61b36..e25b4bb 100644
+--- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
+@@ -88,7 +88,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
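Review bot: The rewritten `signingAlgsAllowed` constraint lists only drop MD5withRSA/MD2withRSA and still carry SHA1withRSA, SHA1withDSA and SHA1withEC, so the signing-algorithm constraint in caDualRAuserCert.cfg continues to admit SHA-1 signatures; the same lists appear in the AdminCert.cfg, caAgentFileSigning.cfg, caCrossSignedCACert.cfg, caDirBasedDualCert.cfg, caDirPinUserCert.cfg, caDirUserCert.cfg, caDualCert.cfg and caECDualCert.cfg hunks of this patch. The server-wide default set in the CS.cfg hunk, `ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`, and the CMC profiles touched here (caCMCserverCert.cfg, caCMCkraStorageCert.cfg, caCMCkraTransportCert.cfg) already list SHA-256 and stronger only, so these profiles end up more permissive than the rest of the patch; if keeping SHA-1 in them is deliberate, the commit message should say so, otherwise trimming the lists to the CS.cfg default would make the change consistent. Separately, caDualCert.cfg and caDirBasedDualCert.cfg keep the `policyset.signingCertSet.9.default.params.signingAlgsAllowed=...` key under the default (only its value is edited), while the caECDualCert.cfg hunk deletes that key outright; the three dual-cert profiles should be handled the same way.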
+diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
+index d57bae1..84cab82 100644
+--- a/base/ca/shared/profiles/ca/caECAdminCert.cfg
++++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
+@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
+ policyset.adminCertSet.6.default.params.keyUsageCritical=true
+ policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
+index 4143102..7b33de6 100644
+--- a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
+@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
+ policyset.userCertSet.6.default.params.keyUsageCritical=true
+ policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+index b65999e..11eafa7 100644
+--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
+ policyset.userCertSet.6.default.params.keyUsageCritical=true
+ policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
+index 0a56caf..663aa13 100644
+--- a/base/ca/shared/profiles/ca/caECDualCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
+@@ -161,8 +161,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.signingCertSet.9.constraint.name=No Constraint
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.signingCertSet.9.default.name=Signing Alg
+ policyset.signingCertSet.9.default.params.signingAlg=-
+-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+index 48e6499..b3cc471 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+@@ -48,7 +48,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -60,7 +60,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+index b24cb03..822e96b 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+@@ -51,7 +51,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -63,7 +63,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+index e7b60ee..5a817df 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+@@ -59,7 +59,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ 
policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false +@@ -71,7 +71,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false +diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +index 8580544..24d61ca 100644 +--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg ++++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg +@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint + policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl + policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default + policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint + policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git 
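Review bot: The trimmed `exKeyUsageOIDs` drops 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection) from this TLS server-certificate profile, and the caInternalAuthServerCert.cfg hunk later in the patch makes the same change, but the caTPSCert.cfg hunk leaves `1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4` untouched as context, and caRARouterCert.cfg and caRouterCert.cfg likewise keep 7.3.4. If emailProtection is being removed from server profiles on purpose, caTPSCert.cfg should get the same one-line change, `policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`. If the difference is intentional, a sentence in the commit message saying which profiles are in scope would save the next reviewer the question.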
a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +index 8df3576..3d072a2 100644 +--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl + policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false +@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl + policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false +diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg +index a6bf04a..dda7282 100644 +--- a/base/ca/shared/profiles/ca/caECUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECUserCert.cfg +@@ -59,7 +59,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.userCertSet.6.constraint.params.keyUsageCritical=true + 
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -71,7 +71,7 @@ policyset.userCertSet.6.default.name=Key Usage Default + policyset.userCertSet.6.default.params.keyUsageCritical=true + policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg +index 07e78f9..c166b28 100644 +--- a/base/ca/shared/profiles/ca/caEncUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg +@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.encryptionCertSet.9.constraint.name=No Constraint +-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.encryptionCertSet.9.default.name=Signing Alg
+ policyset.encryptionCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+index 9603758..42d802e 100644
+--- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
++++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
+index 7bdb180..ba942d7 100644
+--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
++++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
+@@ -80,7 +80,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+ policyset.caCertSet.8.default.params.critical=false
+ policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caCertSet.9.constraint.name=No Constraint
+-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caCertSet.9.default.name=Signing Alg
+ policyset.caCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+index 5acc174..60d560d 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.drmStorageCertSet.9.constraint.name=No Constraint
+-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.drmStorageCertSet.9.default.name=Signing Alg
+ policyset.drmStorageCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+index 8788f94..982c868 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+ policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+ policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.ocspCertSet.9.constraint.name=No Constraint
+-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.ocspCertSet.9.default.name=Signing Alg
+ policyset.ocspCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+index de3c2a5..25538e7 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
+ policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+ policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+index 9f7680a..bdc69bc 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.transportCertSet.8.constraint.name=No Constraint
+-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.transportCertSet.8.default.name=Signing Alg
+ policyset.transportCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+index f5f5e62..8aea48d 100644
+--- a/base/ca/shared/profiles/ca/caJarSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+@@ -80,7 +80,7 @@ policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false
+ policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false
+ policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl
+ policyset.caJarSigningSet.6.constraint.name=No Constraint
+-policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl
+ policyset.caJarSigningSet.6.default.name=Signing Alg
+ policyset.caJarSigningSet.6.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
+index e5cf627..5b8f50e 100644
+--- a/base/ca/shared/profiles/ca/caOtherCert.cfg
++++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
+@@ -79,7 +79,7 @@ policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.otherCertSet.8.constraint.name=No Constraint
+-policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.otherCertSet.8.default.name=Signing Alg
+ policyset.otherCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
+index 9774566..fb1199e 100644
+--- a/base/ca/shared/profiles/ca/caRACert.cfg
++++ b/base/ca/shared/profiles/ca/caRACert.cfg
+@@ -79,7 +79,7 @@ policyset.raCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.raCertSet.8.constraint.name=No Constraint
+-policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.raCertSet.8.default.name=Signing Alg
+ policyset.raCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
+index 05b3a72..c504285 100644
+--- a/base/ca/shared/profiles/ca/caRARouterCert.cfg
++++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
+index 2199b26..db22f90 100644
+--- a/base/ca/shared/profiles/ca/caRAagentCert.cfg
++++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
+@@ -89,7 +89,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
+index 3a6cefa..e2406b4 100644
+--- a/base/ca/shared/profiles/ca/caRAserverCert.cfg
++++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
+@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=serverCertSet
+-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
+ policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+ policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.serverCertSet.6.default.name=Key Usage Default
+ policyset.serverCertSet.6.default.params.keyUsageCritical=true
+ policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+@@ -79,7 +79,11 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.9.constraint.name=No Constraint
++policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
++policyset.serverCertSet.9.default.name=copy CN to SAN Default
+diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg b/base/ca/shared/profiles/ca/caRouterCert.cfg
+index 3364675..b306102 100644
+--- a/base/ca/shared/profiles/ca/caRouterCert.cfg
++++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+index f197ffa..7fac691 100644
+--- a/base/ca/shared/profiles/ca/caSigningUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.signingCertSet.9.constraint.name=No Constraint
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.signingCertSet.9.default.name=Signing Alg
+ policyset.signingCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+index a55873f..6987061 100644
+--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
+index c8e7205..62d6968 100644
+--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
++++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
+@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=drmStorageCertSet
+-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
++policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
+ policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+ policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+@@ -71,15 +71,9 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.drmStorageCertSet.7.constraint.name=No Constraint
+-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.drmStorageCertSet.9.constraint.name=No Constraint
+-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.drmStorageCertSet.9.default.name=Signing Alg
+ policyset.drmStorageCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
+index 82a217a..4f98512 100644
+--- a/base/ca/shared/profiles/ca/caTPSCert.cfg
++++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+index 43caf26..ef8ab5f 100644
+--- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
++++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
+index 9164dac..62bc40c 100644
+--- a/base/ca/shared/profiles/ca/caUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caUserCert.cfg
+@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
+index 43b6e85..81fc027 100644
+--- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
++++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
+@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
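Review bot: The new policy 9 (`commonNameToSANDefaultImpl`, added at the end of the `@@ -79,7 +79,11 @@` hunk) propagates the subject CN into the SAN extension, while policy 1 in the first hunk of this file still constrains the subject with `policyset.serverCertSet.1.constraint.params.pattern=CN=.*`, so whatever CN the request carries is accepted and then promoted to a SAN entry with no profile-level check that it is a syntactically valid host name. Unless commonNameToSANDefaultImpl validates the CN itself (not visible here), consider tightening the pattern in policy 1 or documenting that the RA approval step is the only control on the name that ends up in SAN. Note also that the list change in the `@@ -10,7 +10,7 @@` hunk (`1,2,3,4,5,6,7,8,9`) is what activates policy 9; both hunks need to land together.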
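Review bot: The `@@ -71,15 +71,9 @@` hunk deletes the whole extendedKeyUsage policy (7) from the KRA storage-certificate profile, while the caInternalAuthDRMstorageCert.cfg hunk earlier in this patch keeps `policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2` as unchanged context, so the two storage-cert profiles now disagree on whether the certificate carries a clientAuth EKU. If dropping the EKU from a key-wrapping certificate is the intended hardening, the internal-auth variant should presumably receive the same removal; if not, a sentence in the commit message explaining why only this profile changes would help. The list change in the `@@ -10,7 +10,7 @@` hunk (`1,2,3,4,5,6,9`) matches the removal, so no dangling policy reference is left behind.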
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java +index 1ae2f08..c4f2d6b 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java +@@ -76,7 +76,7 @@ public class CACertCAEnrollProfile extends CAEnrollProfile + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4.putString("params.signingAlgsAllowed", +- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); ++ "SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); + + // extensions + IProfilePolicy policy5 = +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java +index 81ad58c..97f221e 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java +@@ -46,7 +46,7 @@ public class SigningAlgDefault extends EnrollDefault { + + public static final String VAL_ALGORITHM = "signingAlg"; + public static final String DEF_CONFIG_ALGORITHMS = +- "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; ++ "-,SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA"; + + public SigningAlgDefault() { + super(); +diff --git a/base/server/python/pki/server/deployment/pkiparser.py 
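Review bot: `DEF_CONFIG_ALGORITHMS` in SigningAlgDefault now offers `SHA384withRSA`, but the hard-coded `params.signingAlgsAllowed` in CACertCAEnrollProfile two hunks above still omits it, so a CA-certificate enrollment through that built-in profile rejects SHA-384/RSA even though the default list presents it; adding `SHA384withRSA` to that string keeps the two in step. Both lists also keep `SHA1withRSA` as the first concrete choice after `-`, so SHA-1 remains selectable for CA certificates; either drop it or record why it stays. `DEF_CONFIG_ALGORITHMS` has no javadoc; something like `/** Signing algorithms offered when the profile does not set signingAlgsAllowed; "-" presumably selects the CA's own signing algorithm (confirm). */` would help, with the meaning of `-` checked against SigningAlgDefault's use of it, which is outside this hunk.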
b/base/server/python/pki/server/deployment/pkiparser.py +index 53296fc..3e0c9d2 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1152,7 +1152,9 @@ class PKIConfigParser: + "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ++ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + else: + self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ +@@ -1186,7 +1188,11 @@ class PKIConfigParser: + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA" ++ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ ++ "-TLS_RSA_WITH_AES_256_GCM_SHA384" + + if self.deployer.architecture == 64: + self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index 44c6e4b..e51bffd 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -123,8 +123,8 @@ + # + ## + # For RSA servers: +- 
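Review bot: The RSA branch turns on `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and adds `-TLS_RSA_WITH_AES_256_GCM_SHA384`, yet the static-RSA CBC/SHA-1 suites `+TLS_RSA_WITH_AES_128_CBC_SHA` and `+TLS_RSA_WITH_AES_256_CBC_SHA` just above stay enabled, which is inverted from a strength standpoint (a later patch in this same file disables the TLS_RSA_* suites for FIPS-HSM reasons, which happens to resolve it). The same list is now hand-maintained in both branches here and again in `base/server/share/conf/ciphers.info`, and nothing checks they agree. A module-level tuple per key type joined with `",".join(...)`, or a test asserting the two branches match `ciphers.info`, would stop the three copies drifting; at minimum add `# keep in sync with base/server/share/conf/ciphers.info` above each string. The enclosing method continues outside the hunk.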
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" + # + # + # For ECC servers: +- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index d3036f3..c1688e4 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -188,13 +188,21 @@ public class CryptoUtil { + public static final int LINE_COUNT = 76; + + static public final Integer[] clientECCiphers = { ++/* + SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, ++*/ + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +- SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, +- 
SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++// SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, ++/* ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ++*/ + }; + static public List clientECCipherList = new ArrayList(Arrays.asList(clientECCiphers)); + +-- +1.8.3.1 + + +From 992d97189bbcfff3427b1dcc752f6588da25e496 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 31 Aug 2018 17:08:30 -0700 +Subject: [PATCH 10/19] Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS + mode + +This patch disables the TLS_RSA_* ciphers by default because they do not work +with HSMs in FIPS mode. +ciphers.info is also updated to reflect the changes. + +fixes https://pagure.io/dogtagpki/issue/3027 + +Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 +(cherry picked from commit 908514da63dd9364df0f17810d9d41bfb5c596d5) +--- + .../python/pki/server/deployment/pkiparser.py | 12 ++-- + base/server/share/conf/ciphers.info | 70 ++++++++-------------- + 2 files changed, 31 insertions(+), 51 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 3e0c9d2..2397f43 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1130,7 +1130,7 @@ class PKIConfigParser: + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +@@ -1146,7 +1146,7 @@ class PKIConfigParser: + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + 
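Review bot: The ECDHE_RSA entries are removed from `clientECCiphers` by wrapping them in `/* */` and `//` rather than deleting them, so the array now carries four dead lines and no statement of why they are excluded; the history lives in git, so the commented code should go and be replaced by one comment giving the reason, e.g. `// ECDHE_RSA suites intentionally omitted from the EC client list (reason: <fill in from the ticket>)`, since the rationale is not visible in this hunk. The unchanged `clientECCipherList` next to it is a raw `List`/`ArrayList`; `List<Integer>` would be the natural type when this is next touched. The class continues outside the hunk.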
"-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ +@@ -1183,12 +1183,12 @@ class PKIConfigParser: + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index e51bffd..bbb3cf1 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -26,17 +26,6 @@ + # suited for the type of the server installed. Changes can be made to + # suit each site's needs. + # +-# Although TLS1.2 ciphers (SHA256) are preferred, many older clients +-# do not support them. For example, the following "preferred modern" +-# ciphers are on by default, and by simply limiting the +-# sslVersionRange* parameters, they can be turned off. 
+-# +-# TLS_RSA_WITH_AES_128_CBC_SHA256, +-# TLS_RSA_WITH_AES_256_CBC_SHA256, +-# TLS_RSA_WITH_AES_128_GCM_SHA256, +-# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +-# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +-# + # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, + # which, while provide added security to the already secure and adequate + # TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions. +@@ -62,25 +51,6 @@ + # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + # +-# The following somewhat weaker ciphers (in CBC mode), though +-# adequate for the CS operations, can be turned off if so desired: +-# +-# TLS_RSA_WITH_AES_128_CBC_SHA, +-# TLS_RSA_WITH_AES_256_CBC_SHA, +-# +-# Note: In an EC CS server setup, you will see by default that the +-# following RSA ciphers are left on. Those are used for +-# installation where the actual systems certs have not yet been +-# created, and a temporary RSA ssl server cert is at play. +-# +-# Those can be turned off manually by sites. +-# +-# TLS_RSA_WITH_AES_256_CBC_SHA256, +-# TLS_RSA_WITH_AES_128_GCM_SHA256 +-# +-# These ciphers might be removed by the installation script in +-# some future release. 
+-# + # For RHEL 7.5 or greater: + # + # * all '3DES' ciphers have been disabled, +@@ -98,33 +68,43 @@ + # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++# +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +-# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +-# +TLS_RSA_WITH_AES_128_CBC_SHA256, +-# +TLS_RSA_WITH_AES_256_CBC_SHA256, +-# +TLS_RSA_WITH_AES_128_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA +-# +-# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA, +-# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain +-# enabled in order to talk to the LDAP server +-# during pkispawn installation/configuration. ++# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ++# +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + # + # Default ciphers enabled for ECC servers: + # + # +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA, + # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +-# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++# +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ++# ++# For RHEL 7.6 or greater: ++# ++# The following ciphers do not work with HSM in FIPS mode, and ++# are therefore disabled by default. 
++# ++# TLS_RSA_WITH_AES_256_CBC_SHA, ++# TLS_RSA_WITH_AES_128_CBC_SHA, ++# TLS_RSA_WITH_AES_128_CBC_SHA256, ++# TLS_RSA_WITH_AES_256_CBC_SHA256, ++# TLS_RSA_WITH_AES_128_GCM_SHA256, ++# TLS_RSA_WITH_AES_256_GCM_SHA384 ++# ++# note: ++# * They are currently not preferred in TLS 1.2 ++# * They are deprecated in TLS 1.3 + # + ## + # For RSA servers: +- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" + # + # + # For ECC servers: +- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" +-- +1.8.3.1 + + +From 5385791f72c5fab901aa38cbc31fd2fd9af269bf Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 18 Sep 2018 16:13:29 -0700 +Subject: [PATCH 11/19] Bug1628410 CMC: add config to allow non-clientAuth + +This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg +to allow agents to bypass clientAuth requirement in CMCAuth. +Default value for cmc.bypassClientAuth is false. + +In addition, CMC enrollment profile caCMCUserCert "visible" value is +set to false. 
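Review bot: The new note says the TLS_RSA_* suites "are deprecated in TLS 1.3", but RFC 8446 removed static RSA key exchange entirely rather than deprecating it, so the line should read `# * They are not available in TLS 1.3 (RFC 8446 removed static RSA key exchange)`. The retained paragraph near the top of the file still calls the TLS_RSA_* suites "already secure and adequate" and presents ECDHE_RSA as an optional extra costing three times the handshake time, which now contradicts disabling them by default; that paragraph should be rewritten to say the ECDHE/DHE suites are the defaults and TLS_RSA_* are off for forward-secrecy and FIPS-HSM reasons. The "For RHEL 7.6 or greater" heading also leaves it unclear whether the "Default ciphers enabled" lists above it describe the pre- or post-patch state; a one-line statement would settle that.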
+ +fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410 + +Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc +(cherry picked from commit 19120d14941b5964a728ab06b0406be3ddeff5d4) +--- + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 2 +- + .../com/netscape/cms/authentication/CMCAuth.java | 50 +++++++++++++--------- + 2 files changed, 30 insertions(+), 22 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +index 657b98e..1f990f2 100644 +--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. +-visible=true ++visible=false + enable=true + enableBy=admin + auth.instance_id=CMCAuth +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 9b6a819..98d5e29 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -127,6 +127,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + /* authentication plug-in configuration store */ + private IConfigStore mConfig; ++ private boolean mBypassClientAuth = false; + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; + private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; +@@ -213,6 +214,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + mName = name; + mImplName = implName; + mConfig = config; ++ mBypassClientAuth = ++ CMS.getConfigStore().getBoolean("cmc.bypassClientAuth", false); + + log(ILogger.LL_INFO, "Initialization complete!"); + } +@@ -882,28 +885,33 @@ public class CMCAuth implements 
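Review bot: `visible=false` only hides caCMCUserCert from the profile listing; with `enable=true` kept, the profile can still be used by any client that requests it by id, so as far as I can tell this does not restrict who may enroll through it and should not be read as a hardening step. If the profile loader tolerates `#` comments, `# hidden from the profile list; still enabled for CMC clients that name it explicitly` above `visible=false` would make that explicit; if the intent was to limit use, `enable=false` or an authz change is what does that.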
IAuthManager, IExtendedPluginInfo, + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + if (clientCert == null) { +- // createAuditSubjectFromCert(auditContext, x509Certs[0]); +- msg = "missing SSL client authentication certificate;"; +- CMS.debug(method + msg); +- s.close(); +- throw new EMissingCredential( +- CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); +- } +- netscape.security.x509.X500Name clientPrincipal = +- (X500Name) clientCert.getSubjectDN(); +- +- netscape.security.x509.X500Name cmcPrincipal = +- (X500Name) x509Certs[0].getSubjectDN(); +- +- // check ssl client cert against cmc signer +- if (!clientPrincipal.equals(cmcPrincipal)) { +- msg = "SSL client authentication certificate and CMC signer do not match"; +- CMS.debug(method + msg); +- s.close(); +- throw new EInvalidCredentials( +- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); ++ if (mBypassClientAuth) { ++ msg = "missing SSL client authentication certificate; allowed"; ++ CMS.debug(method + msg); ++ } else { ++ msg = "missing SSL client authentication certificate;"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EMissingCredential( ++ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); ++ } + } else { +- CMS.debug(method + "ssl client cert principal and cmc signer principal match"); ++ netscape.security.x509.X500Name clientPrincipal = ++ (X500Name) clientCert.getSubjectDN(); ++ ++ netscape.security.x509.X500Name cmcPrincipal = ++ (X500Name) x509Certs[0].getSubjectDN(); ++ ++ // check ssl client cert against cmc signer ++ if (!clientPrincipal.equals(cmcPrincipal)) { ++ msg = "SSL client authentication certificate and CMC signer do not match"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EInvalidCredentials( ++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); ++ } else { ++ CMS.debug(method + "ssl client cert principal and cmc signer principal match"); ++ } + } + + PublicKey 
signKey = cert.getPublicKey(); +-- +1.8.3.1 + + +From b53d4f5f135432d6bc25b4bc0def1ea4b44705a4 Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Mon, 1 Oct 2018 16:25:08 -0400 +Subject: [PATCH 12/19] Fixes password leak of Auth plugins to Audit Logs (#57) + +* Auth plugin adds `(sensitive)` instead of plain passwords +to AuditLogs +* Added generic `isSensitive()` to identify Passwords before logging + +Signed-off-by: Dinesh Prasanth M K + +(cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1) +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 30 ++++++++++++++++++++++ + .../netscape/cms/servlet/admin/AdminServlet.java | 18 ++----------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 21 +-------------- + .../netscape/cms/servlet/csadmin/BaseServlet.java | 15 +---------- + .../cms/servlet/processors/CAProcessor.java | 16 +----------- + .../servlet/profile/ProfileSubmitCMCServlet.java | 17 ++---------- + 6 files changed, 37 insertions(+), 80 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index d04223f..0bf186e 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -1672,6 +1672,36 @@ public final class CMS { + } + + /** ++ * Check whether the string is contains password ++ * ++ * @param name key string ++ * @return whether key is a password or not ++ */ ++ public static boolean isSensitive(String name) { ++ return (name.startsWith("__") || ++ name.endsWith("password") || ++ name.endsWith("passwd") || ++ name.endsWith("pwd") || ++ name.equalsIgnoreCase("admin_password_again") || ++ name.equalsIgnoreCase("directoryManagerPwd") || ++ name.equalsIgnoreCase("bindpassword") || ++ name.equalsIgnoreCase("bindpwd") || ++ name.equalsIgnoreCase("passwd") || ++ name.equalsIgnoreCase("password") || ++ name.equalsIgnoreCase("pin") || ++ name.equalsIgnoreCase("pwd") || ++ 
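Review bot: When `mBypassClientAuth` is true the missing-client-certificate path only calls `CMS.debug(...)` and falls through, so an enrollment accepted without the TLS client certificate, and therefore without the signer/TLS-identity match the `else` branch enforces, leaves no trace in the audit log; that branch should emit a signed audit event or at least `log(ILogger.LL_WARN, ...)` naming the CMC signer subject so operators can tell bypassed requests from normal ones. The flag is read once in `init()` from the global `CMS.getConfigStore()` rather than from this instance's `mConfig`, so it applies to every CMCAuth instance and needs a restart to change; that is defensible but belongs in a comment on the field, e.g. `// cmc.bypassClientAuth (CS.cfg, global, read at init): when true a CMC request signed by an agent cert is accepted without TLS client auth; default false`. A log line at init when the bypass is enabled would also help. The method continues outside the hunk.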
name.equalsIgnoreCase("pwdagain") || ++ name.equalsIgnoreCase("uPasswd") || ++ name.equalsIgnoreCase("PASSWORD_CACHE_ADD") || ++ name.startsWith("p12Password") || ++ name.equalsIgnoreCase("host_challenge") || ++ name.equalsIgnoreCase("card_challenge") || ++ name.equalsIgnoreCase("card_cryptogram") || ++ name.equalsIgnoreCase("drm_trans_desKey") || ++ name.equalsIgnoreCase("cert_request")); ++ } ++ ++ /** + * Main driver to start CMS. + */ + public static void main(String[] args) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index 2b8cec7..ed5393b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -203,21 +203,7 @@ public class AdminServlet extends HttpServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.equalsIgnoreCase("uPasswd") || +- pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("AdminServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +@@ -992,7 +978,7 @@ public class AdminServlet extends HttpServlet { + if (name.equals(Constants.RS_ID)) continue; + + String value = null; +- if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD")) ++ if (CMS.isSensitive(name)) + value = "(sensitive)"; + 
else + value = req.getParameter(name); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index f18db1a..0c65702 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -403,26 +403,7 @@ public abstract class CMSServlet extends HttpServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.startsWith("p12Password") || +- pn.equalsIgnoreCase("uPasswd") || +- pn.equalsIgnoreCase("host_challenge") || +- pn.equalsIgnoreCase("card_challenge") || +- pn.equalsIgnoreCase("card_cryptogram") || +- pn.equalsIgnoreCase("drm_trans_desKey") || +- pn.equalsIgnoreCase("cert_request")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("CMSServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java +index 3b3ae40..70922dc 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java +@@ -70,20 +70,7 @@ public class BaseServlet extends VelocityServlet { + // __ (double underscores); however, in the event that + // a security parameter 
slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.equalsIgnoreCase("uPasswd")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("BaseServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 62b4242..f732c4d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -258,21 +258,7 @@ public class CAProcessor extends Processor { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (paramName.startsWith("__") || +- paramName.endsWith("password") || +- paramName.endsWith("passwd") || +- paramName.endsWith("pwd") || +- paramName.equalsIgnoreCase("admin_password_again") || +- paramName.equalsIgnoreCase("directoryManagerPwd") || +- paramName.equalsIgnoreCase("bindpassword") || +- paramName.equalsIgnoreCase("bindpwd") || +- paramName.equalsIgnoreCase("passwd") || +- paramName.equalsIgnoreCase("password") || +- paramName.equalsIgnoreCase("pin") || +- paramName.equalsIgnoreCase("pwd") || +- paramName.equalsIgnoreCase("pwdagain") || +- paramName.equalsIgnoreCase("uPasswd") || +- paramName.equalsIgnoreCase("cert_request")) { ++ if 
(CMS.isSensitive(paramName)) { + CMS.debug("CAProcessor: - " + paramName + ": (sensitive)"); + } else { + CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue()); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 03e94a8..81a2f2a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -47,9 +47,9 @@ import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthEvent; + import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; +-import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.ECMCBadIdentityException; + import com.netscape.certsrv.profile.ECMCBadMessageCheckException; + import com.netscape.certsrv.profile.ECMCBadRequestException; +@@ -306,20 +306,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (paramName.startsWith("__") || +- paramName.endsWith("password") || +- paramName.endsWith("passwd") || +- paramName.endsWith("pwd") || +- paramName.equalsIgnoreCase("admin_password_again") || +- paramName.equalsIgnoreCase("directoryManagerPwd") || +- paramName.equalsIgnoreCase("bindpassword") || +- paramName.equalsIgnoreCase("bindpwd") || +- paramName.equalsIgnoreCase("passwd") || +- paramName.equalsIgnoreCase("password") || +- paramName.equalsIgnoreCase("pin") || +- paramName.equalsIgnoreCase("pwd") || +- 
paramName.equalsIgnoreCase("pwdagain") || +- paramName.equalsIgnoreCase("uPasswd")) { ++ if (CMS.isSensitive(paramName)) { + CMS.debug("ProfileSubmitCMCServlet Input Parameter " + + paramName + "='(sensitive)'"); + } else { +-- +1.8.3.1 + + +From 4041f30e683307eb96140c8b81e48e62c2e7c34a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 28 Aug 2018 23:08:13 +0200 +Subject: [PATCH 13/19] Fixed CA signing cert importation + +The pki_ca_signing_cert_path param has been modified to have +an empty value by default. + +The import_ca_signing_cert() has been modified such that if +the param is not specified, it will return silently. If the +param contains an invalid path, the method will fail. If the +param contains a valid path to the CA signing cert, the cert +will be imported into the NSS database. + +https://pagure.io/dogtagpki/issue/3040 + +Change-Id: Idde1850744391162495599067c840c47ef47de69 +(cherry picked from commit a4f5b17ee96adf79391f9def6e04bb239a779cbe) +--- + base/server/etc/default.cfg | 2 +- + base/server/man/man5/pki_default.cfg.5 | 2 +- + .../pki/server/deployment/scriptlets/configuration.py | 19 ++++++++++--------- + 3 files changed, 12 insertions(+), 11 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 0f348ee..b92cca7 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -94,7 +94,7 @@ pki_ca_port=%(pki_security_domain_https_port)s + pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA + + # DEPRECATED: Use 'pki_ca_signing_cert_path' instead. 
+-pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert ++pki_external_ca_cert_path= + pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s + + pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index fe3cdc7..afdcbfb 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -413,7 +413,7 @@ Required for the second step of a stand-alone PKI process. This is the location + .PP + .B pki_ca_signing_cert_path + .IP +-Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/external_ca_chain.cert'. ++Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to empty. 
+ .PP + .B pki_external_admin_cert_path + .IP +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index fd043a8..1b62445 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -395,15 +395,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.import_system_cert_request(deployer, subsystem, 'subsystem') + self.import_system_cert_request(deployer, subsystem, 'sslserver') + +- def import_ca_signing_cert(self, deployer, nssdb, subsystem): ++ def import_ca_signing_cert(self, deployer, nssdb): + + param = 'pki_ca_signing_cert_path' + cert_file = deployer.mdict.get(param) +- if not cert_file or not os.path.exists(cert_file): +- if subsystem.name == 'ca': +- raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) +- else: +- return ++ ++ if not cert_file: ++ return ++ ++ if not os.path.exists(cert_file): ++ raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) + + nickname = deployer.mdict['pki_ca_signing_nickname'] + +@@ -593,14 +594,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + def import_system_certs(self, deployer, nssdb, subsystem): + + if subsystem.name == 'ca': +- self.import_ca_signing_cert(deployer, nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, nssdb) + self.import_ca_ocsp_signing_cert(deployer, nssdb) + + if subsystem.name == 'kra': + # Always import cert chain into internal token. + internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, internal_nssdb) + finally: + internal_nssdb.close() + +@@ -612,7 +613,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Always import cert chain into internal token. 
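Review bot: `import_ca_signing_cert` now has a three-way contract (empty parameter → silent no-op, non-existent path → exception, existing path → import) that is spelled out only in the commit message; a docstring would keep it from being re-broken, e.g. "Import the CA signing cert named by pki_ca_signing_cert_path into nssdb. Does nothing when the parameter is empty; raises Exception when the path does not exist." Because the old `subsystem.name == 'ca'` guard is gone, a CA deployment that omits the parameter no longer fails here — if a later step needs that cert, confirm it still produces a clear error rather than a missing-certificate failure further on. `os.path.exists` also accepts a directory; `os.path.isfile(cert_file)` would be the tighter check. The function body continues outside the hunk.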
+ internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, internal_nssdb) + finally: + internal_nssdb.close() + +-- +1.8.3.1 + + +From 6fbffb076caea906381e47bc1b6cae9da9892ae4 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 23 Oct 2018 03:31:33 +0200 +Subject: [PATCH 14/19] Fixed password prompt in pki CLI + +The pki CLI has been modified not to throw an exception when the +user specifies a username without any password. The CLI will then +prompt for a password. + +https://pagure.io/dogtagpki/issue/2840 +(cherry picked from commit b1bda0a1e7baca575561c08e78d93ae7c7160738) +--- + base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 711625a..50e5b75 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -378,9 +378,6 @@ public class MainCLI extends CLI { + + if (passwordFile != null && password != null) { + throw new Exception("The '-W' and '-w' options are mutually exclusive."); +- +- } else if (passwordFile == null && password == null) { +- throw new Exception("Missing user password."); + } + } + +-- +1.8.3.1 + + +From 60ad482668db175f297e55a947f55021871ce348 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:21:52 +0200 +Subject: [PATCH 16/19] Added CMSEngine.disableSubsystem() + +The code that calls pki-server subsystem-disable in +SelfTestSubsystem has been moved into CMSEngine.disableSubsystem(). 
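Review bot: With the "Missing user password." check removed, this method now returns with both `passwordFile` and `password` null, and nothing in the hunk shows where the interactive prompt the commit message promises is triggered; confirm the code that consumes `password` outside this hunk prompts when both are null rather than sending an empty credential. A short comment on the surviving `if` would make the intent visible, e.g. `// a username without -w/-W is allowed: the password is prompted for later`. The enclosing method continues outside the hunk.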
+ +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit d5b119cdf3693680d5d1518b4b21b436d442708b) +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ + .../src/com/netscape/cmscore/apps/CMSEngine.java | 24 +++++++++++++++++++++ + .../cmscore/selftests/SelfTestSubsystem.java | 25 +++++----------------- + 3 files changed, 33 insertions(+), 20 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index 0bf186e..b6b74e6 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -145,6 +145,10 @@ public final class CMS { + _engine = engine; + } + ++ public static ICMSEngine getCMSEngine() { ++ return _engine; ++ } ++ + /** + * This method is used for unit tests. It allows the underlying _engine + * to be stubbed out. +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index eaf57fa..2c953cc 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -2042,6 +2042,30 @@ public class CMSEngine implements ICMSEngine { + + } + ++ public void disableSubsystem() { ++ ++ String name = mConfig.get("cs.type"); ++ String subsystemID = name.toLowerCase(); ++ ++ CMS.debug("CMSEngine: Disabling " + name + " subsystem"); ++ ++ try { ++ ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceId, subsystemID); ++ CMS.debug("Command: " + String.join(" ", pb.command())); ++ ++ Process process = pb.inheritIO().start(); ++ int rc = process.waitFor(); ++ ++ if (rc != 0) { ++ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. 
RC: " + rc); ++ } ++ ++ } catch (Exception e) { ++ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage()); ++ CMS.debug(e); ++ } ++ } ++ + /** + * shuts down a subsystem list in reverse order. + */ +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 98b53c7..9ed4f8a 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.selftests.ISelfTest; + import com.netscape.certsrv.selftests.ISelfTestSubsystem; + import com.netscape.cms.logging.Logger; + import com.netscape.cms.logging.SignedAuditLogger; ++import com.netscape.cmscore.apps.CMSEngine; + + ////////////////////// + // class definition // +@@ -1832,29 +1833,13 @@ public class SelfTestSubsystem + + audit(auditMessage); + +- CMS.debug("SelfTestSubsystem.startup(): shutdown server"); ++ CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); ++ CMS.debug(e); + +- // shutdown the system gracefully + CMS.shutdown(); + +- IConfigStore cs = CMS.getConfigStore(); +- String instanceID = cs.get("instanceId"); +- String subsystemID = cs.get("cs.type").toLowerCase(); +- +- System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); +- +- try { +- ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); +- Process process = pb.inheritIO().start(); +- int rc = process.waitFor(); +- +- if (rc != 0) { +- System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". 
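Review bot: `disableSubsystem()` reports failure only through `CMS.debug`, so a caller cannot tell whether the subsystem was actually undeployed — a non-zero `rc`, an `IOException` from `start()` (for example `pki-server` not found on the server process's PATH) and an `InterruptedException` from `waitFor()` all fall through and leave the subsystem serving requests, which matters for the LogFile path in patch 18 where this call replaces `forceShutdown()`. Suggest returning a boolean (or throwing) so callers can fall back, and re-asserting the interrupt flag in its own catch. Also `mConfig.get("cs.type")` is dereferenced before the `try`, so a missing value surfaces as an NPE instead of the logged message.
```java
    public boolean disableSubsystem() {

        String name = mConfig.get("cs.type");
        if (name == null) {
            CMS.debug("CMSEngine: cs.type not configured, cannot disable subsystem");
            return false;
        }
        String subsystemID = name.toLowerCase();

        CMS.debug("CMSEngine: Disabling " + name + " subsystem");

        try {
            // … unchanged: ProcessBuilder setup, inheritIO().start(), waitFor() …
            if (rc != 0) {
                CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. RC: " + rc);
                return false;
            }
            return true;

        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            CMS.debug("CMSEngine: Interrupted while disabling " + name + " subsystem");
            return false;

        } catch (Exception e) {
            CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage());
            CMS.debug(e);
            return false;
        }
    }
```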
RC: " + rc); +- } +- +- } catch (Exception e2) { +- e.printStackTrace(); +- } ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + } + } + +-- +1.8.3.1 + + +From 83e911b75bb887bc4f3bf36fc9709401e54b7443 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:22:24 +0200 +Subject: [PATCH 17/19] Fixed subsystem shutdown on selftest failures + +The code that handles selftest failures have been modified +to call CMSEngine.disableSubsystem() to undeploy the web +application. Once undeployed, the web application will no +longer accept client requests, then Tomcat will execute +CMSStartServlet.destroy() which will eventually shutdown +the subsystem. + +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 7c3711c786ba90fe29b7450530dd8372d5839fcd) +--- + .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 7 ++++--- + .../src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 9 ++++----- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index 59a5d62..633b13d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -73,6 +73,7 @@ import com.netscape.certsrv.selftests.ESelfTestException; + import com.netscape.certsrv.selftests.ISelfTest; + import com.netscape.certsrv.selftests.ISelfTestSubsystem; + import com.netscape.certsrv.tks.ITKSAuthority; ++import com.netscape.cmscore.apps.CMSEngine; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.Utils; +@@ -3194,10 +3195,10 @@ public final class CMSAdminServlet extends AdminServlet { + + "\n"; + sendResponse(ERROR, content, null, resp); + +- CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown 
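Review bot: `(CMSEngine) CMS.getCMSEngine()` casts the `ICMSEngine` returned by the new accessor to the concrete class; the CMS.java context around `setCMSEngine` says the engine is stubbed out in unit tests, so any such stub reaching this line throws ClassCastException. Declaring `disableSubsystem()` on `ICMSEngine` and calling `CMS.getCMSEngine().disableSubsystem()` avoids the cast and the `cmscore.apps.CMSEngine` import added above. The same pattern appears in the CMSAdminServlet and SelfTestSubsystem hunks of patch 17 and the LogFile hunk of patch 18. The enclosing startup() method begins outside this hunk.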
server"); ++ CMS.debug("CMSAdminServlet: Disabling subsystem due to selftest failure: " + e.getMessage()); + +- // shutdown the system gracefully +- CMS.shutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + + return; + } else { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 9ed4f8a..8ce9a58 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -537,10 +537,11 @@ public class SelfTestSubsystem + "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", + instanceFullName)); + +- CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); ++ CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage()); ++ CMS.debug(e); + +- // shutdown the system gracefully +- CMS.shutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + + return; + } +@@ -1836,8 +1837,6 @@ public class SelfTestSubsystem + CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); + CMS.debug(e); + +- CMS.shutdown(); +- + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); + } +-- +1.8.3.1 + + +From 81710f32fb9c269f2795b3272b3765a542299eb6 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:23:09 +0200 +Subject: [PATCH 18/19] Fixed signed audit logging failure handling + +The code that handles signed audit logging failures has been +modified to call CMSEngine.disableSubsystem() to undeploy the +web application. Once undeployed, the web application will no +longer accept client requests, then Tomcat will execute +CMSStartServlet.destroy() which will eventually shutdown the +subsystem. 
+ +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 5e7d7b972f14d65781909f6dfee4ad1e7ecb801a) +--- + .../cms/src/com/netscape/cms/logging/LogFile.java | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index b04f70d..a4a691b 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -79,6 +79,7 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogSource; + import com.netscape.certsrv.logging.SignedAuditEvent; + import com.netscape.certsrv.logging.SystemEvent; ++import com.netscape.cmscore.apps.CMSEngine; + import com.netscape.cmsutil.util.Utils; + + import netscape.ldap.client.JDAPAVA; +@@ -422,20 +423,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + // synchronized. We just want to avoid an infinite loop. + mInSignedAuditLogFailureMode = true; + +- // Block all new incoming requests +- if (CMS.areRequestsDisabled() == false) { +- // XXX is this a race condition? +- CMS.disableRequests(); +- } +- +- // Terminate all requests in process +- CMS.terminateRequests(); +- +- // Call graceful shutdown of the CMS server +- // Call force shutdown to get added functionality of +- // making sure to kill the web server. ++ CMS.debug("LogFile: Disabling subsystem due to signed logging failure"); + +- CMS.forceShutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + } + } + +-- +1.8.3.1 + + +From bd2b3117334ce0e638bf309a591a0eeb6390253f Mon Sep 17 00:00:00 2001 +From: "Endi S. 
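Review bot: The replaced code did three things — `CMS.disableRequests()`, `CMS.terminateRequests()` and `CMS.forceShutdown()` — while the new code only asks for the webapp to be undeployed, so requests already in flight keep executing after `mInSignedAuditLogFailureMode` was set, and if `disableSubsystem()` fails (per its hunk in patch 16 it only logs) nothing stops the subsystem at all. Consider keeping `CMS.disableRequests()` ahead of the undeploy so no new work is accepted while `pki-server` runs, and falling back to the old behaviour when the disable cannot be confirmed, e.g. `if (!engine.disableSubsystem()) CMS.forceShutdown();` once the method reports its result. The enclosing method continues outside the hunk.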
Dewata" +Date: Sat, 20 Oct 2018 04:03:49 +0200 +Subject: [PATCH 19/19] Added doc on signed audit logging failures + +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 54c1b9b04625de6f3493e5d28979a740b31e63b3) +--- + docs/admin/Signed_Audit_Logging_Failures.md | 88 +++++++++++++++++++++++++++++ + 1 file changed, 88 insertions(+) + create mode 100644 docs/admin/Signed_Audit_Logging_Failures.md + +diff --git a/docs/admin/Signed_Audit_Logging_Failures.md b/docs/admin/Signed_Audit_Logging_Failures.md +new file mode 100644 +index 0000000..17cc3bd +--- /dev/null ++++ b/docs/admin/Signed_Audit_Logging_Failures.md +@@ -0,0 +1,88 @@ ++Signed Audit Logging Failures ++============================= ++ ++## Overview ++ ++If a PKI subsystem is unable to write signed audit log to disk, ++the subsystem will automatically shutdown to prevent it from ++receiving and executing additional operations that cannot be ++logged. ++ ++This situation may happen when the disk is full. In that case ++the admin will need to provide additional disk space, then restart ++the subsystem. ++ ++Note: auto-shutdown will only work if audit signing is enabled. 
++ ++## Verifying Auto-Shutdown ++ ++To verify auto-shutdown on a CA instance, prepare a small ++partition and assign the proper permissions: ++ ++``` ++$ mkdir -p /tmp/audit ++$ mount -t tmpfs -o size=2M,mode=0755 tmpfs /tmp/audit ++$ chown pkiuser:pkiuser /tmp/audit ++$ semanage fcontext -a -t pki_tomcat_log_t /tmp/audit ++$ restorecon -vR /tmp/audit ++``` ++ ++Edit /etc/pki/pki-tomcat/ca/CS.cfg to enable audit signing ++and configure it to store the logs in the above partition: ++ ++``` ++log.instance.SignedAudit.logSigning=true ++log.instance.SignedAudit.fileName=/tmp/audit/ca_audit ++``` ++ ++Restart the server: ++ ++``` ++$ systemctl restart pki-tomcatd@pki-tomcat.service ++``` ++ ++Create a big file to fill up the partition: ++ ++``` ++$ dd if=/dev/zero of=/tmp/audit/bigfile bs=1M count=2 ++``` ++ ++Execute some operations to generate audit logs, for example: ++ ++``` ++$ pki ca-cert-find ++``` ++ ++When the partition becomes full, the server will no longer able ++to write the signed audit log into the partition, so it will ++generate the following message in console or systemd journal ++(assuming the journal is stored in a different partition that ++is not full): ++ ++``` ++Failed to flush log "/tmp/audit/ca_audit", error: No space left on device ++``` ++ ++Then the CA subsystem will shutdown automatically. The server itself ++will still be running and accepting connections, but all requests ++going to the CA subsystem will fail. ++ ++To resolve the issue, create more space in the partition by ++removing the big file: ++ ++``` ++$ rm -f /tmp/audit/bigfile ++``` ++ ++Then re-enable the CA subsystem with the following command: ++ ++``` ++$ pki-server subsystem-enable -i pki-tomcat ca ++``` ++ ++or by restarting the server: ++ ++``` ++$ systemctl restart pki-tomcatd@pki-tomcat.service ++``` ++ +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.9-batch-2.0.patch b/SOURCES/pki-core-10.5.9-batch-2.0.patch new file mode 100644 index 0000000..31837d3 --- /dev/null 
+++ b/SOURCES/pki-core-10.5.9-batch-2.0.patch 
@@ -0,0 +1,3528 @@ +From 9c24a655511c911c8acc724a45f79b3ea4986b9f Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 16:29:11 -0400 +Subject: [PATCH 01/13] Add --force flag to pki-destroy + +Resolves: Bug 1372056 +Ticket: https://pagure.io/dogtagpki/issue/1172 + +List of changes with this commit: +- Adds new flag `--force` to pkidestroy to force remove a subsystem +- Use `os.path.join()` instead of appending '/' between path names +- Remove the `pki_database_path` dir instead of removing contents of the dir + - This is moved to `security_database.py` instead of `configuration.py` +- pkidestroy and pkispawn logs are owned by `root` instead of configured pkiuser + +Signed-off-by: Dinesh Prasanth M K +(cherry picked from commit 926c26e10db1b3fde8f24802d7a77419d0f2f28d) +--- + .../python/pki/server/deployment/pkihelper.py | 6 +- + .../server/deployment/scriptlets/configuration.py | 7 +- + .../server/deployment/scriptlets/finalization.py | 5 +- + .../server/deployment/scriptlets/initialization.py | 92 ++++++++++++---------- + .../deployment/scriptlets/security_databases.py | 8 +- + .../deployment/scriptlets/webapp_deployment.py | 2 +- + base/server/sbin/pkidestroy | 44 ++++++++--- + 7 files changed, 96 insertions(+), 68 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 79f1e57..e1b9a02 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -947,8 +947,10 @@ class Instance: + rv = [] + try: + for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: +- path = self.mdict['pki_instance_path'] + \ +- "/" + subsystem.lower() ++ path = os.path.join( ++ self.mdict['pki_instance_path'], ++ subsystem.lower() ++ ) + if os.path.exists(path) and os.path.isdir(path): + rv.append(subsystem) + except OSError as exc: +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py 
b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 1b62445..7bc0023 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -1274,9 +1274,4 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise RuntimeError("server failed to restart") + + def destroy(self, deployer): +- +- config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, +- extra=config.PKI_INDENTATION_LEVEL_1) +- if len(deployer.instance.tomcat_instance_subsystems()) == 1: +- if deployer.directory.exists(deployer.mdict['pki_client_dir']): +- deployer.directory.delete(deployer.mdict['pki_client_dir']) ++ pass +diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py +index e62051f..3c7e118 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py +@@ -68,19 +68,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_subsystem'], + deployer.mdict['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) +- deployer.file.modify(deployer.mdict['pki_spawn_log'], silent=True) + + def destroy(self, deployer): + + config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) +- deployer.file.modify(deployer.mdict['pki_destroy_log'], silent=True) + # If this is the last remaining PKI instance, ALWAYS remove the + # link to start configured PKI instances upon system reboot + if deployer.mdict['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + deployer.instance.pki_instance_subsystems() == 0: + deployer.systemd.disable() +- # Start this Tomcat PKI Process ++ ++ # Start this Tomcat PKI Process back if there are any subsystems still existing + if len(deployer.instance.tomcat_instance_subsystems()) >= 1: + 
deployer.systemd.start() + config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index 9528ec5..efd1536 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -86,45 +86,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.configuration_file.verify_ds_secure_connection_data() + + def destroy(self, deployer): +- +- # begin official logging +- config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, +- deployer.mdict['pki_subsystem'], +- deployer.mdict['pki_instance_name'], +- extra=config.PKI_INDENTATION_LEVEL_0) +- config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, +- extra=config.PKI_INDENTATION_LEVEL_1) +- # verify that this type of "subsystem" currently EXISTS +- # for this "instance" +- deployer.instance.verify_subsystem_exists() +- # verify that the command-line parameters match the values +- # that are present in the corresponding configuration file +- deployer.configuration_file.verify_command_matches_configuration_file() +- # establish 'uid' and 'gid' +- deployer.identity.set_uid(deployer.mdict['pki_user']) +- deployer.identity.set_gid(deployer.mdict['pki_group']) +- # get ports to remove selinux context +- deployer.configuration_file.populate_non_default_ports() +- +- # remove kra connector from CA if this is a KRA +- deployer.kra_connector.deregister() +- +- # remove tps connector from TKS if this is a TPS +- deployer.tps_connector.deregister() +- +- # de-register instance from its Security Domain +- # +- # NOTE: Since the security domain of an instance must be up +- # and running in order to be de-registered, this step +- # must be done PRIOR to instance shutdown because this +- # instance's security domain may be a part of a +- # tightly-coupled shared instance. 
+- # +- +- # Previously we obtained the token through a command line interface +- # no longer supported. Thus we assume no token and the deregister op will +- # take place without the token using an alternate method. +- +- deployer.security_domain.deregister(None) +- # ALWAYS Stop this Tomcat PKI Process +- deployer.systemd.stop() ++ try: ++ # begin official logging ++ config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, ++ deployer.mdict['pki_subsystem'], ++ deployer.mdict['pki_instance_name'], ++ extra=config.PKI_INDENTATION_LEVEL_0) ++ config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, ++ extra=config.PKI_INDENTATION_LEVEL_1) ++ # verify that this type of "subsystem" currently EXISTS ++ # for this "instance" ++ deployer.instance.verify_subsystem_exists() ++ # verify that the command-line parameters match the values ++ # that are present in the corresponding configuration file ++ deployer.configuration_file.verify_command_matches_configuration_file() ++ # establish 'uid' and 'gid' ++ deployer.identity.set_uid(deployer.mdict['pki_user']) ++ deployer.identity.set_gid(deployer.mdict['pki_group']) ++ # get ports to remove selinux context ++ deployer.configuration_file.populate_non_default_ports() ++ ++ # remove kra connector from CA if this is a KRA ++ deployer.kra_connector.deregister() ++ ++ # remove tps connector from TKS if this is a TPS ++ deployer.tps_connector.deregister() ++ ++ # de-register instance from its Security Domain ++ # ++ # NOTE: Since the security domain of an instance must be up ++ # and running in order to be de-registered, this step ++ # must be done PRIOR to instance shutdown because this ++ # instance's security domain may be a part of a ++ # tightly-coupled shared instance. ++ # ++ ++ # Previously we obtained the token through a command line interface ++ # no longer supported. Thus we assume no token and the deregister op will ++ # take place without the token using an alternate method. 
++ ++ deployer.security_domain.deregister(None) ++ ++ except Exception as e: # pylint: disable=broad-except ++ config.pki_log.error(str(e)) ++ # If it is a normal destroy, pass any exception ++ if not deployer.mdict['pki_force_destroy']: ++ raise ++ ++ finally: ++ # ALWAYS Stop this Tomcat PKI Process ++ deployer.systemd.stop() +diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +index b8550ad..02f4713 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py ++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +@@ -259,7 +259,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if len(deployer.instance.tomcat_instance_subsystems()) == 0: +- deployer.file.delete(deployer.mdict['pki_cert_database']) +- deployer.file.delete(deployer.mdict['pki_key_database']) +- deployer.file.delete(deployer.mdict['pki_secmod_database']) ++ ++ if deployer.directory.exists(deployer.mdict['pki_client_dir']): ++ deployer.directory.delete(deployer.mdict['pki_client_dir']) ++ ++ deployer.directory.delete(deployer.mdict['pki_database_path']) + deployer.file.delete(deployer.mdict['pki_shared_password_conf']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py +index bfa3c32..8957d9d 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py ++++ b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py +@@ -70,7 +70,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + +- # Delete /conf/Catalina/localhost/.xml ++ # Delete 
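Review bot: Under `--force`, the first exception in the `try` block abandons every later step — a failure in `verify_command_matches_configuration_file()` or `set_uid()` skips the KRA/TPS connector and security-domain deregistration entirely, so the instance stays registered elsewhere while its files are removed, and the only trace is one error log line. Since the commit's purpose is to keep going when the deployment is already broken, each teardown step should run in its own guard so one failure does not suppress the rest (the verification steps could stay fail-fast if preferred). Reading `deployer.mdict['pki_force_destroy']` inside the handler also means a KeyError would mask the original exception if destroy() is ever reached with an mdict that lacks the key; `mdict.get(...)` is safer.
```python
    def destroy(self, deployer):
        force = deployer.mdict.get('pki_force_destroy')

        def attempt(step):
            # run one teardown step; under --force log and continue, otherwise fail
            try:
                step()
            except Exception as e:  # pylint: disable=broad-except
                config.pki_log.error(str(e))
                if not force:
                    raise

        try:
            # … unchanged: PKIDESTROY_BEGIN_MESSAGE_2 / INITIALIZATION_DESTROY_1 logging …
            attempt(deployer.instance.verify_subsystem_exists)
            attempt(deployer.configuration_file.verify_command_matches_configuration_file)
            attempt(lambda: deployer.identity.set_uid(deployer.mdict['pki_user']))
            attempt(lambda: deployer.identity.set_gid(deployer.mdict['pki_group']))
            attempt(deployer.configuration_file.populate_non_default_ports)
            attempt(deployer.kra_connector.deregister)
            attempt(deployer.tps_connector.deregister)
            # must happen before the instance is stopped (see the NOTE in the original)
            attempt(lambda: deployer.security_domain.deregister(None))
        finally:
            # ALWAYS Stop this Tomcat PKI Process
            deployer.systemd.stop()
```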
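Review bot: `deployer.directory.delete(deployer.mdict['pki_database_path'])` removes the whole directory where the old code removed only the three NSS database files, so if `pki_database_path` can be pointed at a location shared with anything else (the default is not visible here), this destroy now deletes more than the databases; a comment stating the assumption, e.g. `# pki_database_path is the instance's own NSS directory; nothing else lives here`, or a check that it is under the instance path, would make that explicit. The `pki_client_dir` removal has also moved here from configuration.py with its condition changed from one remaining subsystem to zero, which presumably reflects scriptlet ordering — worth a one-line comment so the dependency is not lost.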
/Catalina/localhost/.xml + deployer.file.delete( + os.path.join( + deployer.mdict['pki_instance_configuration_path'], +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 58f0541..4692e36 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -95,6 +95,13 @@ def main(argv): + nargs=1, metavar='', + help='security domain password file path') + ++ parser.optional.add_argument( ++ '--force', ++ dest='pki_force_destroy', ++ action='store_true', ++ help='force removal of subsystem' ++ ) ++ + args = parser.process_command_line_arguments() + + interactive = False +@@ -155,20 +162,26 @@ def main(argv): + pwd_file: + config.pki_secdomain_pass = pwd_file.readline().strip('\n') + ++ # '--force' ++ force_destroy = args.pki_force_destroy ++ + # verify that previously deployed instance exists +- deployed_pki_instance_path = \ +- config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT + "/" + \ +- config.pki_deployed_instance_name +- if not os.path.exists(deployed_pki_instance_path): ++ deployed_pki_instance_path = os.path.join( ++ config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name ++ ) ++ ++ if not os.path.exists(deployed_pki_instance_path) and not force_destroy: + print("ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 % + deployed_pki_instance_path) + print() + parser.arg_parser.exit(-1) + + # verify that previously deployed subsystem for this instance exists +- deployed_pki_subsystem_path = \ +- deployed_pki_instance_path + "/" + deployer.subsystem_name.lower() +- if not os.path.exists(deployed_pki_subsystem_path): ++ deployed_pki_subsystem_path = os.path.join( ++ deployed_pki_instance_path, deployer.subsystem_name.lower() ++ ) ++ ++ if not os.path.exists(deployed_pki_subsystem_path) and not force_destroy: + print("ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 % + (deployer.subsystem_name, deployed_pki_instance_path)) + print() +@@ -178,11 +191,16 @@ def main(argv): + 
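Review bot: The rewritten `deployed_pki_instance_path` in the pkidestroy hunk at `@@ -155,20 +162,26 @@` drops `config.pki_root_prefix`, which the removed concatenation prepended to `PKI_DEPLOYMENT_BASE_ROOT`; if a non-empty root prefix is still honoured elsewhere in pkidestroy, the existence check now inspects a different directory than the one that will be destroyed. Either keep the prefix, `os.path.join(config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name)`, or state in the commit message why it is no longer needed. With `--force` both `os.path.exists` checks are skipped, so a mistyped instance or subsystem name no longer stops the run; printing the path that is about to be force-destroyed before continuing would keep that visible in the console output. main() continues outside the hunk.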
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # establish complete path to previously deployed configuration file +- config.user_deployment_cfg =\ +- deployed_pki_subsystem_path + "/" +\ +- "registry" + "/" +\ +- deployer.subsystem_name.lower() + "/" +\ ++ config.user_deployment_cfg = os.path.join( ++ deployed_pki_subsystem_path, ++ "registry", ++ deployer.subsystem_name.lower(), + config.USER_DEPLOYMENT_CONFIGURATION ++ ) ++ ++ if force_destroy and not os.path.exists(config.user_deployment_cfg): ++ # During force destroy, try to load the file. If file doesn't exist, we ignore it ++ config.user_deployment_cfg = None + + parser.validate() + parser.init_config() +@@ -213,6 +231,10 @@ def main(argv): + parser.compose_pki_master_dictionary() + parser.mdict['pki_destroy_log'] = \ + config.pki_log_dir + "/" + config.pki_log_name ++ ++ # Add force_destroy to master dictionary ++ parser.mdict['pki_force_destroy'] = force_destroy ++ + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), +-- +1.8.3.1 + + +From 7f0af3958605c9826c5bb71fcb43cfccb3056d90 Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 16:43:36 -0400 +Subject: [PATCH 02/13] Add --remove-logs flag to pki-destroy + +Partially resolves: Bug 1372056 + +List of changes by this commit: + +- Logs are preserved by default (comment #1 in BZ) +- Add `--remove-flags` flag to pkidestroy to remove logs + +Signed-off-by: Dinesh Prasanth M K +(cherry picked from commit 9e2cdb0b2f5df552ef50ba7883b4c686adec41b3) +--- + .../server/deployment/scriptlets/instance_layout.py | 7 +++++-- + .../server/deployment/scriptlets/subsystem_layout.py | 19 +++++++++++-------- + base/server/sbin/pkidestroy | 13 +++++++++++++ + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
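Review bot: Setting `config.user_deployment_cfg = None` under `--force` in the hunk at `@@ -178,11 +191,16 @@` hands `None` to `parser.validate()` and `parser.init_config()` two lines below, and nothing in the hunk shows that those, or `compose_pki_master_dictionary()` in the following hunk, accept a missing deployment config; this should be confirmed, otherwise the force path fails later with a less useful error than the one it bypassed. The inline comment should also say what the intended fallback is, e.g. `# --force: no per-instance deployment config; proceed with defaults only`. main() continues outside the hunk.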
b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 2095212..568c0a0 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -199,8 +199,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + # remove Tomcat instance base + deployer.directory.delete(deployer.mdict['pki_instance_path']) +- # remove Tomcat instance logs +- deployer.directory.delete(deployer.mdict['pki_instance_log_path']) ++ ++ # remove Tomcat instance logs only if --remove-logs is specified ++ if deployer.mdict['pki_remove_logs']: ++ deployer.directory.delete(deployer.mdict['pki_instance_log_path']) ++ + # remove shared NSS security database path for this instance + deployer.directory.delete(deployer.mdict['pki_database_path']) + # remove Tomcat instance configuration +diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +index a0e4658..fb9f754 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +@@ -124,15 +124,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.delete( + deployer.mdict['pki_subsystem_profiles_path']) + deployer.directory.delete(deployer.mdict['pki_subsystem_path']) +- # remove instance-based subsystem logs +- if deployer.mdict['pki_subsystem'] in \ +- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: ++ ++ # remove instance-based subsystem logs only if --remove-logs flag is specified ++ if deployer.mdict['pki_remove_logs']: ++ if deployer.mdict['pki_subsystem'] in \ ++ config.PKI_SIGNED_AUDIT_SUBSYSTEMS: ++ deployer.directory.delete( ++ deployer.mdict['pki_subsystem_signed_audit_log_path']) + deployer.directory.delete( +- deployer.mdict['pki_subsystem_signed_audit_log_path']) +- 
deployer.directory.delete( +- deployer.mdict['pki_subsystem_archive_log_path']) +- deployer.directory.delete( +- deployer.mdict['pki_subsystem_log_path']) ++ deployer.mdict['pki_subsystem_archive_log_path']) ++ deployer.directory.delete( ++ deployer.mdict['pki_subsystem_log_path']) ++ + # remove instance-based subsystem configuration + deployer.directory.delete( + deployer.mdict['pki_subsystem_configuration_path']) +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 4692e36..4095d13 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -102,6 +102,13 @@ def main(argv): + help='force removal of subsystem' + ) + ++ parser.optional.add_argument( ++ '--remove-logs', ++ dest='pki_remove_logs', ++ action='store_true', ++ help='remove subsystem logs' ++ ) ++ + args = parser.process_command_line_arguments() + + interactive = False +@@ -165,6 +172,9 @@ def main(argv): + # '--force' + force_destroy = args.pki_force_destroy + ++ # '--remove-logs' ++ remove_logs = args.pki_remove_logs ++ + # verify that previously deployed instance exists + deployed_pki_instance_path = os.path.join( + config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name +@@ -235,6 +245,9 @@ def main(argv): + # Add force_destroy to master dictionary + parser.mdict['pki_force_destroy'] = force_destroy + ++ # Add remove logs to master dictionary ++ parser.mdict['pki_remove_logs'] = remove_logs ++ + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), +-- +1.8.3.1 + + +From 24405fac463e59250ccf42507bba7fb811e3a2fb Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 17:02:03 -0400 +Subject: [PATCH 03/13] Reuse same instance log dirs (if exists) + +Resolves: Bug 1644769 +Ticket: https://pagure.io/dogtagpki/issue/3077 + +- `pkidestroy` behaviour was chagned to preserve the logs by default. 
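Review bot: The `--remove-logs` help text in the pkidestroy hunk, `help='remove subsystem logs'`, does not say that the flag also deletes the signed audit log directory, which the subsystem_layout.py hunk in this patch now removes only under `pki_remove_logs` for subsystems in `PKI_SIGNED_AUDIT_SUBSYSTEMS`. Audit logs are the record an operator may need to retain after a destroy, so the option should say so: `help='remove subsystem logs, including signed audit logs'`. The instance_layout.py and subsystem_layout.py hunks read `deployer.mdict['pki_remove_logs']` directly, so a caller that builds `mdict` without going through this main() would raise KeyError; `deployer.mdict.get('pki_remove_logs', False)` would preserve the preserve-by-default behaviour there.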
+ When `pkispawn` is run, it throws a name space collision error. +- This patch reuses the log dir and appends logs to the same log dir + structure (if exists) and logs it accordingly. + +`Signed-off-by: Dinesh Prasanth M K ` + +(cherry picked from commit c6c6757b4c566d10d25fe220fa9f59539c7a55ee) +--- + base/server/python/pki/server/deployment/pkihelper.py | 12 +++++------- + base/server/python/pki/server/deployment/pkimessages.py | 2 ++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index e1b9a02..3b55f78 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -345,18 +345,16 @@ class Namespace: + log.PKIHELPER_NAMESPACE_COLLISION_2 % ( + self.mdict['pki_instance_name'], + self.mdict['pki_cgroup_cpu_systemd_service_path'])) ++ + if os.path.exists(self.mdict['pki_instance_log_path']) and\ + os.path.exists(self.mdict['pki_subsystem_log_path']): +- # Top-Level PKI log path collision +- config.pki_log.error( +- log.PKIHELPER_NAMESPACE_COLLISION_2, ++ # Check if logs already exist. If so, append to it. 
Log it as info ++ config.pki_log.info( ++ log.PKIHELPER_LOG_REUSE, + self.mdict['pki_instance_name'], + self.mdict['pki_instance_log_path'], + extra=config.PKI_INDENTATION_LEVEL_2) +- raise Exception( +- log.PKIHELPER_NAMESPACE_COLLISION_2 % ( +- self.mdict['pki_instance_name'], +- self.mdict['pki_instance_log_path'])) ++ + if os.path.exists(self.mdict['pki_instance_configuration_path']) and\ + os.path.exists(self.mdict['pki_subsystem_configuration_path']): + # Top-Level PKI configuration path collision +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index 7bb79ca..6539295 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -277,6 +277,8 @@ PKIHELPER_NAMESPACE_COLLISION_2 = \ + "PKI instance '%s' would produce a namespace collision with '%s'!" + PKIHELPER_NAMESPACE_RESERVED_NAME_2 = \ + "PKI instance '%s' is already a reserved name under '%s'!" ++PKIHELPER_LOG_REUSE = \ ++ "previous logs of PKI instance '%s' already exist. Appending logs to '%s'" + PKIHELPER_NCIPHER_RESTART_1 = "executing '%s'" + PKIHELPER_NOISE_FILE_2 = \ + "generating noise file called '%s' and filling it with '%d' random bytes" +-- +1.8.3.1 + + +From 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 22 Aug 2018 00:02:03 +0200 +Subject: [PATCH 04/13] Updated pki.nssdb to support multiple CSR delimiters + types + +The pki.nssdb module has been modified to support both standard +and legacy CSR delimiters as defined in RFC 7468. 
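Review bot: The pkihelper.py hunk replaces the log-path collision error with an info message and falls through, but the reused `pki_instance_log_path` and `pki_subsystem_log_path` are not checked for ownership or permissions before the new instance appends to them. If the earlier instance ran under a different `pki_user`/`pki_group`, or the directories were changed after it was destroyed, the new instance either cannot write its logs or writes into files it does not own; comparing the owner reported by `os.stat()` on both paths against the deploying uid/gid, or re-applying ownership when the instance layout is created, closes that gap. The message `PKIHELPER_LOG_REUSE` names only `pki_instance_log_path`, although the condition also requires `pki_subsystem_log_path` to exist. The enclosing method starts outside the hunk.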
+
+https://pagure.io/dogtagpki/issue/3053
+
+Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
+(cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3)
+---
+ base/common/python/pki/nssdb.py | 46 +++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 39 insertions(+), 7 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index f350255..d4ae804 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -34,8 +34,11 @@ from cryptography.hazmat.backends import default_backend
+
+ import pki
+
+-CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
+-CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
++CSR_HEADER = '-----BEGIN CERTIFICATE REQUEST-----'
++CSR_FOOTER = '-----END CERTIFICATE REQUEST-----'
++
++LEGACY_CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
++LEGACY_CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
+
+ CERT_HEADER = '-----BEGIN CERTIFICATE-----'
+ CERT_FOOTER = '-----END CERTIFICATE-----'
+@@ -51,10 +54,18 @@ logger = logging.LoggerAdapter(
+ extra={'indent': ''})
+
+
+-def convert_data(data, input_format, output_format, header=None, footer=None):
++def convert_data(data, input_format, output_format,
++ header=None, footer=None,
++ headers=None, footers=None):
++ '''
++ This method converts a PEM file to base-64 and vice versa.
++ It supports CSR, certificate, and PKCS #7 certificate chain. 
++ '''
++
+ if input_format == output_format:
+ return data
+
++ # converting from base-64 to PEM
+ if input_format == 'base64' and output_format == 'pem':
+
+ # join base-64 data into a single line
+@@ -66,16 +77,30 @@ def convert_data(data, input_format, output_format, header=None, footer=None):
+ # add header and footer
+ return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer)
+
++ # converting from PEM to base-64
+ if input_format == 'pem' and output_format == 'base64':
+
++ # initialize list of headers if not provided
++ if not headers:
++ headers = [header]
++
++ # initialize list of footers if not provided
++ if not footers:
++ footers = [footer]
++
+ # join multiple lines into a single line
+ lines = []
+ for line in data.splitlines():
+ line = line.rstrip('\r\n')
+- if line == header:
++
++ # if the line is a header, skip
++ if line in headers:
+ continue
+- if line == footer:
++
++ # if the line is a footer, skip
++ if line in footers:
+ continue
++
+ lines.append(line)
+
+ return ''.join(lines)
+@@ -86,7 +111,9 @@ def convert_data(data, input_format, output_format, header=None, footer=None):
+
+ def convert_csr(csr_data, input_format, output_format):
+ return convert_data(csr_data, input_format, output_format,
+- CSR_HEADER, CSR_FOOTER)
++ CSR_HEADER, CSR_FOOTER,
++ headers=[CSR_HEADER, LEGACY_CSR_HEADER],
++ footers=[CSR_FOOTER, LEGACY_CSR_FOOTER])
+
+
+ def convert_cert(cert_data, input_format, output_format):
+@@ -100,10 +127,15 @@ def convert_pkcs7(pkcs7_data, input_format, output_format):
+
+
+ def get_file_type(filename):
++ '''
++ This method detects the content of a PEM file. It supports
++ CSR, certificate, PKCS #7 certificate chain. 
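Review bot: In the PEM-to-base-64 branch of `convert_data` the new `if line in headers` / `if line in footers` checks skip only exact delimiter matches, so input that carries no recognised delimiter, or a different one (a certificate handed to `convert_csr`), is joined verbatim and returned as if it were valid base-64, and any explanatory text line preceding the header is folded into the output. Recording whether a line from `headers` was actually seen and failing when none was, e.g. `if not found_header: raise ValueError('missing PEM header')`, turns a silent mis-parse into an error at the point where CSR files are read. `headers = [header]` also evaluates to `[None]` when neither argument is given; harmless for the membership test, but worth a one-line comment.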
++ ''' ++ + with open(filename, 'r') as f: + data = f.read() + +- if data.startswith(CSR_HEADER): ++ if data.startswith(CSR_HEADER) or data.startswith(LEGACY_CSR_HEADER): + return 'csr' + + if data.startswith(CERT_HEADER): +-- +1.8.3.1 + + +From b9867142f4971a98b6c79ba16788db8829dfd79d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 20 Aug 2018 23:14:25 +0200 +Subject: [PATCH 05/13] Removed default CSR paths + +The default.cfg has been modified to remove default CSR paths. + +The verify_predefined_configuration_file_data() has been modified +to no longer require CSR path parameters in the first step of +external CA scenario. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2 +(cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710) +--- + base/server/etc/default.cfg | 24 ++++++++-------- + .../python/pki/server/deployment/pkihelper.py | 32 +--------------------- + 2 files changed, 13 insertions(+), 43 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index b92cca7..2c0430a 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -330,7 +330,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=% + pki_ca_signing_token= + + # DEPRECATED: Use 'pki_ca_signing_csr_path' instead. +-pki_external_csr_path=%(pki_instance_configuration_path)s/external_ca.csr ++pki_external_csr_path= + pki_ca_signing_csr_path=%(pki_external_csr_path)s + + pki_ocsp_signing_csr_path= +@@ -442,12 +442,12 @@ pki_kra_ephemeral_requests=False + + # DEPRECATED + # Use 'pki_*_csr_path' instead. 
+-pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +-pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +-pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +-pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr +-pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr +-pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr ++pki_external_admin_csr_path= ++pki_external_audit_signing_csr_path= ++pki_external_sslserver_csr_path= ++pki_external_storage_csr_path= ++pki_external_subsystem_csr_path= ++pki_external_transport_csr_path= + + pki_admin_csr_path=%(pki_external_admin_csr_path)s + pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s +@@ -527,11 +527,11 @@ pki_standalone=False + + # DEPRECATED + # Use 'pki_*_csr_path' instead. 
+-pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +-pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +-pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr +-pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +-pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr ++pki_external_admin_csr_path= ++pki_external_audit_signing_csr_path= ++pki_external_signing_csr_path= ++pki_external_sslserver_csr_path= ++pki_external_subsystem_csr_path= + + pki_admin_csr_path=%(pki_external_admin_csr_path)s + pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 3b55f78..b3c3ccb 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -712,39 +712,9 @@ class ConfigurationFile: + # pki_ca_signing_cert_path are optional. 
+ pass + elif not self.skip_configuration and self.standalone: +- if not self.external_step_two: +- +- # Stand-alone PKI Admin CSR (Step 1) +- self.confirm_data_exists("pki_admin_csr_path") +- +- # Stand-alone PKI Audit Signing CSR (Step 1) +- self.confirm_data_exists( +- "pki_audit_signing_csr_path") + +- # Stand-alone PKI SSL Server CSR (Step 1) +- self.confirm_data_exists("pki_sslserver_csr_path") ++ if self.external_step_two: + +- # Stand-alone PKI Subsystem CSR (Step 1) +- self.confirm_data_exists("pki_subsystem_csr_path") +- +- # Stand-alone PKI KRA CSRs +- if self.subsystem == "KRA": +- +- # Stand-alone PKI KRA Storage CSR (Step 1) +- self.confirm_data_exists( +- "pki_storage_csr_path") +- +- # Stand-alone PKI KRA Transport CSR (Step 1) +- self.confirm_data_exists( +- "pki_transport_csr_path") +- +- # Stand-alone PKI OCSP CSRs +- if self.subsystem == "OCSP": +- # Stand-alone PKI OCSP OCSP Signing CSR (Step 1) +- self.confirm_data_exists( +- "pki_ocsp_signing_csr_path") +- +- else: + # Stand-alone PKI External CA Certificate (Step 2) + # The pki_ca_signing_cert_path is optional. + +-- +1.8.3.1 + + +From e2563b186203e5e89d281ff5c39ca182f62cfefa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 21 Aug 2018 01:03:11 +0200 +Subject: [PATCH 06/13] Added support for installation with custom CSRs + +The installation code has been modified to import custom +CSRs for KRA and OCSP system certicates if provided. The +CA installation already supports this functionality. 
+ +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188 +(cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97) +--- + .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 11 +++-------- + .../pki/server/deployment/scriptlets/configuration.py | 16 ++++++++++++---- + 2 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index d8b4965..7398891 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -2986,14 +2986,9 @@ public class ConfigurationUtils { + + CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")"); + +- try { +- String certreq = config.getString(subsystem + "." + tag + ".certreq"); +- return CryptoUtil.base64Decode(certreq); +- +- } catch (EPropertyNotFound e) { +- // The CSR is optional for existing CA case. +- return null; +- } ++ // the CSR must exist in the second step of external CA scenario ++ String certreq = config.getString(subsystem + "." 
+ tag + ".certreq"); ++ return CryptoUtil.base64Decode(certreq); + } + + public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception { +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 7bc0023..cf02205 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -368,7 +368,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + csr_data = f.read() + + b64_csr = pki.nssdb.convert_csr(csr_data, 'pem', 'base64') +- subsystem.config['ca.%s.certreq' % tag] = b64_csr ++ subsystem.config['%s.%s.certreq' % (subsystem.name, tag)] = b64_csr + + def import_ca_signing_csr(self, deployer, subsystem): + +@@ -391,9 +391,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if subsystem.name == 'ca': + self.import_ca_signing_csr(deployer, subsystem) + self.import_system_cert_request(deployer, subsystem, 'ocsp_signing') +- self.import_system_cert_request(deployer, subsystem, 'audit_signing') +- self.import_system_cert_request(deployer, subsystem, 'subsystem') +- self.import_system_cert_request(deployer, subsystem, 'sslserver') ++ ++ if subsystem.name == 'kra': ++ self.import_system_cert_request(deployer, subsystem, 'storage') ++ self.import_system_cert_request(deployer, subsystem, 'transport') ++ ++ if subsystem.name == 'ocsp': ++ self.import_system_cert_request(deployer, subsystem, 'signing') ++ ++ self.import_system_cert_request(deployer, subsystem, 'audit_signing') ++ self.import_system_cert_request(deployer, subsystem, 'subsystem') ++ self.import_system_cert_request(deployer, subsystem, 'sslserver') + + def import_ca_signing_cert(self, deployer, nssdb): + +-- +1.8.3.1 + + +From e3b8099fb20b6806020bab1a1687340da643eacf Mon Sep 17 00:00:00 2001 +From: "Endi S. 
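Review bot: Removing the `EPropertyNotFound` catch in `loadCertRequest` changes its contract from "return null when `<subsystem>.<tag>.certreq` is not configured" to "throw", and the deleted comment said the null return covered the existing-CA case; any caller that still null-checks the result is now dead code, and an existing-CA path that reaches this method without a certreq now fails with the `getString` exception. The new comment should state the contract rather than the scenario, e.g. `// <subsystem>.<tag>.certreq is mandatory here: step two of the external CA scenario always supplies a CSR, so a missing property propagates as an error`, and the `EPropertyNotFound` import in this file may now be unused. The method signature is outside the hunk.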
Dewata" +Date: Tue, 21 Aug 2018 20:01:30 +0200 +Subject: [PATCH 07/13] Fixed messages for installation with custom keys + +The pkispawn has been modified to display the proper message +for installation with custom keys where the CSRs will not be +generated. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c +(cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f) +--- + base/server/sbin/pkispawn | 81 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 65 insertions(+), 16 deletions(-) + +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index ab94b8b..64c7a67 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -760,9 +760,17 @@ def print_external_ca_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" A CSR for the CA certificate has been generated at:\n" +- " %s" +- % mdict['pki_ca_signing_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ signing_csr = mdict['pki_ca_signing_csr_path'] ++ ++ if signing_csr: ++ print(" A CSR for the CA signing certificate has been generated in:") ++ print(" %s" % mdict['pki_ca_signing_csr_path']) ++ else: ++ print(" No CSR has been generated for CA signing certificate.") ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +@@ -773,13 +781,35 @@ def print_kra_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." 
% + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" The CSRs for KRA certificates have been generated in:") +- print(" storage: %s" % mdict['pki_storage_csr_path']) +- print(" transport: %s" % mdict['pki_transport_csr_path']) +- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) +- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) +- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) +- print(" admin: %s" % mdict['pki_admin_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ storage_csr = mdict['pki_storage_csr_path'] ++ transport_csr = mdict['pki_transport_csr_path'] ++ subsystem_csr = mdict['pki_subsystem_csr_path'] ++ sslserver_csr = mdict['pki_sslserver_csr_path'] ++ audit_csr = mdict['pki_audit_signing_csr_path'] ++ admin_csr = mdict['pki_admin_csr_path'] ++ ++ if storage_csr or transport_csr or subsystem_csr or sslserver_csr \ ++ or audit_csr or admin_csr: ++ print(" The CSRs for KRA certificates have been generated in:") ++ else: ++ print(" No CSRs have been generated for KRA certificates.") ++ ++ if storage_csr: ++ print(" storage: %s" % storage_csr) ++ if transport_csr: ++ print(" transport: %s" % transport_csr) ++ if subsystem_csr: ++ print(" subsystem: %s" % subsystem_csr) ++ if sslserver_csr: ++ print(" SSL server: %s" % sslserver_csr) ++ if audit_csr: ++ print(" audit signing: %s" % audit_csr) ++ if admin_csr: ++ print(" admin: %s" % admin_csr) ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +@@ -790,12 +820,31 @@ def print_ocsp_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." 
% + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" The CSRs for OCSP certificates have been generated in:") +- print(" OCSP signing: %s" % mdict['pki_ocsp_signing_csr_path']) +- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) +- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) +- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) +- print(" admin: %s" % mdict['pki_admin_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ signing_csr = mdict['pki_ocsp_signing_csr_path'] ++ subsystem_csr = mdict['pki_subsystem_csr_path'] ++ sslserver_csr = mdict['pki_sslserver_csr_path'] ++ audit_csr = mdict['pki_audit_signing_csr_path'] ++ admin_csr = mdict['pki_admin_csr_path'] ++ ++ if signing_csr or subsystem_csr or sslserver_csr or audit_csr or admin_csr: ++ print(" The CSRs for OCSP certificates have been generated in:") ++ else: ++ print(" No CSRs have been generated for OCSP certificates.") ++ ++ if signing_csr: ++ print(" OCSP signing: %s" % signing_csr) ++ if subsystem_csr: ++ print(" subsystem: %s" % subsystem_csr) ++ if sslserver_csr: ++ print(" SSL server: %s" % sslserver_csr) ++ if audit_csr: ++ print(" audit signing: %s" % audit_csr) ++ if admin_csr: ++ print(" admin: %s" % admin_csr) ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +-- +1.8.3.1 + + +From 6c7079adf8878a2c799cd716c3df9ec75816accd Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 23 Aug 2018 06:10:44 +0200 +Subject: [PATCH 08/13] Fixed pki client-cert-import to accept PKCS #7 CA cert + chain + +The NSSDatabase.add_cert() has been modified to accept both single +certificates and PKCS #7 certificate chains in PEM format. + +The pki client-cert-import has been modified to support importing +CA cert chain in PKCS #7 format. + +The Cert.parseCertificate() has been modified to parse PKCS #7 +cert chain properly. 
+
+https://pagure.io/dogtagpki/issue/3053
+
+Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
+(cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce)
+---
+ base/common/python/pki/nssdb.py | 2 ++
+ .../com/netscape/cmstools/client/ClientCertImportCLI.java | 14 +++++++++++---
+ base/util/src/com/netscape/cmsutil/util/Cert.java | 12 +++++++++---
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
+index d4ae804..05d2c62 100644
+--- a/base/common/python/pki/nssdb.py
++++ b/base/common/python/pki/nssdb.py
+@@ -223,6 +223,7 @@ class NSSDatabase(object):
+ '-P', self.token,
+ '-f', self.password_file,
+ '-n', nickname,
++ '-a',
+ '-i', cert_file,
+ '-t', ''
+ ]
+@@ -242,6 +243,7 @@ class NSSDatabase(object):
+ '-d', self.directory,
+ '-f', self.internal_password_file,
+ '-n', nickname,
++ '-a',
+ '-i', cert_file,
+ '-t', trust_attributes
+ ]
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+index 99b215e..62fd4d6 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+@@ -19,7 +19,6 @@
+ package com.netscape.cmstools.client;
+
+ import java.io.File;
+-import java.io.FileOutputStream;
+ import java.io.FileWriter;
+ import java.io.PrintWriter;
+ import java.net.URI;
+@@ -45,6 +44,7 @@ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.cmsutil.util.Cert;
++import com.netscape.cmsutil.util.Utils;
+
+ import netscape.security.pkcs.PKCS12;
+ import netscape.security.pkcs.PKCS7;
+@@ -250,8 +250,11 @@ public class ClientCertImportCLI extends CLI {
+ File certFile = File.createTempFile("pki-client-cert-import-", ".crt");
+ certFile.deleteOnExit();
+
+- try 
(FileOutputStream out = new FileOutputStream(certFile)) {
+- out.write(bytes);
++ try (FileWriter fw = new FileWriter(certFile);
++ PrintWriter out = new PrintWriter(fw)) {
++ out.println(PKCS7.HEADER);
++ out.print(Utils.base64encode(bytes, true));
++ out.println(PKCS7.FOOTER);
+ }
+
+ if (trustAttributes == null)
+@@ -338,6 +341,9 @@ public class ClientCertImportCLI extends CLI {
+ command.add(dbPasswordFile.getAbsolutePath());
+ }
+
++ // accept PEM or PKCS #7 certificate
++ command.add("-a");
++
+ command.add("-i");
+ command.add(certFile);
+ command.add("-n");
+@@ -362,10 +368,12 @@ public class ClientCertImportCLI extends CLI {
+ String trustAttributes) throws Exception {
+
+ if (nickname != null) {
++ // import a single CA certificate with the provided nickname
+ importCert(dbPath, dbPasswordFile, certFile, nickname, trustAttributes);
+ return;
+ }
+
++ // import CA certificate chain with auto-generated nicknames
+ String pemCert = new String(Files.readAllBytes(Paths.get(certFile))).trim();
+ byte[] binCert = Cert.parseCertificate(pemCert);
+
+diff --git a/base/util/src/com/netscape/cmsutil/util/Cert.java b/base/util/src/com/netscape/cmsutil/util/Cert.java
+index f084395..e6f2460 100644
+--- a/base/util/src/com/netscape/cmsutil/util/Cert.java
++++ b/base/util/src/com/netscape/cmsutil/util/Cert.java
+@@ -33,6 +33,9 @@ public class Cert {
+ public static final String HEADER = "-----BEGIN CERTIFICATE-----";
+ public static final String FOOTER = "-----END CERTIFICATE-----";
+
++ public static final String PKCS7_HEADER = "-----BEGIN PKCS7-----";
++ public static final String PKCS7_FOOTER = "-----END PKCS7-----";
++
+ // From https://www.rfc-editor.org/rfc/rfc7468.txt
+ public static final String REQUEST_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
+ public static final String REQUEST_FOOTER = "-----END CERTIFICATE REQUEST-----";
+@@ -68,9 +71,12 @@ public class Cert {
+ return s;
+ }
+
+- if ((s.startsWith(HEADER)) &&
+- (s.endsWith(FOOTER))) {
+- return 
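Review bot: The temp file in the `@@ -250,8 +250,11 @@` hunk is framed with `PKCS7.HEADER`/`PKCS7.FOOTER` from netscape.security.pkcs.PKCS7, while the Cert.java hunk in the same commit introduces a second pair, `Cert.PKCS7_HEADER`/`Cert.PKCS7_FOOTER`, that `Cert.parseCertificate` later strips when the chain-import path reads the file back; the two pairs are not shown to hold the same value, so a later edit to either one silently breaks chain import. Use a single definition, `out.println(Cert.PKCS7_HEADER);` and `out.println(Cert.PKCS7_FOOTER);`, or document that the two must stay in sync. `new FileWriter(certFile)` also writes with the platform default charset; base-64 is ASCII so it works today, but an explicit charset would make that assumption visible. The enclosing method starts outside the hunk.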
(s.substring(27, (s.length() - 25))); ++ if (s.startsWith(HEADER) && s.endsWith(FOOTER)) { ++ return s.substring(HEADER.length(), s.length() - FOOTER.length()); ++ } ++ ++ if (s.startsWith(PKCS7_HEADER) && s.endsWith(PKCS7_FOOTER)) { ++ return s.substring(PKCS7_HEADER.length(), s.length() - PKCS7_FOOTER.length()); + } + + // To support Thawte's header and footer +-- +1.8.3.1 + + +From ea9b582909d10d8f6c485860615319b6f6c31741 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 31 Aug 2018 00:32:44 +0200 +Subject: [PATCH 09/13] Renamed server NSS database parameters + +The following parameters have been renamed for consistency: +* pki_database_path -> pki_server_database_path +* pki_pin -> pki_server_database_password + +The old parameters are still usable but they have been +deprecated. + +The pki_client_pin is redundant so it has been removed. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: I243a01b360f573a16a160e9a415f786e38681603 +(cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853) +--- + base/server/etc/default.cfg | 10 ++++++- + .../python/pki/server/deployment/pkihelper.py | 10 +++---- + .../python/pki/server/deployment/pkiparser.py | 34 +++++++++++++--------- + .../server/deployment/scriptlets/configuration.py | 4 +-- + .../deployment/scriptlets/instance_layout.py | 6 ++-- + .../deployment/scriptlets/security_databases.py | 21 ++++++------- + .../server/deployment/scriptlets/selinux_setup.py | 8 ++--- + base/server/sbin/pkispawn | 6 ++-- + 8 files changed, 57 insertions(+), 42 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 2c0430a..0ae0764 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -31,6 +31,7 @@ sensitive_parameters= + pki_pin + pki_replication_password + pki_security_domain_password ++ pki_server_database_password + pki_server_pkcs12_password + pki_token_password + +@@ -173,6 +174,14 @@ 
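Review bot: Both new branches in `parseCertificate` compute `s.substring(HEADER.length(), s.length() - FOOTER.length())` without checking that `s` is at least `HEADER.length() + FOOTER.length()` long; because the header ends and the footer begins with `-----`, a constructed input such as `-----BEGIN CERTIFICATE-----END CERTIFICATE-----` satisfies both `startsWith` and `endsWith` yet yields an end index below the start index, so malformed input surfaces as a `StringIndexOutOfBoundsException` instead of a parse error. A length guard before each substring, rejecting the input with whatever error the method's callers already handle for unparseable PEM, keeps the failure explicit; the same applies to the `PKCS7_HEADER`/`PKCS7_FOOTER` branch. The method starts outside the hunk and continues into the Thawte branch after it.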
pki_cert_chain_path=%(pki_external_ca_cert_chain_path)s + pki_external_ca_cert_chain_nickname=caSigningCert External CA + pki_cert_chain_nickname=%(pki_external_ca_cert_chain_nickname)s + ++# DEPRECATED: Use 'pki_server_database_path' instead. ++pki_database_path=%(pki_instance_configuration_path)s/alias ++pki_server_database_path=%(pki_database_path)s ++ ++# DEPRECATED: Use 'pki_server_database_password' instead. ++pki_pin= ++pki_server_database_password= ++ + pki_pkcs12_path= + pki_pkcs12_password= + +@@ -201,7 +210,6 @@ pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki + pki_instance_path=%(pki_path)s/%(pki_instance_name)s + pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s + pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s +-pki_database_path=%(pki_instance_configuration_path)s/alias + pki_instance_database_link=%(pki_instance_path)s/alias + pki_instance_conf_link=%(pki_instance_path)s/conf + pki_instance_logs_link=%(pki_instance_path)s/logs +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index b3c3ccb..77594ec 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -3092,7 +3092,7 @@ class KRAConnector: + "-h", cahost, + "-n", subsystemnick, + "-P", "https", +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-c", token_pwd, + "ca-kraconnector-del", + "--host", krahost, +@@ -3125,7 +3125,7 @@ class KRAConnector: + command = ["/usr/bin/sslget", + "-n", subsystemnick, + "-p", token_pwd, +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", update_url, cahost + ":" + str(caport)] +@@ -3236,7 +3236,7 @@ class TPSConnector: + "-h", tkshost, + "-n", subsystemnick, + "-P", "https", +- "-d", self.mdict['pki_database_path'], ++ "-d", 
self.mdict['pki_server_database_path'], + "-c", token_pwd, + "-t", "tks", + "tks-tpsconnector-del", +@@ -3336,7 +3336,7 @@ class SecurityDomain: + admin_update_url = "/ca/admin/ca/updateDomainXML" + command = ["/usr/bin/sslget", + "-p", str(123456), +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", admin_update_url, +@@ -3451,7 +3451,7 @@ class SecurityDomain: + command = ["/usr/bin/sslget", + "-n", subsystemnick, + "-p", token_pwd, +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", update_url, sechost + ":" + str(secagentport)] +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 2397f43..5b8cdd3 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -84,7 +84,11 @@ class PKIConfigParser: + (None, 'pki_ssl_server_subject_dn', + None, 'pki_sslserver_subject_dn'), + (None, 'pki_ssl_server_token', +- None, 'pki_sslserver_token') ++ None, 'pki_sslserver_token'), ++ (None, 'pki_database_path', ++ None, 'pki_server_database_path'), ++ (None, 'pki_pin', ++ None, 'pki_server_database_password'), + ] + + DEPRECATED_CA_PARAMS = [ +@@ -490,6 +494,7 @@ class PKIConfigParser: + 'pki_pin', + 'pki_replication_password', + 'pki_security_domain_password', ++ 'pki_server_database_password', + 'pki_server_pkcs12_password', + 'pki_token_password') + +@@ -766,17 +771,23 @@ class PKIConfigParser: + + # if instance already exists and has password, reuse the password + if internal_token in instance.passwords: +- self.mdict['pki_pin'] = instance.passwords.get(internal_token) ++ self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) + + # otherwise, use user-provided password if specified +- elif 'pki_pin' in self.mdict: ++ elif 
self.mdict['pki_server_database_password']: + pass + ++ # otherwise, use user-provided pin if specified ++ elif self.mdict['pki_pin']: ++ self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] ++ + # otherwise, generate a random password + else: +- self.mdict['pki_pin'] = pki.generate_password() ++ self.mdict['pki_server_database_password'] = pki.generate_password() + +- self.mdict['pki_client_pin'] = pki.generate_password() ++ # generate random password for client database if not specified ++ if not self.mdict['pki_client_database_password']: ++ self.mdict['pki_client_database_password'] = pki.generate_password() + + pkilogging.sensitive_parameters = \ + self.mdict['sensitive_parameters'].split() +@@ -1231,13 +1242,13 @@ class PKIConfigParser: + self.mdict['pki_instance_configuration_path'], + "password.conf") + self.mdict['pki_cert_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "cert8.db") + self.mdict['pki_key_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "key3.db") + self.mdict['pki_secmod_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "secmod.db") + self.mdict['pki_self_signed_nickname'] = \ + self.mdict['pki_sslserver_nickname'] +@@ -1262,11 +1273,6 @@ class PKIConfigParser: + self.mdict['pki_subsystem_configuration_path'], + "password.conf") + +- if not len(self.mdict['pki_client_database_password']): +- # use randomly generated client 'pin' +- self.mdict['pki_client_database_password'] = \ +- str(self.mdict['pki_client_pin']) +- + # Configuration scriptlet + # 'Security Domain' Configuration name/value pairs + # 'Subsystem Name' Configuration name/value pairs +@@ -1393,7 +1399,7 @@ class PKIConfigParser: + # NOTE: ALWAYS store the PKCS #12 backup keys file + # in with the NSS "server" security databases + 
self.mdict['pki_backup_keys_p12'] = \ +- self.mdict['pki_database_path'] + "/" + \ ++ self.mdict['pki_server_database_path'] + "/" + \ + self.mdict['pki_subsystem'].lower() + "_" + \ + "backup" + "_" + "keys" + "." + "p12" + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index cf02205..f085e80 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -865,7 +865,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + deployer.password.create_password_conf( + deployer.mdict['pki_shared_pfile'], +- deployer.mdict['pki_pin'], pin_sans_token=True) ++ deployer.mdict['pki_server_database_password'], pin_sans_token=True) + + # only create a self signed cert for a new instance + # +@@ -884,7 +884,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + f.write("not_so_random_data") + + deployer.certutil.generate_self_signed_certificate( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 568c0a0..e5ce820 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -162,10 +162,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.systemd.daemon_reload() + + # establish shared NSS security databases for this instance +- deployer.directory.create(deployer.mdict['pki_database_path']) ++ deployer.directory.create(deployer.mdict['pki_server_database_path']) + # establish instance convenience symbolic links + 
deployer.symlink.create( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_instance_database_link']) + deployer.symlink.create( + deployer.mdict['pki_instance_configuration_path'], +@@ -205,7 +205,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.delete(deployer.mdict['pki_instance_log_path']) + + # remove shared NSS security database path for this instance +- deployer.directory.delete(deployer.mdict['pki_database_path']) ++ deployer.directory.delete(deployer.mdict['pki_server_database_path']) + # remove Tomcat instance configuration + deployer.directory.delete( + deployer.mdict['pki_instance_configuration_path']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +index 02f4713..7ce32a8 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py ++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +@@ -54,12 +54,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if config.str2bool(deployer.mdict['pki_hsm_enable']): + deployer.password.create_hsm_password_conf( + deployer.mdict['pki_shared_password_conf'], +- deployer.mdict['pki_pin'], ++ deployer.mdict['pki_server_database_password'], + deployer.mdict['pki_token_password']) + else: + deployer.password.create_password_conf( + deployer.mdict['pki_shared_password_conf'], +- deployer.mdict['pki_pin']) ++ deployer.mdict['pki_server_database_password']) + + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' +@@ -67,11 +67,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # allowing 'certutil' to generate the security databases + deployer.password.create_password_conf( + deployer.mdict['pki_shared_pfile'], +- deployer.mdict['pki_pin'], pin_sans_token=True) 
++ deployer.mdict['pki_server_database_password'], pin_sans_token=True) + deployer.file.modify(deployer.mdict['pki_shared_password_conf']) + + deployer.certutil.create_security_databases( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +@@ -79,7 +79,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + if config.str2bool(deployer.mdict['pki_hsm_enable']): + deployer.modutil.register_security_module( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_hsm_modulename'], + deployer.mdict['pki_hsm_libfile']) + deployer.file.modify( +@@ -103,7 +103,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise Exception('Missing pki_server_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( +- directory=deployer.mdict['pki_database_path'], ++ directory=deployer.mdict['pki_server_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + try: +@@ -129,7 +129,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise Exception('Missing pki_clone_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( +- directory=deployer.mdict['pki_database_path'], ++ directory=deployer.mdict['pki_server_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + try: +@@ -162,7 +162,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname=deployer.mdict['pki_audit_signing_nickname'], + trust_attributes='u,u,Pu') + +- print('Imported certificates in %s:' % deployer.mdict['pki_database_path']) ++ print('Imported certificates into %s:' % ++ deployer.mdict['pki_server_database_path']) + + nssdb.show_certs() + +@@ -180,7 +181,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # the instance will utilize 'softokn' or an HSM + # + rv = 
deployer.certutil.verify_certificate_exists( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +@@ -195,7 +196,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + 'pki_ds_secure_connection_ca_trustargs'], + deployer.mdict['pki_ds_secure_connection_ca_pem_file'], + password_file=deployer.mdict['pki_shared_pfile'], +- path=deployer.mdict['pki_database_path'], ++ path=deployer.mdict['pki_server_database_path'], + token=deployer.mdict['pki_self_signed_token']) + + # Always delete the temporary 'pfile' +diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +index d5e4b0c..7d324d4 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py ++++ b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +@@ -115,10 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + config.pki_log.info( + "adding selinux fcontext \"%s\"", +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add( +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + + port_records = seobject.portRecords(trans) +@@ -206,10 +206,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + config.pki_log.info( + "deleting selinux fcontext \"%s\"", +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete( +- deployer.mdict['pki_database_path'] + ++ deployer.mdict['pki_server_database_path'] + + self.suffix, "") + + port_records = 
seobject.portRecords(trans) +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 64c7a67..867a381 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -760,7 +760,7 @@ def print_external_ca_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + signing_csr = mdict['pki_ca_signing_csr_path'] +@@ -781,7 +781,7 @@ def print_kra_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + storage_csr = mdict['pki_storage_csr_path'] +@@ -820,7 +820,7 @@ def print_ocsp_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + signing_csr = mdict['pki_ocsp_signing_csr_path'] +-- +1.8.3.1 + + +From a3d27ed43b9c119cfaff100573d89c2caa08e3b7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 7 Sep 2018 16:32:47 +0200 +Subject: [PATCH 10/13] Fixed password generation in pkispawn + +Previously the NSS database passwords were generated in +pkiparser.py. Under certain scenarios the password may be +overwritten by a subsequent code in pkispawn. To avoid the +problem the code that generates the NSS database passwords +has been moved into the initialization scriptlet. 
+ +https://pagure.io/dogtagpki/issue/3061 + +Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb +(cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86) +--- + .../python/pki/server/deployment/pkiparser.py | 25 -------------------- + .../server/deployment/scriptlets/initialization.py | 27 ++++++++++++++++++++++ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 5b8cdd3..2ea7319 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -764,31 +764,6 @@ class PKIConfigParser: + + self.deployer.flatten_master_dict() + +- instance = pki.server.PKIInstance(self.mdict['pki_instance_name']) +- instance.load() +- +- internal_token = self.mdict['pki_self_signed_token'] +- +- # if instance already exists and has password, reuse the password +- if internal_token in instance.passwords: +- self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) +- +- # otherwise, use user-provided password if specified +- elif self.mdict['pki_server_database_password']: +- pass +- +- # otherwise, use user-provided pin if specified +- elif self.mdict['pki_pin']: +- self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] +- +- # otherwise, generate a random password +- else: +- self.mdict['pki_server_database_password'] = pki.generate_password() +- +- # generate random password for client database if not specified +- if not self.mdict['pki_client_database_password']: +- self.mdict['pki_client_database_password'] = pki.generate_password() +- + pkilogging.sensitive_parameters = \ + self.mdict['sensitive_parameters'].split() + +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index efd1536..4515b55 100644 +--- 
a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -19,6 +19,7 @@ + # + + from __future__ import absolute_import ++import pki + + # PKI Deployment Imports + from .. import pkiconfig as config +@@ -36,6 +37,32 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_subsystem'], + deployer.mdict['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) ++ ++ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) ++ instance.load() ++ ++ internal_token = deployer.mdict['pki_self_signed_token'] ++ ++ # if instance already exists and has password, reuse the password ++ if internal_token in instance.passwords: ++ deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) ++ ++ # otherwise, use user-provided password if specified ++ elif deployer.mdict['pki_server_database_password']: ++ pass ++ ++ # otherwise, use user-provided pin if specified ++ elif deployer.mdict['pki_pin']: ++ deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] ++ ++ # otherwise, generate a random password ++ else: ++ deployer.mdict['pki_server_database_password'] = pki.generate_password() ++ ++ # generate random password for client database if not specified ++ if not deployer.mdict['pki_client_database_password']: ++ deployer.mdict['pki_client_database_password'] = pki.generate_password() ++ + # ALWAYS initialize 'uid' and 'gid' + deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], + deployer.mdict['pki_group']) +-- +1.8.3.1 + + +From 4886a7f4fa3678cd26c7c38c5140784dc53b76b5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 2 Oct 2018 18:11:43 +0200 +Subject: [PATCH 11/13] Updated pki-server subsystem-cert-validate output + +The pki-server subsystem-cert-validate CLI has been modified to +show the actual message generated by NSS if the validation fails. 
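Review bot: In the password-selection chain added to the `PkiScriptlet` method whose header is outside this hunk, a `pki_server_database_password` (or deprecated `pki_pin`) supplied by the operator is silently replaced whenever `instance.passwords` already holds an entry for `internal_token`, so a deployment file that disagrees with the existing instance is accepted without a trace; log it before the assignment, e.g. `if deployer.mdict['pki_server_database_password'] and deployer.mdict['pki_server_database_password'] != instance.passwords[internal_token]: config.pki_log.warning('pki_server_database_password ignored; reusing password of existing instance')` (never include the values). The chain also reads `deployer.mdict['pki_pin']` by direct indexing, which raises KeyError rather than falling through when the key is absent — fine while default.cfg defines it, but `deployer.mdict.get('pki_pin')` costs nothing. The `import pki` added in the previous hunk resolves `pki.server.PKIInstance` only because this module already lives under `pki.server`; `import pki.server` states the dependency explicitly. Whether `pki.generate_password()` draws from a CSPRNG is not visible here and is worth confirming, since the generated value protects the server key database.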
+ +(cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876) +--- + base/server/python/pki/server/cli/subsystem.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 57093d4..068d1db 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -1038,10 +1038,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI): + return True + + except subprocess.CalledProcessError as e: +- if e.returncode == 1: +- print(' Status: INVALID') ++ if e.output: ++ status = e.output.decode('utf-8') + else: +- print(' Status: ERROR: %s' % e.output) ++ status = 'ERROR' ++ print(' Status: %s' % status) + return False + + finally: +-- +1.8.3.1 + + +From 0115c05727962dac2bdb3865388144315719a0b0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 24 Aug 2018 03:36:15 +0200 +Subject: [PATCH 12/13] Added docs for installation with custom keys + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5 +(cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252) +--- + .../Installing_CA_with_Custom_CA_Signing_Key.md | 169 ++++++++++++++++++ + .../Installing_KRA_with_Custom_Keys.md | 190 +++++++++++++++++++++ + .../Installing_OCSP_with_Custom_Keys.md | 183 ++++++++++++++++++++ + 3 files changed, 542 insertions(+) + create mode 100644 docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md + create mode 100644 docs/installation/Installing_KRA_with_Custom_Keys.md + create mode 100644 docs/installation/Installing_OCSP_with_Custom_Keys.md + +diff --git a/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md +new file mode 100644 +index 0000000..5cdf786 +--- /dev/null ++++ b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md +@@ -0,0 +1,169 @@ ++Installing CA with 
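Review bot: The new `except subprocess.CalledProcessError` block decodes `e.output` with strict UTF-8 and prints it as the entire status line, so a non-UTF-8 byte in certutil's locale-dependent output raises UnicodeDecodeError out of the error handler, and the `else` branch prints a bare `ERROR` that discards the return code the old `returncode == 1` test at least inspected. Use `status = e.output.decode('utf-8', errors='replace').strip() if e.output else 'ERROR (exit code %d)' % e.returncode` so every failure stays attributable. Whether `e.output` is populated at all depends on how the subprocess is invoked in the `try` body, which is outside this hunk (stdout and stderr must be captured, e.g. `stderr=subprocess.STDOUT` with `check_output`); the `finally` body is outside the hunk as well.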
Custom CA Signing Key ++======================================== ++ ++Overview ++-------- ++ ++This page describes the process to install a CA subsystem with a custom CA signing key, CSR, and certificate. ++ ++Starting CA Subsystem Installation ++---------------------------------- ++ ++Prepare a file (e.g. ca-step1.cfg) that contains the deployment configuration step 1, for example: ++ ++``` ++[DEFAULT] ++pki_server_database_password=Secret.123 ++ ++[CA] ++pki_admin_email=caadmin@example.com ++pki_admin_name=caadmin ++pki_admin_nickname=caadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=caadmin ++ ++pki_client_database_password=Secret.123 ++pki_client_database_purge=False ++pki_client_pkcs12_password=Secret.123 ++ ++pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com ++pki_ds_database=ca ++pki_ds_password=Secret.123 ++ ++pki_security_domain_name=EXAMPLE ++ ++pki_ca_signing_nickname=ca_signing ++pki_ocsp_signing_nickname=ca_ocsp_signing ++pki_audit_signing_nickname=ca_audit_signing ++pki_sslserver_nickname=sslserver ++pki_subsystem_nickname=subsystem ++ ++pki_external=True ++pki_external_step_two=False ++``` ++ ++Then execute the following command: ++ ++``` ++$ pkispawn -f ca-step1.cfg -s CA ++``` ++ ++It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: ++* server NSS database: /etc/pki/pki-tomcat/alias ++* admin NSS database: ~/.dogtag/pki-tomcat/ca/alias ++ ++Since there is no CSR path parameter specified, it will not generate the CA signing key by default. ++ ++Generating CA Signing Key, CSR, and Certificate ++----------------------------------------------- ++ ++Generate a custom CA signing key in the server NSS database, then generate a CSR and store it in a file (e.g. ca_signing.csr). 
++ ++Use the CSR to issue the CA signing certificate: ++* for root CA installation, generate a self-signed CA signing certificate ++* for subordinate CA installation, submit the CSR to an external CA to issue the CA signing certificate ++ ++Store the CA signing certificate in a file (e.g. ca_signing.crt). The CA signing certificate can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. ++ ++If the CA signing certificate was issued by an external CA, store the external CA certificate chain in a file (e.g. external.crt). The certificate chain can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the CA signing certificate, but it should not include the CA signing certificate itself. ++ ++See also: ++* [Generating CA Signing Certificate](http://www.dogtagpki.org/wiki/Generating_CA_Signing_Certificate) ++ ++Finishing CA Subsystem Installation ++----------------------------------- ++ ++Prepare another file (e.g. ca-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ca-step1.cfg) with additional changes below. 
++ ++Specify step 2 with the following parameter: ++ ++``` ++pki_external_step_two=True ++``` ++ ++Specify the custom CA signing CSR with the following parameter: ++ ++``` ++pki_ca_signing_csr_path=ca_signing.csr ++``` ++ ++Specify the custom CA signing certificate with the following parameter: ++ ++``` ++pki_ca_signing_cert_path=ca_signing.crt ++``` ++ ++If the CA signing certificate was issued by an external CA, specify the external CA certificate chain with the following parameters: ++ ++``` ++pki_cert_chain_nickname=external ++pki_cert_chain_path=external.crt ++``` ++ ++Finally, execute the following command: ++ ++``` ++$ pkispawn -f ca-step2.cfg -s CA ++``` ++ ++Verifying System Certificates ++----------------------------- ++ ++Verify that the server NSS database contains the following certificates: ++ ++``` ++$ certutil -L -d /etc/pki/pki-tomcat/alias ++ ++Certificate Nickname Trust Attributes ++ SSL,S/MIME,JAR/XPI ++ ++external CT,C,C ++ca_signing CTu,Cu,Cu ++ca_ocsp_signing u,u,u ++subsystem u,u,u ++ca_audit_signing u,u,Pu ++sslserver u,u,u ++``` ++ ++Verifying Admin Certificate ++--------------------------- ++ ++Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): ++ ++``` ++$ pki -c Secret.123 client-init ++``` ++ ++Import the external CA certificate chain: ++ ++``` ++$ pki -c Secret.123 client-cert-import --ca-cert external.crt ++``` ++ ++Import the CA signing certificate: ++ ++``` ++$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt ++``` ++ ++Import admin key and certificate: ++ ++``` ++$ pki -c Secret.123 client-cert-import \ ++ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ ++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf ++``` ++ ++Verify that the admin certificate can be used to access the CA subsystem by executing the following command: ++ ++``` ++$ pki -c Secret.123 -n caadmin ca-user-show caadmin ++-------------- ++User "caadmin" ++-------------- ++ User ID: caadmin ++ Full name: caadmin ++ Email: caadmin@example.com ++ Type: adminType ++ State: 1 ++``` +diff --git a/docs/installation/Installing_KRA_with_Custom_Keys.md b/docs/installation/Installing_KRA_with_Custom_Keys.md +new file mode 100644 +index 0000000..e555363 +--- /dev/null ++++ b/docs/installation/Installing_KRA_with_Custom_Keys.md +@@ -0,0 +1,190 @@ ++Installing KRA with Custom Keys ++=============================== ++ ++Overview ++-------- ++ ++This page describes the process to install a KRA subsystem with custom KRA system and admin keys, CSRs, and certificates. ++ ++Starting KRA Subsystem Installation ++----------------------------------- ++ ++Prepare a file (e.g. 
kra-step1.cfg) that contains the deployment configuration step 1, for example: ++ ++``` ++[DEFAULT] ++pki_server_database_password=Secret.123 ++ ++[KRA] ++pki_admin_email=kraadmin@example.com ++pki_admin_name=kraadmin ++pki_admin_nickname=kraadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=kraadmin ++ ++pki_client_database_password=Secret.123 ++pki_client_database_purge=False ++pki_client_pkcs12_password=Secret.123 ++ ++pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com ++pki_ds_database=kra ++pki_ds_password=Secret.123 ++ ++pki_security_domain_name=EXAMPLE ++pki_security_domain_user=caadmin ++pki_security_domain_password=Secret.123 ++ ++pki_storage_nickname=kra_storage ++pki_transport_nickname=kra_transport ++pki_subsystem_nickname=subsystem ++pki_sslserver_nickname=sslserver ++pki_audit_signing_nickname=kra_audit_signing ++ ++pki_external=True ++pki_external_step_two=False ++``` ++ ++Then execute the following command: ++ ++``` ++$ pkispawn -f kra-step1.cfg -s KRA ++``` ++ ++It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: ++* server NSS database: /etc/pki/pki-tomcat/alias ++* admin NSS database: ~/dogtag/pki-tomcat/kra/alias ++ ++Since there are no CSR path parameters specified, it will not generate KRA system and admin keys. 
++ ++Generating KRA Keys, CSRs, and Certificates ++------------------------------------------- ++ ++Generate custom KRA system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: ++* kra_storage.csr ++* kra_transport.csr ++* subsystem.csr ++* sslserver.csr ++* kra_audit_signing.csr ++* kra_admin.csr ++ ++Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: ++* kra_storage.crt ++* kra_transport.crt ++* subsystem.crt ++* sslserver.crt ++* kra_audit_signing.crt ++* kra_admin.crt ++ ++The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. ++ ++Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the KRA system and admin certificates. ++ ++See also: ++* [Generating KRA Storage Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Storage_Certificate) ++* [Generating KRA Transport Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Transport_Certificate) ++* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate) ++* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate) ++* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate) ++* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate) ++ ++Finishing KRA Subsystem Installation ++------------------------------------ ++ ++Prepare another file (e.g. kra-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. kra-step1.cfg) with additional changes below. 
++
++Specify step 2 with the following parameter:
++
++```
++pki_external_step_two=True
++```
++
++Specify the custom CSRs with the following parameters:
++
++```
++pki_storage_csr_path=kra_storage.csr
++pki_transport_csr_path=kra_transport.csr
++pki_subsystem_csr_path=subsystem.csr
++pki_sslserver_csr_path=sslserver.csr
++pki_audit_signing_csr_path=kra_audit_signing.csr
++pki_admin_csr_path=kra_admin.csr
++```
++
++Specify the custom certificates with the following parameters:
++
++```
++pki_storage_cert_path=kra_storage.crt
++pki_transport_cert_path=kra_transport.crt
++pki_subsystem_cert_path=subsystem.crt
++pki_sslserver_cert_path=sslserver.crt
++pki_audit_signing_cert_path=kra_audit_signing.crt
++pki_admin_cert_path=kra_admin.crt
++```
++
++Specify the external CA certificate chain with the following parameters:
++
++```
++pki_cert_chain_nickname=ca_signing
++pki_cert_chain_path=ca_signing.crt
++```
++
++Finally, execute the following command:
++
++```
++$ pkispawn -f kra-step2.cfg -s KRA
++```
++
++Verifying System Certificates
++-----------------------------
++
++Verify that the server NSS database contains the following certificates:
++
++```
++$ certutil -L -d /etc/pki/pki-tomcat/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++ca_signing CT,C,C
++kra_storage CTu,Cu,Cu
++kra_transport u,u,u
++subsystem u,u,u
++kra_audit_signing u,u,Pu
++sslserver u,u,u
++```
++
++Verifying Admin Certificate
++---------------------------
++
++Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
++
++```
++$ pki -c Secret.123 client-init
++```
++
++Import the external CA certificate chain:
++
++```
++$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt
++```
++
++Import the admin key and certificate:
++
++```
++$ pki -c Secret.123 client-cert-import \
++ --pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \
++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
++```
++
++Verify that the admin certificate can be used to access KRA by executing the following command:
++
++```
++$ pki -c Secret.123 -n kraadmin kra-user-show kraadmin
++---------------
++User "kraadmin"
++---------------
++ User ID: kraadmin
++ Full name: kraadmin
++ Email: kraadmin@example.com
++ Type: adminType
++ State: 1
++```
+diff --git a/docs/installation/Installing_OCSP_with_Custom_Keys.md b/docs/installation/Installing_OCSP_with_Custom_Keys.md
+new file mode 100644
+index 0000000..dca4f79
+--- /dev/null
++++ b/docs/installation/Installing_OCSP_with_Custom_Keys.md
+@@ -0,0 +1,183 @@
++Installing OCSP with Custom Keys
++================================
++
++Overview
++--------
++
++This page describes the process to install a OCSP subsystem with custom OCSP system and admin keys, CSRs, and certificates.
++
++Starting OCSP Subsystem Installation
++------------------------------------
++
++Prepare a file (e.g. ocsp-step1.cfg) that contains the deployment configuration step 1, for example:
++
++```
++[DEFAULT]
++pki_server_database_password=Secret.123
++
++[OCSP]
++pki_admin_email=ocspadmin@example.com
++pki_admin_name=ocspadmin
++pki_admin_nickname=ocspadmin
++pki_admin_password=Secret.123
++pki_admin_uid=ocspadmin
++
++pki_client_database_password=Secret.123
++pki_client_database_purge=False
++pki_client_pkcs12_password=Secret.123
++
++pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com
++pki_ds_database=ocsp
++pki_ds_password=Secret.123
++
++pki_security_domain_name=EXAMPLE
++pki_security_domain_user=caadmin
++pki_security_domain_password=Secret.123
++
++pki_ocsp_signing_nickname=ocsp_signing
++pki_subsystem_nickname=subsystem
++pki_sslserver_nickname=sslserver
++pki_audit_signing_nickname=ocsp_audit_signing
++
++pki_external=True
++pki_external_step_two=False
++```
++
++Then execute the following command:
++
++```
++$ pkispawn -f ocsp-step1.cfg -s OCSP
++```
++
++It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
++* server NSS database: /etc/pki/pki-tomcat/alias
++* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias
++
++Since there are no CSR path parameters specified, it will not generate the OCSP system and admin keys.
++
++Generating OCSP Keys, CSRs, and Certificates
++--------------------------------------------
++
++Generate custom OCSP system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example:
++* ocsp_signing.csr
++* subsystem.csr
++* sslserver.csr
++* ocsp_audit_signing.csr
++* ocsp_admin.csr
++
++Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example:
++* ocsp_signing.crt
++* subsystem.crt
++* sslserver.crt
++* ocsp_audit_signing.crt
++* ocsp_admin.crt
++
++The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format.
++
++Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the OCSP system and admin certificates.
++
++See also:
++* [Generating OCSP Signing Certificate](http://www.dogtagpki.org/wiki/Generating_OCSP_Signing_Certificate)
++* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate)
++* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate)
++* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate)
++* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate)
++
++Finishing OCSP Subsystem Installation
++-------------------------------------
++
++Prepare another file (e.g. ocsp-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ocsp-step1.cfg) with additional changes below.
++
++Specify step 2 with the following parameter:
++
++```
++pki_external_step_two=True
++```
++
++Specify the custom CSRs with the following parameters:
++
++```
++pki_ocsp_signing_csr_path=ocsp_signing.csr
++pki_subsystem_csr_path=subsystem.csr
++pki_sslserver_csr_path=sslserver.csr
++pki_audit_signing_csr_path=ocsp_audit_signing.csr
++pki_admin_csr_path=ocsp_admin.csr
++```
++
++Specify the custom certificates with the following parameters:
++
++```
++pki_ocsp_signing_cert_path=ocsp_signing.crt
++pki_subsystem_cert_path=subsystem.crt
++pki_sslserver_cert_path=sslserver.crt
++pki_audit_signing_cert_path=ocsp_audit_signing.crt
++pki_admin_cert_path=ocsp_admin.crt
++```
++
++Specify the external CA certificate chain with the following parameters:
++
++```
++pki_cert_chain_nickname=ca_signing
++pki_cert_chain_path=ca_signing.crt
++```
++
++Finally, execute the following command:
++
++```
++$ pkispawn -f ocsp-step2.cfg -s OCSP
++```
++
++Verifying System Certificates
++-----------------------------
++
++Verify that the server NSS database contains the following certificates:
++
++```
++$ certutil -L -d /etc/pki/pki-tomcat/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++ca_signing CT,C,C
++ocsp_signing CTu,Cu,Cu
++subsystem u,u,u
++ocsp_audit_signing u,u,Pu
++sslserver u,u,u
++```
++
++Verifying Admin Certificate
++---------------------------
++
++Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
++
++```
++$ pki -c Secret.123 client-init
++```
++
++Import the external CA certificate chain:
++
++```
++$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt
++```
++
++Import the admin key and certificate:
++
++```
++$ pki -c Secret.123 client-cert-import \
++ --pkcs12 ~/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
++```
++
++Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command:
++
++```
++$ pki -c Secret.123 -n ocspadmin ocsp-user-show ocspadmin
++----------------
++User "ocspadmin"
++----------------
++ User ID: ocspadmin
++ Full name: ocspadmin
++ Email: ocspadmin@example.com
++ Type: adminType
++ State: 1
++```
+-- 
+1.8.3.1
+
+
+From 253f16813de60b1951b769a437c92322e36647bf Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Fri, 9 Nov 2018 11:06:57 -0800
+Subject: [PATCH 13/13] bug 1653863 tools supporting CMC requests output keyID
+ needs to be captured in file
+
+This patch adds code in both CRMFPopClient and PKCS10Client to automatically
+write the private key id into a file named .keyId so that
+they can be featched later for CMCRequest
+is the name of the file specified with the "-o" option.
+
+This patch also changed all references from "CMC self-test" to
+"CMC shared secret" instead.
+
+A test feature is also added to CMCRequest.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1655951
+
+Change-Id: Iaf2772be54f9937da456655cdec688f13f6e8b71
+(cherry picked from commit cb99e112b9421f6fe98b4ac5ab5885c28ee958c3)
+---
+ base/ca/shared/conf/CS.cfg | 10 +-
+ base/ca/shared/conf/registry.cfg | 8 +-
+ .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 82 --------
+ .../profiles/ca/caECFullCMCSharedTokenCert.cfg | 82 ++++++++
+ .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 82 --------
+ .../profiles/ca/caFullCMCSharedTokenCert.cfg | 82 ++++++++
+ base/java-tools/man/man1/CMCRequest.1 | 22 +-
+ base/java-tools/man/man1/PKCS10Client.1 | 3 +-
+ .../src/com/netscape/cmstools/CMCRequest.java | 227 ++++++++++++++++-----
+ .../src/com/netscape/cmstools/CRMFPopClient.java | 22 +-
+ .../src/com/netscape/cmstools/PKCS10Client.java | 24 ++-
+ .../CMCSelfSignedSubjectNameConstraint.java | 129 ------------
+ .../CMCSharedTokenSubjectNameConstraint.java | 130 ++++++++++++
+ 13 files changed, 526 insertions(+), 377 deletions(-)
+ delete mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+ delete mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
+ delete mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 4cef240..29d4fd4 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
+ oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+ os.userid=nobody
+-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
++profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+ profile.caUUIDdeviceCert.class_id=caEnrollImpl
+ profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
+ profile.caManualRenewal.class_id=caEnrollImpl
+@@ -1050,10 +1050,10 @@ profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
+ profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
+ profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl
+ profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg
+-profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
+-profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
+-profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl
+-profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg
++profile.caFullCMCSharedTokenCert.class_id=caEnrollImpl
++profile.caFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSharedTokenCert.cfg
++profile.caECFullCMCSharedTokenCert.class_id=caEnrollImpl
++profile.caECFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSharedTokenCert.cfg
+ profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+ profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
+ profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 4fe6e93..a78af86 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
+@@ -1,5 +1,5 @@
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -36,9 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
+ constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
+ constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
+ constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSharedTokenSubjectNameConstraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.desc=CMC Shared Token request User Subject Name Constraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.name=CMC Shared Token request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+deleted file mode 100644
+index b3cc471..0000000
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ /dev/null
+@@ -1,82 +0,0 @@
+-desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+-enable=false
+-enableBy=admin
+-name=Self-Signed CMC User Certificate Enrollment
+-visible=false
+-auth.instance_id=CMCUserSignedAuth
+-input.list=i1
+-input.i1.class_id=cmcCertReqInputImpl
+-output.list=o1
+-output.o1.class_id=certOutputImpl
+-policyset.list=cmcUserCertSet
+-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
+-policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+-policyset.cmcUserCertSet.1.default.name=Subject Name Default
+-policyset.cmcUserCertSet.1.default.params.name=
+-policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+-policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+-policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.range=365
+-policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+-policyset.cmcUserCertSet.2.default.name=Validity Default
+-policyset.cmcUserCertSet.2.default.params.range=180
+-policyset.cmcUserCertSet.2.default.params.startTime=0
+-policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+-policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+-policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+-policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+-policyset.cmcUserCertSet.3.default.name=Key Default
+-policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.4.constraint.name=No Constraint
+-policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+-policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+-policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.5.constraint.name=No Constraint
+-policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+-policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+-policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+-policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.6.default.name=Key Usage Default
+-policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+-policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+-policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+-policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+-policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+-policyset.cmcUserCertSet.8.default.name=Signing Alg
+-policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+new file mode 100644
+index 0000000..ffdccb1
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+@@ -0,0 +1,82 @@
++desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC Shared Token certificate request
++enable=false
++enableBy=admin
++name=CMC Shared Token User Certificate Enrollment
++visible=false
++auth.instance_id=CMCUserSignedAuth
++input.list=i1
++input.i1.class_id=cmcCertReqInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=EC
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+deleted file mode 100644
+index 538b16a..0000000
+--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
++++ /dev/null
+@@ -1,82 +0,0 @@
+-desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
+-enable=false
+-enableBy=admin
+-name=Self-Signed CMC User Certificate Enrollment
+-visible=false
+-auth.instance_id=CMCUserSignedAuth
+-input.list=i1
+-input.i1.class_id=cmcCertReqInputImpl
+-output.list=o1
+-output.o1.class_id=certOutputImpl
+-policyset.list=cmcUserCertSet
+-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
+-policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+-policyset.cmcUserCertSet.1.default.name=Subject Name Default
+-policyset.cmcUserCertSet.1.default.params.name=
+-policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+-policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+-policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.range=365
+-policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+-policyset.cmcUserCertSet.2.default.name=Validity Default
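Review bot: In the new caECFullCMCSharedTokenCert.cfg, `policyset.cmcUserCertSet.8.constraint.name=No Constraint` labels the entry whose class_id is `signingAlgConstraintImpl`, so the display name contradicts the constraint the profile actually enforces on the request; registry.cfg in this same patch names that class `Signing Algorithm Constraint`, so `policyset.cmcUserCertSet.8.constraint.name=Signing Algorithm Constraint` would match it. The label appears to have been carried over unchanged from the deleted caECFullCMCSelfSignedCert.cfg, and the deleted RSA profile carries the same line, so the new caFullCMCSharedTokenCert.cfg (whose hunk runs past this chunk) presumably needs the same correction. Since the new profile otherwise seems to differ from its self-signed predecessor only in desc, name and the subject-name constraint id, it is also worth confirming that `auth.instance_id=CMCUserSignedAuth` is the intended authentication instance for a shared-token request rather than another inherited value.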
+-policyset.cmcUserCertSet.2.default.params.range=180
+-policyset.cmcUserCertSet.2.default.params.startTime=0
+-policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+-policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+-policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+-policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+-policyset.cmcUserCertSet.3.default.name=Key Default
+-policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.4.constraint.name=No Constraint
+-policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+-policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+-policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.5.constraint.name=No Constraint
+-policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+-policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+-policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+-policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true +-policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false +-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false +-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false +-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true +-policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl +-policyset.cmcUserCertSet.6.default.name=Key Usage Default +-policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true +-policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false +-policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true +-policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false +-policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false +-policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false +-policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true +-policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl +-policyset.cmcUserCertSet.7.constraint.name=No Constraint +-policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +-policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default +-policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false +-policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 +-policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl +-policyset.cmcUserCertSet.8.constraint.name=No Constraint 
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +-policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl +-policyset.cmcUserCertSet.8.default.name=Signing Alg +-policyset.cmcUserCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg +new file mode 100644 +index 0000000..5ef8004 +--- /dev/null ++++ b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg +@@ -0,0 +1,82 @@ ++desc=This certificate profile is for enrolling user certificates by using the CMC Shared Token certificate request ++enable=false ++enableBy=admin ++name=CMC Shared Token User Certificate Enrollment ++visible=false ++auth.instance_id=CMCUserSignedAuth ++input.list=i1 ++input.i1.class_id=cmcCertReqInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=cmcUserCertSet ++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 ++policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint ++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.name=Subject Name Default ++policyset.cmcUserCertSet.1.default.params.name= ++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint ++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false ++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false ++policyset.cmcUserCertSet.2.constraint.params.range=365 ++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl ++policyset.cmcUserCertSet.2.default.name=Validity Default ++policyset.cmcUserCertSet.2.default.params.range=180 ++policyset.cmcUserCertSet.2.default.params.startTime=0 
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.cmcUserCertSet.3.constraint.name=Key Constraint ++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA ++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.cmcUserCertSet.3.default.name=Key Default ++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.4.constraint.name=No Constraint ++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default ++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.5.constraint.name=No Constraint ++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.cmcUserCertSet.5.default.name=AIA Extension Default ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= ++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false ++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false 
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.cmcUserCertSet.6.default.name=Key Usage Default ++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true ++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl ++policyset.cmcUserCertSet.7.constraint.name=No Constraint ++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false ++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 ++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.cmcUserCertSet.8.constraint.name=No Constraint ++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.cmcUserCertSet.8.default.name=Signing Alg 
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1
+index 8c67fc0..18f5e50 100644
+--- a/base/java-tools/man/man1/CMCRequest.1
++++ b/base/java-tools/man/man1/CMCRequest.1
+@@ -63,7 +63,7 @@ name of crypto token where user signing certificate key can be found (default is
+ .B nickname
+ The nickname of the user certificate that corresponds to the private key that is used to sign the request.
+ 
+-This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true.
++This parameter is ignored if \fBuseSharedSecret\fP or \fBidentityProofV2.enable\fP is true.
+ 
+ .TP
+ .B password
+@@ -114,27 +114,27 @@ Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP
+ Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP
+ 
+ .TP
+-.B request.selfSign
+-\fBtrue\fP or \fBfalse\fP. If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored.
++.B request.useSharedSecret
++\fBtrue\fP or \fBfalse\fP. If \fBuseSharedSecret\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored.
+ 
+-\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means.
++\fBrequest.useSharedSecret\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means.
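Review bot: The key constraint of the new Shared Token profile still admits 1024-bit RSA keys (`policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096`), which is below the 2048-bit floor most current CA policies require. The list is identical to the one in the deleted self-signed profile, so it looks inherited rather than deliberately chosen; unless legacy 1024-bit enrollments are a stated requirement, `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096` would be the safer default. The profile ships with `enable=false`, so this only takes effect once an administrator enables it, which is exactly when nobody re-reads the key sizes.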
+ 
+-In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism.
++In Dogtag, if \fBrequest.useSharedSecret\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism.
+ 
+-The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation.
++The \fBrequest.useSharedSecret\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation.
+ 
+-By default, if unspecified, \fBselfSign\fP is false.
++By default, if unspecified, \fBrequest.useSharedSecret\fP is false.
+ 
+-\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option)
++\fBNote\fP: to employ the \fBrequest.useSharedSecret\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option)
+ 
+-If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified.
++If \fBrequest.useSharedSecret\fP is true, \fBrequest.privKeyId\fP must be specified.
+ It is crutial that the caller that employs this option has access to the private key of the certificate request.
+ 
+ .TP
+ .B request.privKeyId
+ The \fBrequest.privKeyId\fP parameter is required in the following cases:
+ 
+-\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP
++\fBrequest.useSharedSecret\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP
+ 
+ .TP
+ .B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile
+@@ -149,7 +149,7 @@ When preparing for the second trip, the following parameters must be present:
+ 
+ \fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key.
+ 
+-Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing.
++Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBrequest.useSharedSecret\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing.
+ 
+ .TP
+ .B revRequest.[enable, serial, reason, comment, issuer, sharedSecret]
+diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1
+index e85c833..122680c 100644
+--- a/base/java-tools/man/man1/PKCS10Client.1
++++ b/base/java-tools/man/man1/PKCS10Client.1
+@@ -84,7 +84,8 @@ Gives the subject DN of the certificate.
+ .B -x
+ 
+ .TP
+-.B -y
++.B -y
++To be used with "request.useSharedSecret=true" when running CMCRequest.
+ 
+ .SH AUTHORS
+ Amol Kahat .
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 4e40143..1070a93 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -268,13 +268,19 @@ public class CMCRequest { + } + + /* +- * signData self-signs the PKIData using the private key that matches +- * the public key in the request ++ * signData self-signs (for Shared Token) the PKIData using the private key ++ * that matches the public key in the request + */ + static SignedData signData( + java.security.PrivateKey privKey, + PKIData pkidata) { +- String method = "signData for selfSign: "; ++ return signData(privKey, pkidata, null); ++ } ++ static SignedData signData( ++ java.security.PrivateKey privKey, ++ PKIData pkidata, ++ SignerIdentifier test_cmc_si /*for TEST_CMC use_shared_secret case only*/) { ++ String method = "signData for useSharedSecret begins: "; + System.out.println(method + "begins: "); + SignedData req = null; + +@@ -286,10 +292,15 @@ public class CMCRequest { + + KeyIdentifier keyIdObj = null; + try { +- keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); +- SignerIdentifier si = new SignerIdentifier( ++ SignerIdentifier si = null; ++ if (test_cmc_si == null) { ++ keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); ++ si = new SignerIdentifier( + SignerIdentifier.SUBJECT_KEY_IDENTIFIER, + null, new OCTET_STRING(keyIdObj.getIdentifier())); ++ } else //TEST_CMC use_shared_secret case ++ si = test_cmc_si; ++ + req = createSignedData(privKey, si, null /*certChain*/, pkidata); + } catch (Exception e) { + e.printStackTrace(); +@@ -430,7 +441,7 @@ public class CMCRequest { + * @return request in PKIData + */ + static PKIData createPKIData( +- String selfSign, ++ String useSharedSecret, + String[] rValue, String format, String transactionMgtEnable, + String transactionMgtId, + 
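Review bot: The trace line in the new three-argument `signData` prints "begins:" twice, because `method` is initialised to `"signData for useSharedSecret begins: "` and the next statement, `System.out.println(method + "begins: ");`, appends it again. Dropping the suffix from the prefix, `String method = "signData for useSharedSecret: ";`, keeps the output consistent with the other `method + ...` traces in this file. The one-argument overload that delegates with `null` is fine, but a short comment on the new parameter, `/* null = derive the SignerIdentifier from the request's SubjectKeyIdentifier; non-null only for TEST_CMC re-signing */`, would spare readers a trip to processResignCMC to learn what `test_cmc_si` is. The body of signData continues past the end of the hunk.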
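Review bot: The TEST_CMC branch is an `else` without braces carrying a trailing comment, so `si = test_cmc_si;` on the following line reads as if it sat outside the conditional; bracing both halves, `} else { // TEST_CMC use_shared_secret case` / `si = test_cmc_si;` / `}`, matches the style of the `if` half and keeps the next edit from slipping a second statement outside the branch. `keyIdObj` is now assigned only inside the `if`, so its declaration before the `try` can move into that branch. When `test_cmc_si` is supplied the SubjectKeyIdentifier taken from the request is bypassed entirely, which is the point for negative tests, but a comment saying that the supplied identifier is used unverified would stop anyone from reusing this path for production re-signing.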
String identificationEnable, String identification, +@@ -495,16 +506,16 @@ public class CMCRequest { + + CertRequest certReq = certReqMsg.getCertReq(); + CertTemplate certTemplate = certReq.getCertTemplate(); +- if (selfSign.equals("true")) { ++ if (useSharedSecret.equals("true")) { + skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate( + certTemplate, + PKIXExtensions.SubjectKey_Id); + if (skiExtn != null) { + System.out.println(method + +- " SubjectKeyIdentifier extension found in self-signed request"); ++ " SubjectKeyIdentifier extension found in self-signed Shared Token request"); + } else { + System.out.println(method + +- " SubjectKeyIdentifier extension missing in self-signed request"); ++ " SubjectKeyIdentifier extension missing in self-signed Shared Token request"); + System.exit(1); + } + } +@@ -569,7 +580,7 @@ public class CMCRequest { + System.exit(1); + } + +- if (selfSign.equals("true")) { ++ if (useSharedSecret.equals("true")) { + try { + skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10( + pkcs, "SubjectKeyIdentifier"); +@@ -798,13 +809,13 @@ public class CMCRequest { + System.out.println("#nickname: nickname for user certificate which will be used"); + System.out.println("#to sign the CMC full request (enrollment or revocation)."); + System.out.println(""); +- System.out.println("#selfSign: if selfSign is true, the CMC request will be"); ++ System.out.println("#request.useSharedSecret: if request.useSharedSecret is true, the CMC request will be"); + System.out.println("#signed with the pairing private key of the enrollment request;"); + System.out.println("#and in which case the nickname will be ignored"); + System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored."); + System.out.println("nickname=CMS User Signing Certificate"); + System.out.println(""); +- System.out.println("selfSign=false"); ++ System.out.println("request.useSharedSecret=false"); + 
System.out.println(""); + System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); + System.out.println("dbdir=./"); +@@ -1219,7 +1230,7 @@ public class CMCRequest { + * Constructing OtherMsg to include the SignerInfo makes no sense here + * as the outer layer SignedData would have SignerInfo. + * It is possibly done because the original code assumed a self-signed +- * revocation request that is subsequently signed by an agent... ++ * Shared Token revocation request that is subsequently signed by an agent... + * which is not conforming to the RFC. + + EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( +@@ -1881,6 +1892,7 @@ public class CMCRequest { + HMACDigest hmacDigest = new HMACDigest(SHA2Digest, challenge); + hmacDigest.update(ASN1Util.encode(request)); + popProofValue = hmacDigest.digest(); ++ System.out.println(method + "popProofValue length = " + popProofValue.length); + } catch (Exception ex) { + CryptoUtil.obscureBytes(challenge, "random"); + System.out.println(method + "calculating POP Proof Value failed: " + ex); +@@ -1926,6 +1938,137 @@ public class CMCRequest { + return pkidata; + } + ++ static void outputContentInfo(ContentInfo cmcblob, String ofilename) { ++ try (FileOutputStream os = new FileOutputStream(ofilename)){ ++ cmcblob.encode(os); ++ System.out.println(""); ++ System.out.println(""); ++ System.out.println("The CMC enrollment request in binary format is stored in " + ++ ofilename); ++ } catch (IOException e) { ++ System.out.println("CMCRequest: unable to open file " + ofilename + ++ " for writing:\n" + e); ++ } ++ } ++ ++ ++ /* ++ * processResignCMC ++ * ++ * This is for testing only, for the purpose of producing ++ * negative tests consisted of deliberate alteration of ++ * CMC controls to see how CA reacts to these variations. 
++ * ++ * It takes in a blob of the format cmc (with altered fields): ++ * format=test_cmc ++ * which is the same as output format from CMCRequest, ++ * and re-signs it with either signerCert or privKeyID ++ * and spits out to output ++ * Note: if signerCert is not null, then privKeyID is ignored ++ * ++ * @author cfu ++ */ ++ static void processResignCMC(String ifilename, String ofilename, X509Certificate signerCert, String privKeyId, String tokenName, String nickname, CryptoManager cm) { ++ try { ++ if (ifilename == null || ifilename.equals("")) { ++ System.out.println("TEST_CMC: param input needed for test_cmc"); ++ System.exit(1); ++ } ++ if (ofilename == null || ofilename.equals("")) { ++ System.out.println("TEST_CMC: param output needed for test_cmc"); ++ System.exit(1); ++ } ++ ++ PrivateKey privk = null; ++ if (signerCert == null) { ++ if (privKeyId == null) { ++ System.out.println("TEST_CMC: signerCert not supplied, need privKeyId to re-sign."); ++ System.exit(1); ++ } else { ++ System.out.println("TEST_CMC: got re-signing privKeyId: " + privKeyId); ++ ++ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyId); ++ ++ privk = CryptoUtil.findPrivateKeyFromID(keyIDb); ++ ++ if (privk != null) { ++ System.out.println("TEST_CMC: got private key"); ++ } else { ++ System.out.println("TEST_CMC: error getting private key null"); ++ System.exit(1); ++ } ++ } ++ } ++ ++ FileInputStream inputBlob = null; ++ FileOutputStream outputBlob = null; ++ try { ++ inputBlob = new FileInputStream(ifilename); ++ } catch (FileNotFoundException e) { ++ System.out.println("can''t find file " + ++ ifilename + e); ++ System.exit(1); ++ } ++ ++ byte data[] = new byte[inputBlob.available()]; ++ inputBlob.read(data); ++ System.out.println("TEST_CMC: input read"); ++ ContentInfo.Template ci_template = new ContentInfo.Template(); ++ ContentInfo ci = ++ (ContentInfo) ci_template.decode(new ByteArrayInputStream(data)); ++ if (ci != null) ++ System.out.println("TEST_CMC: ContentInfo template 
decoded"); ++ ++ SignedData signedData = (SignedData) ci.getInterpretedContent(); ++ if (signedData != null) ++ System.out.println("TEST_CMC: SignedData retrieved"); ++ ++ EncapsulatedContentInfo eci = signedData.getContentInfo(); ++ if (eci != null) ++ System.out.println("TEST_CMC: EncapsulatedContentInfo retrieved"); ++ OCTET_STRING os = eci.getContent(); //this is the orig data ++ if (os != null) ++ System.out.println("TEST_CMC: orig data retrieved"); ++ byte origData [] = os.toByteArray(); ++ PKIData.Template pkidata_template = new PKIData.Template(); ++ PKIData pkidata = ++ (PKIData) pkidata_template.decode(new ByteArrayInputStream(origData)); ++ if (pkidata != null) ++ System.out.println("TEST_CMC: PKIData decoded"); ++ ++ // now re-sign ++ SignedData newSignedData = null; ++ if (signerCert != null) { ++ System.out.println("TEST_CMC: re-signing using signer cert:" + ++ nickname); ++ newSignedData = signData(signerCert, tokenName, nickname, cm, pkidata); ++ } else { // self-signed Shared Token request ++ System.out.println("TEST_CMC: re-signing using private key: " + ++ privKeyId); ++ SET signInfos = signedData.getSignerInfos(); ++ SignerInfo si = (SignerInfo) (ASN1Util.decode(SignerInfo.getTemplate(), ASN1Util.encode(signInfos.elementAt(0)))); ++ newSignedData = signData(privk, pkidata, si.getSignerIdentifier()); ++ } ++ ++ if (newSignedData == null) { ++ System.out.println("TEST_CMC: PKIData signing returned null"); ++ System.exit(1); ++ } ++ System.out.println("TEST_CMC: PKIData signed"); ++ ContentInfo cmcblob = getCMCBlob(newSignedData, null); ++ if (cmcblob == null) { ++ System.out.println("TEST_CMC: getCMCBlob returned null"); ++ System.exit(1); ++ } ++ ++ outputContentInfo(cmcblob, ofilename); ++ System.out.println("TEST_CMC: completed"); ++ } catch (Exception ex) { ++ System.out.println("TEST_CMC: exception caught: " + ex); ++ System.exit(1); ++ } ++ } ++ + public static void main(String[] s) { + String numRequests = null; + String dbdir = null, 
nickname = null; +@@ -1948,7 +2091,7 @@ public class CMCRequest { + String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; + String popLinkWitnessEnable = "false"; + String bodyPartIDs = null, lraPopWitnessEnable = "false"; +- String selfSign = "false"; ++ String useSharedSecret = "false"; + + System.out.println(""); + +@@ -2009,8 +2152,9 @@ public class CMCRequest { + decryptedPopEnable = val; + } else if (name.equals("encryptedPopResponseFile")) { + encryptedPopResponseFile = val; +- } else if (name.equals("request.selfSign")) { +- selfSign = val; ++ } else if (name.equals("request.useSharedSecret") || ++ name.equals("request.selfSign")) { ++ useSharedSecret = val; + } else if (name.equals("request.privKeyId")) { + privKeyId = val; + } else if (name.equals("decryptedPopRequestFile")) { +@@ -2095,12 +2239,13 @@ public class CMCRequest { + printUsage(); + } + +- if ((!selfSign.equals("true") && (revRequestSharedSecret == null)) ++ if ((!useSharedSecret.equals("true") && (revRequestSharedSecret == null)) + && nickname == null) { + System.out.println("Missing nickname."); + printUsage(); + } + ++ + try { + // initialize CryptoManager + if (dbdir == null) +@@ -2142,7 +2287,7 @@ public class CMCRequest { + certname.append(tokenName); + certname.append(":"); + } +- if ((!selfSign.equals("true") || (revRequestSharedSecret == null)) ++ if ((!useSharedSecret.equals("true") || (revRequestSharedSecret == null)) + && nickname != null) { + certname.append(nickname); + signerCert = cm.findCertByNickname(certname.toString()); +@@ -2151,14 +2296,22 @@ public class CMCRequest { + } + } + ++ // TEST_CMC ++ if (format.equals("test_cmc")) { ++ System.out.println("TEST_CMC: request format is test_cmc; re-signing the request"); ++ processResignCMC(ifilename, ofilename, signerCert, privKeyId, ++ tokenName, nickname, cm); ++ System.exit(0); ++ } ++ + ContentInfo cmcblob = null; + PKIData pkidata = null; + PrivateKey privk = null; 
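Review bot: The input blob in processResignCMC is read with `byte data[] = new byte[inputBlob.available()]` and a single `inputBlob.read(data)`, which is not a reliable way to read a whole file: `available()` is only an estimate and `read()` may return fewer bytes, leaving a truncated or zero-padded DER buffer that then fails to decode with a misleading error; the stream is also never closed and `outputBlob` is declared but never used. Reading the file with `Files.readAllBytes` (which needs `java.nio.file.Files` and `java.nio.file.Paths` imports) fixes all three. Further down, `signInfos.elementAt(0)` is called without checking that the decoded SignedData carries any SignerInfo, so a malformed test input produces an index exception instead of the TEST_CMC diagnostic the rest of the method prints. The message `"can''t find file "` also has a doubled apostrophe.
```java
// … unchanged: argument checks and private-key lookup …
byte[] data;
try {
    data = Files.readAllBytes(Paths.get(ifilename)); // whole file, independent of what available() reports
} catch (IOException e) {
    System.out.println("TEST_CMC: can't read file " + ifilename + ": " + e);
    System.exit(1);
    return;
}
System.out.println("TEST_CMC: input read");
// … unchanged: ContentInfo / SignedData / PKIData decoding, signerCert re-signing branch …
SET signInfos = signedData.getSignerInfos();
if (signInfos == null || signInfos.size() == 0) {
    System.out.println("TEST_CMC: input carries no SignerInfo to take the SignerIdentifier from");
    System.exit(1);
}
SignerInfo si = (SignerInfo) (ASN1Util.decode(SignerInfo.getTemplate(), ASN1Util.encode(signInfos.elementAt(0))));
// … unchanged: signData(privk, pkidata, si.getSignerIdentifier()), getCMCBlob, outputContentInfo …
```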
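Review bot: The old `request.selfSign` key is kept as a silent alias for `request.useSharedSecret`, while the man page and the `printUsage` text in this same patch now mention only the new name. A one-line notice in the alias case, `System.out.println("request.selfSign is deprecated; use request.useSharedSecret");`, tells users with existing config files why their setting still works and that they should migrate, and a comment above the `||` stating that the alias is kept for backward compatibility stops a later cleanup from dropping it by accident. The option-parsing loop this branch belongs to starts and ends outside the hunk.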
+- if (selfSign.equalsIgnoreCase("true") || ++ if (useSharedSecret.equalsIgnoreCase("true") || + decryptedPopEnable.equalsIgnoreCase("true") || + popLinkWitnessV2Enable.equalsIgnoreCase("true")) { + if (privKeyId == null) { +- System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); ++ System.out.println("useSharedSecret or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); + printUsage(); + } else { + System.out.println("got request privKeyId: " + privKeyId); +@@ -2353,7 +2506,7 @@ public class CMCRequest { + + // create the request PKIData + pkidata = createPKIData( +- selfSign, ++ useSharedSecret, + requests, + format, transactionMgtEnable, transactionMgtId, + identificationEnable, identification, +@@ -2381,13 +2534,13 @@ public class CMCRequest { + SignedData signedData = null; + + // sign the request +- if (selfSign.equalsIgnoreCase("true")) { +- // selfSign signs with private key +- System.out.println("selfSign is true..."); ++ if (useSharedSecret.equalsIgnoreCase("true")) { ++ // useSharedSecret signs with private key ++ System.out.println("useSharedSecret is true..."); + signedData = signData(privk, pkidata); + } else { +- // none selfSign signs with existing cert +- System.out.println("selfSign is false..."); ++ // none useSharedSecret signs with existing cert ++ System.out.println("useSharedSecret is false..."); + signedData = signData(signerCert, tokenName, nickname, cm, pkidata); + } + if (signedData == null) { +@@ -2404,27 +2557,7 @@ public class CMCRequest { + + // (6) Finally, print the actual CMC blob to the + // specified output file +- FileOutputStream os = null; +- try { +- os = new FileOutputStream(ofilename); +- cmcblob.encode(os); +- System.out.println(""); +- System.out.println(""); +- System.out.println("The CMC enrollment request in binary format is stored in " + +- ofilename); +- } catch (IOException e) { +- System.out.println("CMCRequest: unable to open file " + 
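Review bot: The test-only re-signing mode is selected through the same `format` config key as the regular request formats (`if (format.equals("test_cmc"))`), so it is reachable in the shipped CMCRequest tool although neither the `printUsage` hunk in this patch nor the man page changes mention it. If it is meant to stay, the usage text should list `test_cmc` next to the other `format` values and say that `input` must then be an existing CMC blob and that only `nickname` or `request.privKeyId` are honoured; if it is not meant for users, a comment at the call site, `// TEST_CMC: negative-test hook, not a supported request format`, would at least make the intent visible. `format` is compared with `equals` while the boolean options a few lines below use `equalsIgnoreCase`; presumably `format` is required and non-null by this point, but that is established outside the hunk.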
ofilename + +- " for writing:\n" + e); +- } +- +- try { +- os.close(); +- } catch (IOException e) { +- System.out.println("CMCRequest: Unexpected error " + +- "encountered while attempting to close() " + +- "\n" + e); +- } +- ++ outputContentInfo(cmcblob, ofilename); + } catch (Exception e) { + e.printStackTrace(); + System.exit(1); +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 747b7d6..dd7a264 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -190,7 +190,7 @@ public class CRMFPopClient { + option.setArgName("keywrap algorithm"); + options.addOption(option); + +- options.addOption("y", false, "for Self-signed cmc."); ++ options.addOption("y", false, "for cmc SharedSecret requests."); + + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "help", false, "Show help message."); +@@ -210,7 +210,7 @@ public class CRMFPopClient { + System.out.println(" -k Attribute value encoding in subject DN (default: false)"); + System.out.println(" - true: enabled"); + System.out.println(" - false: disabled"); +- System.out.println(" -y Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)"); ++ System.out.println(" -y Add SubjectKeyIdentifier extension in case of CMC SharedSecret requests (default: false); To be used with 'request.useSharedSecret=true' when running CMCRequest."); + System.out.println(" - true: enabled"); + System.out.println(" - false: disabled"); + System.out.println(" -a Key algorithm (default: rsa)"); +@@ -320,7 +320,7 @@ public class CRMFPopClient { + int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); + int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + +- boolean self_sign = cmd.hasOption("y"); ++ boolean use_shared_secret = cmd.hasOption("y"); + + // get the 
keywrap algorithm + KeyWrapAlgorithm keyWrapAlgorithm = null; +@@ -335,6 +335,7 @@ public class CRMFPopClient { + } + + String output = cmd.getOptionValue("o"); ++ String output_kid = output + ".keyId"; + + String hostPort = cmd.getOptionValue("m"); + String username = cmd.getOptionValue("u"); +@@ -507,7 +508,7 @@ public class CRMFPopClient { + + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( +- self_sign, ++ use_shared_secret, + token, transportCert, algorithm, keyPair, + subject, keyWrapAlgorithm); + +@@ -558,11 +559,16 @@ public class CRMFPopClient { + requestor); + + } else if (output != null) { +- System.out.println("Storing CRMF requrest into " + output); ++ System.out.println("Storing CRMF request into " + output); + try (FileWriter out = new FileWriter(output)) { + out.write(csr); + } + ++ System.out.println("Storing CRMF request key id into " + output_kid); ++ try (FileWriter out_kid = new FileWriter(output_kid)) { ++ out_kid.write(kid); ++ } ++ + } else { + System.out.println(csr); + } +@@ -655,7 +661,7 @@ public class CRMFPopClient { + } + + public CertRequest createCertRequest( +- boolean self_sign, ++ boolean use_shared_secret, + CryptoToken token, + X509Certificate transportCert, + String algorithm, +@@ -701,8 +707,8 @@ public class CRMFPopClient { + seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); + */ + +- if (self_sign) { // per rfc 5272 +- System.out.println("CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension."); ++ if (use_shared_secret) { // per rfc 5272 ++ System.out.println("CRMFPopClient: use_shared_secret true. 
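Review bot: `String output_kid = output + ".keyId";` is evaluated unconditionally, so when `-o` is absent and `output` is null it becomes the literal `"null.keyId"`; the value is only read inside the `output != null` branch further down, so nothing breaks today, but the derivation belongs next to its use, i.e. move `String output_kid = output + ".keyId";` into that `else if (output != null)` block. That also keeps a future reader from assuming the sidecar path is always valid.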
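Review bot: The `.keyId` sidecar is written with no way to opt out and without the `-o` help text saying it exists: a user who passes `-o req.csr` now also gets `req.csr.keyId`, and any existing file of that name is overwritten without notice. Please extend the `-o` description in the usage output (outside this hunk) to say that the request key id is also stored in `<output>.keyId`, or fold it into the `-y` help text this patch already edits. `kid` comes from earlier in main, outside the hunk; it appears to be an NSS key identifier rather than key material, so a plain `FileWriter` with default permissions looks acceptable, but that is worth confirming since CMCRequest feeds the value back in as `request.privKeyId` to locate the private key.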
Generating SubjectKeyIdentifier extension."); + KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair); + OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); + SEQUENCE extns = new SEQUENCE(); +diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +index 9f39430..137049e 100644 +--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java ++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +@@ -18,6 +18,7 @@ + package com.netscape.cmstools; + + import java.io.FileOutputStream; ++import java.io.FileWriter; + import java.io.IOException; + import java.io.PrintStream; + import java.security.KeyPair; +@@ -84,11 +85,11 @@ public class PKCS10Client { + System.out.println( + " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); + System.out.println( +- "In addition: -y \n"); ++ "In addition: -y To be used with 'request.useSharedSecret=true' when running CMCRequest.\n"); + } + + public static void main(String args[]) throws Exception { +- String dbdir = null, ofilename = null, password = null, subjectName = null, tokenName = null; ++ String dbdir = null, ofilename = null, kid_ofilename = 
null, password = null, subjectName = null, tokenName = null;
+
+ String alg = "rsa";
+ String ecc_curve = "nistp256";
+@@ -99,7 +100,7 @@ public class PKCS10Client {
+ boolean ec_ssl_ecdh = false;
+ int rsa_keylen = 2048;
+
+- boolean self_sign = false;
++ boolean use_shared_secret = false;
+
+ if (args.length < 4) {
+ printUsage();
+@@ -163,6 +164,7 @@ public class PKCS10Client {
+ rsa_keylen = Integer.parseInt(args[i+1]);
+ } else if (name.equals("-o")) {
+ ofilename = args[i+1];
++ kid_ofilename = ofilename + ".keyId";
+ } else if (name.equals("-n")) {
+ subjectName = args[i+1];
+ } else if (name.equals("-h")) {
+@@ -170,9 +172,9 @@ public class PKCS10Client {
+ } else if (name.equals("-y")) {
+ String temp = args[i+1];
+ if (temp.equals("true"))
+- self_sign = true;
++ use_shared_secret = true;
+ else
+- self_sign = false;
++ use_shared_secret = false;
+ } else {
+ System.out.println("Unrecognized argument(" + i + "): " +
+ name);
+@@ -277,8 +279,8 @@ public class PKCS10Client {
+
+
+ Extensions extns = new Extensions();
+- if (self_sign) { // per rfc 5272
+- System.out.println("PKCS10Client: self_sign true. Generating SubjectKeyIdentifier extension.");
++ if (use_shared_secret) { // per rfc 5272
++ System.out.println("PKCS10Client: use_shared_secret true. Generating SubjectKeyIdentifier extension.");
+ KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair);
+ SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false,
+ subjKeyId.getIdentifier());
+@@ -318,7 +320,13 @@ public class PKCS10Client {
+ ps.println(Cert.REQUEST_FOOTER);
+ ps.flush();
+ ps.close();
+- System.out.println("PKCS10Client: done. Request written to file: "+ ofilename);
++ System.out.println("PKCS10Client: done.
Certificate request written into "+ ofilename);
++
++ try (FileWriter out_kid = new FileWriter(kid_ofilename)) {
++ out_kid.write(kid);
++ }
++ System.out.println("PKCS10Client: PKCS#10 request key id written into " + kid_ofilename);
++
+ } catch (Exception e) {
+ System.out.println("PKCS10Client: Exception caught: "+e.toString());
+ System.exit(1);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+deleted file mode 100644
+index d4554ca..0000000
+--- a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
++++ /dev/null
+@@ -1,129 +0,0 @@
+-// --- BEGIN COPYRIGHT BLOCK ---
+-// This program is free software; you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation; version 2 of the License.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License along
+-// with this program; if not, write to the Free Software Foundation, Inc.,
+-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+-//
+-// (C) 2013 Red Hat, Inc.
+-// All rights reserved.
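Review bot: The new `.keyId` write at the end of the `@@ -318,7 +320,13 @@` hunk runs unconditionally, but both `kid` and `kid_ofilename` are assigned outside this hunk (`kid_ofilename` only in the `-o` branch; `kid` presumably only when `-y true` produces the SubjectKeyIdentifier — please confirm). If either is null, `new FileWriter(kid_ofilename)` or `out_kid.write(kid)` throws a NullPointerException that the surrounding `catch (Exception e)` turns into `System.exit(1)`, after the PKCS#10 request was already written, so a successful request is reported as a failure. Gate the block: `if (use_shared_secret && kid != null && kid_ofilename != null) { ... }`. The enclosing `main` begins outside the hunk.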
+-// --- END COPYRIGHT BLOCK --- +-package com.netscape.cms.profile.constraint; +- +-import java.util.Locale; +- +-import com.netscape.certsrv.apps.CMS; +-import com.netscape.certsrv.authentication.IAuthToken; +-import com.netscape.certsrv.authentication.IAuthManager; +-import com.netscape.certsrv.base.IConfigStore; +-import com.netscape.certsrv.profile.EProfileException; +-import com.netscape.certsrv.profile.ERejectException; +-import com.netscape.certsrv.profile.IPolicyDefault; +-import com.netscape.certsrv.profile.IProfile; +-import com.netscape.certsrv.property.IDescriptor; +-import com.netscape.certsrv.request.IRequest; +-import com.netscape.cms.profile.common.EnrollProfile; +-import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; +- +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertInfo; +- +-/** +- * This class implements the user subject name constraint for self-signed cmc requests. +- * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match +- * +- * @author cfu +- * @version $Revision$, $Date$ +- */ +-public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { +- +- public CMCSelfSignedSubjectNameConstraint() { +- } +- +- public void init(IProfile profile, IConfigStore config) +- throws EProfileException { +- super.init(profile, config); +- } +- +- public IDescriptor getConfigDescriptor(Locale locale, String name) { +- return null; +- } +- +- public String getDefaultConfig(String name) { +- return null; +- } +- +- /** +- * Validates the request. The request is not modified +- * during the validation. User encoded subject name +- * is copied into the certificate template. 
+- */ +- public void validate(IRequest request, X509CertInfo info) +- throws ERejectException { +- String method = "CMCSelfSignedSubjectNameConstraint: "; +- String msg = ""; +- +- CertificateSubjectName infoCertSN = null; +- String authTokenSharedTokenSN = null; +- +- try { +- infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); +- if (infoCertSN == null) { +- msg = method + "infoCertSN null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- CMS.debug(method + "validate user subject ="+ +- infoCertSN.toString()); +- X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); +- if (infoCertName == null) { +- msg = method + "infoCertName null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- +- authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); +- if (authTokenSharedTokenSN == null) { +- msg = method + "authTokenSharedTokenSN null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { +- CMS.debug(method + "names matched"); +- } else { +- msg = method + "names do not match; authTokenSharedTokenSN =" + +- authTokenSharedTokenSN; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- +- } catch (Exception e) { +- throw new ERejectException( +- CMS.getUserMessage(getLocale(request), +- "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); +- } +- } +- +- public String getText(Locale locale) { +- return CMS.getUserMessage(locale, +- "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); +- } +- +- public boolean isApplicable(IPolicyDefault def) { +- String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; +- if (def instanceof AuthTokenSubjectNameDefault) { +- CMS.debug(method + "true"); +- return true; +- } +- CMS.debug(method + "false"); +- return false; +- } +-} +diff --git 
a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
+new file mode 100644
+index 0000000..879e1cc
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
+@@ -0,0 +1,130 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2013 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.cms.profile.constraint;
++
++import java.util.Locale;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IPolicyDefault;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.common.EnrollProfile;
++import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
++
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++
++/**
++ * This class implements the user subject name constraint for cmc requests
++ * authenticated by the SharedSecret
++ * The resulting cert should match that of the authenticating DN
++ *
++ * @author cfu
++ * @version $Revision$, $Date$
++ */
++public class CMCSharedTokenSubjectNameConstraint extends EnrollConstraint {
++
++ public CMCSharedTokenSubjectNameConstraint() {
++ }
++
++ public void init(IProfile profile, IConfigStore config)
++ throws EProfileException {
++ super.init(profile, config);
++ }
++
++ public IDescriptor getConfigDescriptor(Locale locale, String name) {
++ return null;
++ }
++
++ public String getDefaultConfig(String name) {
++ return null;
++ }
++
++ /**
++ * Validates the request. The request is not modified
++ * during the validation. User encoded subject name
++ * is copied into the certificate template.
++ */
++ public void validate(IRequest request, X509CertInfo info)
++ throws ERejectException {
++ String method = "CMCSharedTokenSubjectNameConstraint: ";
++ String msg = "";
++
++ CertificateSubjectName infoCertSN = null;
++ String authTokenSharedTokenSN = null;
++
++ try {
++ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
++ if (infoCertSN == null) {
++ msg = method + "infoCertSN null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++ CMS.debug(method + "validate user subject ="+
++ infoCertSN.toString());
++ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
++ if (infoCertName == null) {
++ msg = method + "infoCertName null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++
++ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (authTokenSharedTokenSN == null) {
++ msg = method + "authTokenSharedTokenSN null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
++ CMS.debug(method + "names matched");
++ } else {
++ msg = method + "names do not match; authTokenSharedTokenSN =" +
++ authTokenSharedTokenSN;
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++
++ } catch (Exception e) {
++ throw new ERejectException(
++ CMS.getUserMessage(getLocale(request),
++ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
++ }
++ }
++
++ public String getText(Locale locale) {
++ return CMS.getUserMessage(locale,
++ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
++ }
++
++ public boolean isApplicable(IPolicyDefault def) {
++ String method = "CMCSharedTokenSubjectNameConstraint: isApplicable: ";
++ if (def instanceof AuthTokenSubjectNameDefault) {
++ CMS.debug(method + "true");
++ return true;
++ }
++ CMS.debug(method + "false");
++ return false;
++ }
++}
+--
+1.8.3.1
+
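Review bot: `infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)` in `validate` binds the issued subject to the shared-secret-authenticated identity by comparing DN strings, which is brittle against RDN ordering, whitespace and escaping differences between the request's subject and the stored authenticated value; since a mismatch here is exactly what the constraint exists to catch, compare structurally instead, e.g. `new X500Name(authTokenSharedTokenSN).equals(infoCertName)` (the constructor's IOException is already inside the try; confirm the library's `equals` canonicalises RDNs before relying on it). The rejection also appends the internal exception text, including the authenticated DN, to the user-visible `CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED` reason; keep that detail in `CMS.debug` and pass only the message key to the requester. Three items were carried over from the deleted class unchanged: `getText` still returns `CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT` although the class is now the shared-token constraint, and `IAuthManager` and `EnrollProfile` are imported but never used.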
diff --git a/SOURCES/pki-core-10.5.9-batch-3.0.patch b/SOURCES/pki-core-10.5.9-batch-3.0.patch
new file mode 100644
index 0000000..5ba8682
--- /dev/null
+++ b/SOURCES/pki-core-10.5.9-batch-3.0.patch
@@ -0,0 +1,2863 @@ +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 63cb299..2d5d962 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -911,7 +911,7 @@ log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++PKICertImport \- Used to safely validate and import certificates into the NSS database. ++ ++.SH SYNOPSIS ++.PP ++\fBUsage: PKICertImport -d -i -n -t -u [-h ] [-f ] [-a]\fP ++ ++Validate and import a certificate into the specified NSS database. Verifies signature, trust chain, trust, and usage flags. If a certificate is not valid, it will not be added to the NSS DB or specified hardware token. ++ ++.SH DESCRIPTION ++.PP ++The certificate import utility validates signature, trust chain, trust, and usage flags before importing a certificate into the specified NSS database. This ensures that no certificate is used before its authenticity has been verified. Unlike \fBcertutil\fP, only one invocation is necessary to both validate and import certificates. ++.PP ++See \fBcertutil\fP for more information about the parameters to \fBPKICertImport\fP. ++ ++.SH OPTIONS ++.PP ++\fBPKICertImport\fP parameters: ++.PP ++.TP ++.B --ascii, -a ++The certificate is encoded in ASCII (PEM) format instead of binary format. Optional. ++ ++.TP ++.B --database, -d ++The directory containing the NSS database. This is usually the client's personal directory. Required. ++ ++.TP ++.B --password, -f ++The path to a file containing the password to the NSS database. Optional. ++ ++.TP ++.B --hsm, -h ++Name of the token. By default it takes 'internal'. Optional. ++ ++.TP ++.B --certificate, -i ++Path to the certificate to import. Required. ++ ++.TP ++.B --nickname, -n ++Nickname for the certificate in the NSS DB. Required. ++ ++.TP ++.B --trust, -t ++Trust flags for the certificate. 
See \fBcertutil\fP for more information about the available trust flags. Required. ++ ++.TP ++.B --usage, -u ++Usage to validate the certificate against. See \fBcertutil\fP for more information about available usage flags. Required. ++ ++.SH AUTHORS ++Alexander Scheel . ++ ++.SH COPYRIGHT ++Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 8bfb0fb..f21f305 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -306,7 +306,7 @@ log.instance.SignedAudit._007=## $ pki-server kra-audit-event-enable/disable + * + *
    +- *
  • signed.audit LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN used at audit function shutdown ++ *
  • signed.audit AUDIT_LOG_SHUTDOWN used at audit function shutdown + *
+ */ + public synchronized void shutdown() { +diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties +index ddc278e..64548da 100644 +--- a/base/server/cmsbundle/src/audit-events.properties ++++ b/base/server/cmsbundle/src/audit-events.properties +@@ -8,1286 +8,1758 @@ + # + # Event: + # Description: ++# + # Applicable subsystems: + # Enabled by default: + # Fields: + # - : ++# + # + # Note: In the actual event definition there should be exactly 1 space + # after the # sign. + # + # Common fields: +-# - Outcome: must be "success" or "failure" +-# - SubjectID: must be the UID of the user responsible for the operation +-# "$System$" if system-initiated operation (e.g. log signing) ++# - Outcome: "Success" or "Failure" ++# - SubjectID: The UID of the user responsible for the operation ++# "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing). + # + ######################################################################### +-# Selectable Signed Audit Events ++# Required Audit Events ++# ++# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] ++# Description: This event is used when access session failed to establish. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. ++# - Outcome: Failure ++# - Info: Failure reason. ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure ++# ++# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] ++# Description: This event is used when access session was established successfully. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. 
++# - Outcome: Success ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success ++# ++# Event: ACCESS_SESSION_TERMINATED ++# Description: This event is used when access session was terminated. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. ++# - Info: The TLS Alert received from NSS ++# - Outcome: Success ++# - Info: The TLS Alert received from NSS ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated ++# ++# Event: AUDIT_LOG_SIGNING ++# Description: This event is used when a signature on the audit log is generated (same as "flush" time). ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: Predefined to be "$System$" because this operation ++# associates with no user. ++# - Outcome: Success ++# - sig: The base-64 encoded signature of the buffer just flushed. ++# ++LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} + # + # Event: AUDIT_LOG_STARTUP +-# - used at audit function startup ++# Description: This event is used at audit function startup. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: + # + LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup + # +-# Event: AUDIT_LOG_SHUTDOWN +-# - used at audit function shutdown ++# Event: AUTH with [Outcome=Failure] ++# Description: This event is used when authentication fails. ++# In case of SSL-client auth, only webserver env can pick up the SSL violation. 
++# CS authMgr can pick up certificate mismatch, so this event is used. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: Failure ++# (obviously, if authentication failed, you won't have a valid SubjectID, so ++# in this case, SubjectID should be $Unidentified$) ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. ++# - AttemptedCred: The credential attempted and failed. + # +-LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown ++LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure + # +-# Event: CIMC_CERT_VERIFICATION +-# - used for verifying CIMC system certificates ++# Event: AUTH with [Outcome=Success] ++# Description: This event is used when authentication succeeded. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# - CertNickName is the cert nickname ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of user who has been authenticated ++# - Outcome: Success ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. + # +-LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification ++LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success + # +-# Event: ROLE_ASSUME +-# - used when user assumes a role (in current CS that's when one accesses a +-# role port) ++# Event: AUTHZ with [Outcome=Failure] ++# Description: This event is used when authorization has failed. 
+ # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Role must be be one of the valid roles, by default: "Administrators", +-# "Certificate Manager Agents", and "Auditors" +-# note that customized role names can be used once configured ++# Fields: ++# - SubjectID: id of user who has failed to be authorized for an action ++# - Outcome: Failure ++# - aclResource: The ACL resource ID as defined in ACL resource list. ++# - Op: One of the operations as defined with the ACL statement ++# e.g. "read" for an ACL statement containing "(read,write)". ++# - Info: + # +-LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role ++LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure + # +-# Event: CONFIG_CERT_POLICY +-# - used when configuring certificate policy constraints and extensions +-# Applicable subsystems: CA +-# Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Event: AUTHZ with [Outcome=Success] ++# Description: This event is used when authorization is successful. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of user who has been authorized for an action ++# - Outcome: Success ++# - aclResource: The ACL resource ID as defined in ACL resource list. ++# - Op: One of the operations as defined with the ACL statement ++# e.g. "read" for an ACL statement containing "(read,write)". 
+ # +-LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success + # +-# Event: CONFIG_CERT_PROFILE +-# - used when configuring certificate profile +-# (general settings and certificate profile) +-# (extensions and constraints policies are to be obsoleted but do it anyway) ++# Event: CERT_PROFILE_APPROVAL ++# Description: This event is used when an agent approves/disapproves a certificate profile set by the ++# administrator for automatic approval. + # Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: id of the CA agent who approved the certificate enrollment profile ++# - Outcome: ++# - ProfileID: One of the profiles defined by the administrator ++# and to be approved by an agent. ++# - Op: "approve" or "disapprove". + # +-LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval + # +-# Event: CONFIG_CRL_PROFILE +-# - used when configuring CRL profile +-# (extensions, frequency, CRL format) ++# Event: CERT_REQUEST_PROCESSED ++# Description: This event is used when certificate request has just been through the approval process. 
+ # Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of the agent who approves, rejects, or cancels ++# the certificate request. ++# - Outcome: ++# - ReqID: The request ID. ++# - InfoName: "certificate" (in case of approval), "rejectReason" ++# (in case of reject), or "cancelReason" (in case of cancel) ++# - InfoValue: The certificate (in case of success), a reject reason in ++# text, or a cancel reason in text. ++# - CertSerialNum: + # +-LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed + # +-# Event: CONFIG_OCSP_PROFILE +-# - used when configuring OCSP profile +-# (everything under Online Certificate Status Manager) +-# Applicable subsystems: OCSP ++# Event: CERT_SIGNING_INFO ++# Description: This event indicates which key is used to sign certificates. 
++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: Success ++# - SKI: Subject Key Identifier of the certificate signing certificate ++# - AuthorityID: (applicable only to lightweight CA) + # +-LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info + # +-# Event: CONFIG_AUTH +-# - used when configuring authentication +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CERT_STATUS_CHANGE_REQUEST ++# Description: This event is used when a certificate status change request (e.g. revocation) ++# is made (before approval process). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- Password MUST NOT be logged --- ++# Fields: ++# - SubjectID: id of uer who performed the action ++# - Outcome: ++# - ReqID: The request ID. ++# - CertSerialNum: The serial number (in hex) of the certificate to be revoked. 
++# - RequestType: "revoke", "on-hold", "off-hold" + # +-LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made + # +-# Event: CONFIG_ROLE +-# - used when configuring role information (anything under users/groups) +-# add/remove/edit a role, etc) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED ++# Description: This event is used when certificate status is changed (revoked, expired, on-hold, ++# off-hold). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of the agent that processed the request. ++# - Outcome: ++# - ReqID: The request ID. ++# - RequestType: "revoke", "on-hold", "off-hold" ++# - Approval: "complete", "rejected", or "canceled" ++# (note that "complete" means "approved") ++# - CertSerialNum: The serial number (in hex). 
++# - RevokeReasonNum: One of the following number: ++# reason number reason ++# -------------------------------------- ++# 0 Unspecified ++# 1 Key compromised ++# 2 CA key compromised (should not be used) ++# 3 Affiliation changed ++# 4 Certificate superceded ++# 5 Cessation of operation ++# 6 Certificate is on-hold ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed + # +-# Event: CONFIG_ACL +-# - used when configuring ACL information ++# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] ++# Description: This event is when access session failed to establish when Certificate System acts as client. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Failure ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client + # +-# Event: CONFIG_SIGNED_AUDIT +-# - used when configuring signedAudit ++# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] ++# Description: This event is used when access session was established successfully when ++# Certificate System acts as client. 
+ # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Success + # +-LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client + # +-# Event: CONFIG_ENCRYPTION +-# - used when configuring encryption (cert settings and SSL cipher preferences) ++# Event: CLIENT_ACCESS_SESSION_TERMINATED ++# Description: This event is used when access session was terminated when Certificate System acts as client. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Success ++# - Info: The TLS Alert received from NSS + # +-LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client + # +-# Event: CONFIG_TRUSTED_PUBLIC_KEY +-# - used when +-# 1. 
"Manage Certificate" is used to edit the trustness of certificates +-# and deletion of certificates +-# 2. "Certificate Setup Wizard" is used to import CA certificates into the +-# certificate database (Although CrossCertificatePairs are stored +-# within internaldb, audit them as well) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CMC_REQUEST_RECEIVED ++# Description: This event is used when a CMC request is received. ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# If CMC requests is signed by an agent, SubjectID should ++# be that of the agent. ++# In case of an unsigned request, it would bear $Unidentified$. ++# - Outcome: ++# - CMCRequest: Base64 encoding of the CMC request received + # +-LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration ++LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received + # +-# Event: CONFIG_DRM +-# - used when configuring DRM +-# (Key recovery scheme, change of any secret component) +-# Applicable subsystems: KRA ++# Event: CMC_RESPONSE_SENT ++# Description: This event is used when a CMC response is sent. ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- ++# Fields: ++# - SubjectID: The UID of user that triggered this event. 
++# - Outcome: ++# - CMCResponse: Base64 encoding of the CMC response sent + # +-LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent + # +-# Event: SELFTESTS_EXECUTION +-# - used when self tests are run +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CMC_SIGNED_REQUEST_SIG_VERIFY ++# Description: This event is used when agent signed CMC certificate requests or revocation requests ++# are submitted and signature is verified. ++# Applicable subsystems: CA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: the user who signed the CMC request (success case) ++# - Outcome: ++# - ReqType: The request type (enrollment, or revocation). ++# - CertSubject: The certificate subject name of the certificate request. ++# - SignerInfo: A unique String representation for the signer. + # +-LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details) ++LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification + # +-# Event: AUDIT_LOG_DELETE +-# - used AFTER audit log gets expired (authz should not allow, +-# but in case authz gets compromised. Make sure it is written +-# AFTER the log expiration happens) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# LogFile must be the complete name (including the path) of the +-# signedAudit log that is attempted to be deleted ++# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY ++# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests ++# are submitted and signature is verified. 
++# Applicable subsystems: CA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: the user who signed the CMC request (success case) ++# - Outcome: ++# - ReqType: The request type (enrollment, or revocation). ++# - CertSubject: The certificate subject name of the certificate request. ++# - CMCSignerInfo: A unique String representation for the CMC request signer. ++# - info: + # +-LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success + # +-# Event: LOG_PATH_CHANGE +-# - used when log file name (including any path changes) for any of +-# audit, system, transaction, or other customized log file +-# change is attempted (authz should not allow, but make sure it's +-# written after the attempt) ++# Event: CONFIG_ACL ++# Description: This event is used when configuring ACL information. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# LogType must be "System", "Transaction", or "SignedAudit" +-# toLogFile must be the name (including any path changes) that the user is +-# attempting to change to ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. 
+ # +-LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt ++LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change + # +-# Event: LOG_EXPIRATION_CHANGE +-# - used when log expiration time change is attempted (authz should not +-# allow, but make sure it's written after the attempt) ++# Event: CONFIG_AUTH ++# Description: This event is used when configuring authentication. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# LogType must be "System", "Transaction", or "SignedAudit" +-# ExpirationTime must be the amount of time (in seconds) that is +-# attempted to be changed to ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- Password MUST NOT be logged --- + # +-# -- feature disabled -- +-#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt ++LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change + # +-# Event: SERVER_SIDE_KEYGEN_REQUEST +-# - used when server-side key generation request is made +-# This is for tokenkeys +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CONFIG_CERT_PROFILE ++# Description: This event is used when configuring certificate profile ++# (general settings and certificate profile). 
++# Applicable subsystems: CA + # Enabled by default: Yes +-# EntityID must be the representation of the subject that will be on the certificate when issued ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request ++LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change + # +-# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED +-# - used when server-side key generation request has been processed. +-# This is for tokenkeys +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CONFIG_CRL_PROFILE ++# Description: This event is used when configuring CRL profile ++# (extensions, frequency, CRL format). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# EntityID must be the representation of the subject that will be on the certificate when issued +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be archived ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. 
+ # +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed ++LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change + # +-# Event: KEY_RECOVERY_REQUEST +-# - used when key recovery request is made +-# Applicable subsystems: CA, OCSP, TKS, TPS, TPS +-# Enabled by default: No +-# RecoveryID must be the recovery request ID +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be recovered ++# Event: CONFIG_DRM ++# Description: This event is used when configuring KRA. ++# This includes key recovery scheme, change of any secret component. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- + # +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made ++LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change + # +-# Event: KEY_RECOVERY_AGENT_LOGIN +-# - used when DRM agents login as recovery agents to approve +-# key recovery requests +-# Applicable subsystems: KRA +-# Enabled by default: No +-# RecoveryID must be the recovery request ID +-# RecoveryAgent must be the recovery agent the DRM agent is +-# logging in with ++# Event: CONFIG_OCSP_PROFILE ++# Description: This event is used when configuring OCSP profile ++# (everything under Online Certificate Status Manager). 
++# Applicable subsystems: OCSP ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login ++LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change + # +-# Event: KEY_GEN_ASYMMETRIC +-# - used when asymmetric keys are generated +-# (like when CA certificate requests are generated - +-# e.g. CA certificate change over, renewal with new key, etc.) ++# Event: CONFIG_ROLE ++# Description: This event is used when configuring role information. ++# This includes anything under users/groups, add/remove/edit a role, etc. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# PubKey must be the base-64 encoded public key material ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation ++LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change + # +-# Event: CERT_SIGNING_INFO +-# Applicable subsystems: CA ++# Event: CONFIG_SERIAL_NUMBER ++# Description: This event is used when configuring serial number ranges ++# (when requesting a serial number range when cloning, for example). 
++# Applicable subsystems: CA, KRA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info ++LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update + # +-# Event: OCSP_SIGNING_INFO +-# Applicable subsystems: CA, OCSP ++# Event: CONFIG_SIGNED_AUDIT ++# Description: This event is used when configuring signedAudit. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info ++LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change ++# ++# Event: CONFIG_TRUSTED_PUBLIC_KEY ++# Description: This event is used when: ++# 1. "Manage Certificate" is used to edit the trustness of certificates ++# and deletion of certificates ++# 2. 
"Certificate Setup Wizard" is used to import CA certificates into the ++# certificate database (Although CrossCertificatePairs are stored ++# within internaldb, audit them as well) ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ID of administrator who performed this configuration ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration + # + # Event: CRL_SIGNING_INFO ++# Description: This event indicates which key is used to sign CRLs. + # Applicable subsystems: CA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: ++# - SKI: Subject Key Identifier of the CRL signing certificate + # + LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info + # +-# Event: NON_PROFILE_CERT_REQUEST +-# - used when a non-profile certificate request is made (before approval process) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# SubjectID must be the UID of user that triggered this event +-# (if CMC enrollment requests signed by an agent, SubjectID should +-# be that of the agent), while +-# CertSubject must be the certificate subject name of the certificate request +-# ReqID must be the certificate request ID +-# ServiceID must be the identity of the servlet that submitted the original +-# request +-# +-LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles +-# +-# Event: CMC_REQUEST_RECEIVED +-# - used when a CMC request is received. 
++# Event: DELTA_CRL_GENERATION ++# Description: This event is used when delta CRL generation is complete. + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event +-# (if CMC requests is signed by an agent, SubjectID should +-# be that of the agent) +-# In case of an unsigned request, it would bear $Unidentified$ ++# Fields: ++# - SubjectID: $Unidentified$ ++# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise. ++# - CRLnum: The CRL number that identifies the CRL ++# - Info: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received ++LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation + # +-# Event: CMC_RESPONSE_SENT +-# - used when a CMC response is sent ++# Event: FULL_CRL_GENERATION ++# Description: This event is used when full CRL generation is complete. + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise. ++# - CRLnum: The CRL number that identifies the CRL ++# - Info: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent ++LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation + # + # Event: PROFILE_CERT_REQUEST +-# - used when a profile certificate request is made (before approval process) ++# Description: This event is used when a profile certificate request is made (before approval process). 
+ # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event +-# (if CMC enrollment requests signed by an agent, SubjectID should +-# be that of the agent), while +-# CertSubject must be the certificate subject name of the certificate request +-# ReqID must be the certificate request ID +-# ProfileID must be one of the certificate profiles defined by the +-# administrator ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# If CMC enrollment requests signed by an agent, SubjectID should ++# be that of the agent. ++# - Outcome: ++# - CertSubject: The certificate subject name of the certificate request. ++# - ReqID: The certificate request ID. ++# - ProfileID: One of the certificate profiles defined by the ++# administrator. + # + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles + # +-# Event: CERT_REQUEST_PROCESSED +-# - used when certificate request has just been through the approval process ++# Event: PROOF_OF_POSSESSION ++# Description: This event is used for proof of possession during certificate enrollment processing. 
+ # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of the agent who approves, rejects, or cancels +-# the certificate request +-# ReqID must be the request ID +-# InfoName must be value "certificate" (in case of approval), "rejectReason" +-# (in case of reject), or "cancelReason" (in case of cancel) +-# InfoValue must contain the certificate (in case of success), a reject reason in +-# text, or a cancel reason in text ++# Fields: ++# - SubjectID: id that represents the authenticated user ++# - Outcome: ++# - Info: some information on when/how it occurred + # +-LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed ++LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession + # +-# Event: CERT_STATUS_CHANGE_REQUEST +-# - used when a certificate status change request (e.g. revocation) +-# is made (before approval process) +-# Applicable subsystems: CA ++# Event: OCSP_ADD_CA_REQUEST_PROCESSED ++# Description: This event is used when an add CA request to the OCSP Responder is processed. ++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# ReqID must be the request ID +-# CertSerialNum must be the serial number (in hex) of the certificate to be revoked +-# RequestType must be "revoke", "on-hold", "off-hold" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: "Success" when CA is added successfully, "Failure" otherwise. ++# - CASubjectDN: The subject DN of the leaf CA cert in the chain. 
+ # +-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made ++LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder + # +-# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED +-# - used when certificate status is changed (revoked, expired, on-hold, +-# off-hold) +-# Applicable subsystems: CA ++# Event: OCSP_GENERATION ++# Description: This event is used when an OCSP response generated is complete. ++# Applicable subsystems: CA, OCSP + # Enabled by default: Yes +-# SubjectID must be the UID of the agent that processed the request +-# ReqID must be the request ID +-# RequestType must be "revoke", "on-hold", "off-hold" +-# Approval must be "complete", "rejected", or "canceled" +-# (note that "complete" means "approved") +-# CertSerialNum must be the serial number (in hex) +-# RevokeReasonNum must contain one of the following number: +-# reason number reason +-# -------------------------------------- +-# 0 Unspecified +-# 1 Key compromised +-# 2 CA key compromised (should not be used) +-# 3 Affiliation changed +-# 4 Certificate superceded +-# 5 Cessation of operation +-# 6 Certificate is on-hold ++# Fields: ++# - SubjectID: $NonRoleUser$ ++# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise. ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed ++LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation + # +-# Event: AUTHZ with [Outcome=Success] +-# - used when authorization is successful +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure] ++# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed. 
++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# Outcome must be success for this event +-# aclResource must be the ACL resource ID as defined in ACL resource list +-# Op must be one of the operations as defined with the ACL statement +-# e.g. "read" for an ACL statement containing "(read,write)" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: Failure ++# - CASubjectDN: The subject DN of the leaf CA certificate in the chain. + # +-LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success ++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed + # +-# Event: AUTHZ with [Outcome=Failure] +-# - used when authorization has failed +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success] ++# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully. ++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# Outcome must be failure for this event +-# aclResource must be the ACL resource ID as defined in ACL resource list +-# Op must be one of the operations as defined with the ACL statement +-# e.g. "read" for an ACL statement containing "(read,write)" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise. ++# - CASubjectDN: The subject DN of the leaf CA certificate in the chain. 
+ # +-LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure ++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful + # +-# Event: INTER_BOUNDARY +-# - used when inter-CIMC_Boundary data transfer is successful +-# (this is used when data does not need to be captured) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# ProtectionMethod must be one of the following: "SSL", or "unknown" +-# ReqType must be the request type +-# ReqID must be the request ID ++# Event: OCSP_SIGNING_INFO ++# Description: This event indicates which key is used to sign OCSP responses. ++# Applicable subsystems: CA, OCSP ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: ++# - SKI: Subject Key Identifier of the OCSP signing certificate ++# - AuthorityID: (applicable only to lightweight CA) + # +-LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success ++LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info + # +-# Event: AUTH with [Outcome=Failure] +-# - used when authentication fails (in case of SSL-client auth, +-# only webserver env can pick up the SSL violation; +-# CS authMgr can pick up certificate mis-match, so this event is used) ++# Event: ROLE_ASSUME ++# Description: This event is used when a user assumes a role. 
+ # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Outcome should always be "failure" in this event +-# (obviously, if authentication failed, you won't have a valid SubjectID, so +-# in this case, SubjectID should be $Unidentified$) +-# AuthMgr must be the authentication manager instance name that did +-# this authentication +-# AttemptedCred must be the credential attempted and failed ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Role: One of the valid roles: ++# "Administrators", "Certificate Manager Agents", or "Auditors". ++# Note that customized role names can be used once configured. + # +-LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure ++LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role + # +-# Event: AUTH with [Outcome=Success] +-# - used when authentication succeeded ++# Event: SECURITY_DOMAIN_UPDATE ++# Description: This event is used when updating contents of security domain ++# (add/remove a subsystem). ++# Applicable subsystems: CA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: CA administrator user ID ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# ++LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update ++# ++# Event: SELFTESTS_EXECUTION ++# Description: This event is used when self tests are run. 
+ # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Outcome should always be "success" in this event +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: + # +-LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success ++LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details) ++######################################################################### ++# Available Audit Events - Enabled by default: Yes ++######################################################################### + # +-# Event: CERT_PROFILE_APPROVAL +-# - used when an agent approves/disapproves a certificate profile set by the +-# administrator for automatic approval +-# Applicable subsystems: CA ++# Event: ASYMKEY_GENERATION_REQUEST ++# Description: This event is used when asymmetric key generation request is made. ++# Applicable subsystems: KRA + # Enabled by default: Yes +-# ProfileID must be one of the profiles defined by the administrator +-# and to be approved by an agent +-# Op must be "approve" or "disapprove" ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: + # +-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval ++LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made + # +-# Event: PROOF_OF_POSSESSION +-# - used for proof of possession during certificate enrollment processing +-# Applicable subsystems: CA ++# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED ++# Description: This event is used when a request to generate asymmetric keys received by the KRA ++# is processed. 
++# Applicable subsystems: KRA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: ++# - KeyID: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession ++LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed + # +-# Event: CMC_PROOF_OF_IDENTIFICATION +-# - used for proof of identification during CMC request processing ++# Event: AUTHORITY_CONFIG ++# Description: This event is used when configuring lightweight authorities. + # Applicable subsystems: CA +-# Enabled by default: No +-# - In case of success, "SubjectID" is the actual identified identification; +-# - In case of failure, "SubjectID" is the attempted identification ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request ++LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change + # +-# Event: CMC_ID_POP_LINK_WITNESS +-# - used for identification and POP linking verification during CMC request processing +-# Applicable subsystems: CA +-# Enabled by default: No ++# Event: CONFIG_ENCRYPTION ++# Description: This event is used when configuring encryption (cert settings and SSL cipher preferences). 
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification ++LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_AUTHENTICATOR ++# Description: This event is used when configuring token authenticators. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - OP: ++# - Authenticator: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_CONNECTOR ++# Description: This event is used when configuring token connectors. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Service: can be any of the methods offered ++# - Connector: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. 
++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_MAPPING_RESOLVER ++# Description: This event is used when configuring token mapping resolver. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: TPS administrator id ++# - Outcome: ++# - Service: ++# - MappingResolverID: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_RECORD ++# Description: This event is used when information in token record changed. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: TPS administrator id ++# - Outcome: ++# - OP: operation to add or delete token ++# - TokenID: smart card unique id ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. 
++# --- secret component (password) MUST NOT be logged ---
++# - Info: in general is used for capturing error info for failed cases
++#
++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
++#
++# Event: KEY_GEN_ASYMMETRIC
++# Description: This event is used when asymmetric keys are generated
++# such as when CA certificate requests are generated,
++# e.g. CA certificate change over, renewal with new key.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - PubKey: The base-64 encoded public key material.
++#
++LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
++#
++# Event: LOG_PATH_CHANGE
++# Description: This event is used when log file name (including any path changes) for any of
++# audit, system, transaction, or other customized log file change is attempted.
++# The ACL should not allow this operation, but make sure it's written after the attempt.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: Yes
++# Fields:
++# - SubjectID: administrator user id
++# - Outcome:
++# - LogType: "System", "Transaction", or "SignedAudit"
++# - toLogFile: The name (including any path changes) that the user is
++# attempting to change to.
++#
++LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
++#
++# Event: RANDOM_GENERATION
++# Description: This event is used when a random number generation is complete.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome: "Success" when a random number is generated successfully, "Failure" otherwise.
++# - Info:
++# - Caller: PKI code that calls the random number generator.
++# - Size: Size of random number in bytes.
++# - FailureReason:
++#
++LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
+ #
+ # Event: SCHEDULE_CRL_GENERATION
+-# - used when CRL generation is scheduled
++# Description: This event is used when CRL generation is scheduled.
+ # Applicable subsystems: CA
+-# Enabled by default: No
+-# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise.
++# - FailureReason:
+ #
+ LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
+ #
+-# Event: DELTA_CRL_GENERATION
+-# - used when delta CRL generation is complete
+-# Applicable subsystems: CA
++# Event: SECURITY_DATA_ARCHIVAL_REQUEST
++# Description: This event is used when security data recovery request is made.
++# Applicable subsystems: KRA
+ # Enabled by default: Yes
+-# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - ArchivalRequestID: The requestID provided by the CA through the connector.
++# It is used to track the request through from CA to KRA.
++# - RequestId: The KRA archival request ID.
++# - ClientKeyID: The user supplied client ID associated with
++# the security data to be archived.
++# - FailureReason:
+ #
+-LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
+ #
+-# Event: DELTA_CRL_PUBLISHING
+-# - used when delta CRL publishing is complete
+-# Applicable subsystems: CA
+-# Enabled by default: No
+-# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
++# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
++# Description: This event is used when user security data archive request is processed.
++# This is when KRA receives and processed the request.
++# Applicable subsystems: KRA
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - ArchivalRequestID: The requestID provided by the CA through the connector.
++# It is used to track the request through from CA to KRA.
++# - RequestId: The KRA archival request ID.
++# - ClientKeyID: The user supplied client ID associated with
++# the security data to be archived.
++# - KeyID:
++# - PubKey:
++# - FailureReason:
+ #
+-LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
+ #
+-# Event: FULL_CRL_GENERATION
+-# - used when full CRL generation is complete
+-# Applicable subsystems: CA
++# Event: SECURITY_DATA_RECOVERY_REQUEST
++# Description: This event is used when security data recovery request is made.
++# Applicable subsystems: KRA
+ # Enabled by default: Yes
+-# Outcome is "success" when full CRL is generated successfully, "failure" otherwise
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - DataID: The ID of the security data being requested to be recovered.
++# - PubKey:
+ #
+-LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
+ #
+-# Event: FULL_CRL_PUBLISHING
+-# - used when full CRL publishing is complete
+-# Applicable subsystems: CA
+-# Enabled by default: No
+-# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
++# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
++# Description: This event is used when security data recovery request is processed.
++# Applicable subsystems: KRA
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - KeyID: The ID of the security data being requested to be recovered.
++# - RecoveryAgents: The UIDs of the recovery agents approving this request.
++# - FailureReason:
+ #
+-LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
+ #
+-# Event: CRL_RETRIEVAL
+-# - used when CRLs are retrieved by the OCSP Responder
+-# Applicable subsystems: OCSP
+-# Enabled by default: No
+-# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
+-# CRLnum is the CRL number that identifies the CRL
++# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
++# Description: This event is used when KRA agents login as recovery agents to change
++# the state of key recovery requests.
++# Applicable subsystems: KRA
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - Operation: The operation performed (approve, reject, cancel etc.).
+ #
+-LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
+ #
+-# Event: CRL_VALIDATION
+-# - used when CRL is retrieved and validation process occurs
+-# Applicable subsystems: OCSP
+-# Enabled by default: No
++# Event: SERVER_SIDE_KEYGEN_REQUEST
++# Description: This event is used when server-side key generation request is made.
++# This is for token keys.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - EntityID: The representation of the subject that will be on the certificate when issued.
++# - RequestID:
+ #
+-LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
+ #
+-# Event: OCSP_ADD_CA_REQUEST
+-# - used when a CA is attempted to be added to the OCSP Responder
+-# Applicable subsystems: OCSP
+-# Enabled by default: No
+-# Outcome is "success" as the request is made
+-# CA must be the base-64 encoded PKCS7 certificate (or chain)
++# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
++# Description: This event is used when server-side key generation request has been processed.
++# This is for token keys.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - EntityID: The representation of the subject that will be on the certificate when issued.
++# - RequestID:
++# - PubKey: The base-64 encoded public key associated with
++# the private key to be archived.
+ #
+-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
+ #
+-# Event: OCSP_ADD_CA_REQUEST_PROCESSED
+-# - used when an add CA request to the OCSP Responder is processed
+-# Applicable subsystems: OCSP
++# Event: SYMKEY_GENERATION_REQUEST
++# Description: This event is used when symmetric key generation request is made.
++# Applicable subsystems: KRA
+ # Enabled by default: Yes
+-# Outcome is "success" when CA is added successfully, "failure" otherwise
+-# CASubjectDN is the subject DN of the leaf CA cert in the chain
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - GenerationRequestID:
++# - ClientKeyID: The ID of the symmetric key to be generated and archived.
+ #
+-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
++LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
+ #
+-# Event: OCSP_REMOVE_CA_REQUEST
+-# - used when a CA is attempted to be removed from the OCSP Responder
+-# Applicable subsystems: OCSP
+-# Enabled by default: No
+-# Outcome is "success" as the request is made
+-# CA must be the DN id of the CA
+-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
++# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
++# Description: This event is used when symmetric key generation request is processed.
++# This is when KRA receives and processes the request.
++# Applicable subsystems: KRA
++# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - GenerationRequestID:
++# - ClientKeyID: The user supplied client ID associated with
++# the symmetric key to be generated and archived.
++# - KeyID:
++# - FailureReason:
+ #
+-# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
+-# - used when a remove CA request to the OCSP Responder is processed successfully
+-# Applicable subsystems: OCSP
++LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
++#
++# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
++# Description: This event is used when token apple upgrade failed.
++# Applicable subsystems: TPS
+ # Enabled by default: Yes
+-# Outcome is "success" when CA is removed successfully, "failure" otherwise
+-# CASubjectDN is the subject DN of the leaf CA cert in the chain
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - MSN:
++# - KeyVersion:
++# - oldAppletVersion:
++# - newAppletVersion:
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
+ #
+-# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
+-# - used when a remove CA request to the OCSP Responder is processed and failed
+-# Applicable subsystems: OCSP
++# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
++# Description: This event is used when token apple upgrade succeeded.
++# Applicable subsystems: TPS
+ # Enabled by default: Yes
+-# Outcome is "failure"
+-# CASubjectDN is DN ID of the CA
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - MSN:
++# - KeyVersion:
++# - oldAppletVersion:
++# - newAppletVersion:
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
+ #
+-# Event: OCSP_GENERATION
+-# - used when an OCSP response generated is complete
+-# Applicable subsystems: CA, OCSP
++# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
++# Description: This event is used when token key changeover failed.
++# Applicable subsystems: TPS
+ # Enabled by default: Yes
+-# Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - MSN:
++# - tokenType:
++# - AppletVersion:
++# - oldKeyVersion:
++# - newKeyVersion:
++# - Info: Info in case of failure.
+ #
+-LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
+ #
+-# Event: RANDOM_GENERATION
+-# - used when a random number generation is complete
+-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
++# Description: This event is used when token key changeover succeeded.
++# Applicable subsystems: TPS
+ # Enabled by default: Yes
+-# Info:
+-# - Caller is PKI code that calls the random number generator
+-# - Size is size of random number in bytes
+-# Outcome is "success" when a random number is generated successfully, "failure" otherwise
+-LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - MSN:
++# - tokenType:
++# - AppletVersion:
++# - oldKeyVersion:
++# - newKeyVersion:
++# - Info: Usually is unused for success.
+ #
+-# Event: CMC_SIGNED_REQUEST_SIG_VERIFY
+-# - used when agent signed CMC certificate requests or revocation requests
+-# are submitted and signature is verified
+-# Applicable subsystems: CA
++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
++#
++# Event: TOKEN_KEY_CHANGEOVER_REQUIRED
++# Description: This event is used when token key changeover is required.
++# Applicable subsystems: TPS
+ # Enabled by default: Yes
+-# ReqType must be the request type (enrollment, or revocation)
+-# CertSubject must be the certificate subject name of the certificate request
+-# SignerInfo must be a unique String representation for the signer
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - MSN:
++# - tokenType:
++# - AppletVersion:
++# - oldKeyVersion:
++# - newKeyVersion:
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
++#########################################################################
++# Available Audit Events - Enabled by default: No
++#########################################################################
+ #
+-# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
+-# - used when CMC (user-signed or self-signed) certificate requests or revocation requests
+-# are submitted and signature is verified
++# Event: AUDIT_LOG_DELETE
++# Description: This event is used AFTER audit log gets expired.
++# The ACL should not allow this operation, but it is provided in case ACL gets compromised.
++# Make sure it is written AFTER the log expiration happens.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - LogFile: The complete name (including the path) of the
++# signedAudit log that is attempted to be deleted.
++#
++LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
++#
++# Event: AUDIT_LOG_SHUTDOWN
++# Description: This event is used at audit function shutdown.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++#
++LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
++#
++# Event: CIMC_CERT_VERIFICATION
++# Description: This event is used for verifying CS system certificates.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - CertNickName: The certificate nickname.
++#
++LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CS certificate verification
++#
++# Event: CMC_ID_POP_LINK_WITNESS
++# Description: This event is used for identification and POP linking verification during CMC request processing.
+ # Applicable subsystems: CA
+-# Enabled by default: Yes
+-# ReqType must be the request type (enrollment, or revocation)
+-# CertSubject must be the certificate subject name of the certificate request
+-# CMCSignerInfo must be a unique String representation for the CMC request signer
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
+-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
++LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
+ #
+-# Event: COMPUTE_RANDOM_DATA_REQUEST
+-# - used for TPS to TKS to get random challenge data
+-# Applicable subsystems: TKS, TPS
++# Event: CMC_PROOF_OF_IDENTIFICATION
++# Description: This event is used for proof of identification during CMC request processing.
++# Applicable subsystems: CA
+ # Enabled by default: No
+-# AgentID must be the trusted agent id used to make the request
++# Fields:
++# - SubjectID:
++# In case of success, "SubjectID" is the actual identified identification.
++# In case of failure, "SubjectID" is the attempted identification.
++# - Outcome:
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
++LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
+ #
+-# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
+-# - used for TPS to TKS to get random challenge data
++# Event: COMPUTE_RANDOM_DATA_REQUEST
++# Description: This event is used when the request for TPS to TKS to get random challenge data is received.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# Outcome is SUCCESS or FAILURE
+-# Status is 0 for no error.
+-# AgentID must be the trusted agent id used to make the request
+-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
++# Fields:
++# - Outcome:
++# - AgentID: The trusted agent ID used to make the request.
++#
++LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
+ #
+ # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
+-# - used for TPS to TKS to get random challenge data
++# Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# Outcome is SUCCESS or FAILURE
+-# Status is 0 for no error.
+-# Error gives the error message
+-# AgentID must be the trusted agent id used to make the request
++# Fields:
++# - Outcome: Success or Failure.
++# - Status: 0 for no error.
++# - Error: The error message.
++# - AgentID: The trusted agent ID used to make the request.
+ #
+ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
+ #
++# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
++# Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully.
++# Applicable subsystems: TKS, TPS
++# Fields:
++# - Outcome: Success or Failure.
++# - Status: 0 for no error.
++# - AgentID: The trusted agent ID used to make the request.
++#
++LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
++#
+ # Event: COMPUTE_SESSION_KEY_REQUEST
+-# - used for TPS to TKS to get a sessoin key for secure channel setup
++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token establishing the secure channel
+-# AgentID must be the trusted agent id used to make the request
++# Fields:
++# - Outcome:
++# - AgentID: The trusted agent ID used to make the request.
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+ ## CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
+ ## encoded parameters are being logged.
+-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
+ #
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
+ #
++# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully.
++# Applicable subsystems: TKS, TPS
++# Enabled by default: No
++# Fields:
++# - Outcome: Failure
++# - status: Error code or 0 for no error.
++# - AgentID: The trusted agent ID used to make the request.
++# - IsCryptoValidate: tells if the card cryptogram is to be validated
++# - IsServerSideKeygen: tells if the keys are to be generated on server
++# - SelectedToken: The cryptographic token performing key operations.
++# - KeyNickName: The numeric keyset, e.g. #01#01.
++# - Error: The error message.
++#
++## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
++## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - KeyInfo_KeyVersion: The key version number requested in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
++#
++LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
++#
+ # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
+-# - request for TPS to TKS to get a sessoin key for secure channel processed
++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token establishing the secure channel
+-# AgentID must be the trusted agent id used to make the request
+-# Outcome is SUCCESS or FAILURE
+-# Status is 0 for no error.
+-# IsCryptoValidate tells if the card cryptogram is to be validated
+-# IsServerSideKeygen tells if the keys are to be generated on server
+-# SelectedToken is the cryptographic token performing key operations
+-# KeyNickName is the number keyset ex: #01#01
++# Fields:
++# - AgentID: The trusted agent ID used to make the request.
++# - Outcome: Success
++# - status: 0 for no error.
++# - IsCryptoValidate: tells if the card cryptogram is to be validated
++# - IsServerSideKeygen: tells if the keys are to be generated on server
++# - SelectedToken: The cryptographic token performing key operations.
++# - KeyNickName: The number keyset, e.g. #01#01.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+ ## CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
+ ## that decoded parameters are now logged.
+ ## Also added TKSKeyset, KeyInfo_KeyVersion,
+ ## NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# KeyInfo_KeyVersion is the key version number requested in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - KeyInfo_KeyVersion: The key version number requested in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
+ #
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
+ #
+-# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
+-# - request for TPS to TKS to get a sessoin key for secure channel processed
+-# Applicable subsystems: TKS, TPS
++# Event: CONFIG_CERT_POLICY
++# Description: This event is used when configuring certificate policy constraints and extensions.
++# Applicable subsystems: CA
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token establishing the secure channel
+-# Outcome is SUCCESS or FAILURE
+-# Status is error code or 0 for no error.
+-# AgentID must be the trusted agent id used to make the request
+-# status is 0 for success, non-zero for various errors
+-# IsCryptoValidate tells if the card cryptogram is to be validated
+-# IsServerSideKeygen tells if the keys are to be generated on server
+-# SelectedToken is the cryptographic token performing key operations
+-# KeyNickName is the numeric keyset ex: #01#01
+-# Error gives the error message
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - ParamNameValPairs: A name-value pair
++# (where name and value are separated by the delimiter ;;)
++# separated by + (if more than one name-value pair) of config params changed.
+ #
+-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+-## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# KeyInfo_KeyVersion is the key version number requested in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
++LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
+ #
+-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
++# Event: CONFIG_TOKEN_GENERAL
++# Description: This event is used when doing general TPS configuration.
++# Applicable subsystems: TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - ParamNameValPairs: A name-value pair
++# (where name and value are separated by the delimiter ;;)
++# separated by + (if more than one name-value pair) of config params changed.
++# --- secret component (password) MUST NOT be logged ---
++# - Info: Error info for failed cases.
++#
++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
++#
++# Event: CONFIG_TOKEN_PROFILE
++# Description: This event is used when configuring token profile.
++# Applicable subsystems: TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - Service: can be any of the methods offered
++# - ProfileID:
++# - ParamNameValPairs: A name-value pair
++# (where name and value are separated by the delimiter ;;)
++# separated by + (if more than one name-value pair) of config params changed.
++# --- secret component (password) MUST NOT be logged ---
++# - Info: Error info for failed cases.
++#
++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
++#
++# Event: CRL_RETRIEVAL
++# Description: This event is used when CRLs are retrieved by the OCSP Responder.
++# Applicable subsystems: OCSP
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise.
++# - CRLnum: The CRL number that identifies the CRL.
++#
++LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
++#
++# Event: CRL_VALIDATION
++# Description: This event is used when CRL is retrieved and validation process occurs.
++# Applicable subsystems: OCSP
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++#
++LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
++#
++# Event: DELTA_CRL_PUBLISHING
++# Description: This event is used when delta CRL publishing is complete.
++# Applicable subsystems: CA
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome: "Success" when delta CRL is publishing successfully, "Failure" otherwise.
++# - CRLnum:
++# - FailureReason:
++#
++LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
+ #
+ # Event: DIVERSIFY_KEY_REQUEST
+-# - request for TPS to TKS to do key change over
++# Description: This event is used when the request for TPS to TKS to do key changeover is received.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting key change over
+-# AgentID must be the trusted agent id used to make the request
+-# status is 0 for success, non-zero for various errors
+-# oldMasterKeyName is the old master key name
+-# newMasterKeyName is the new master key name
++# Fields:
++# - Outcome:
++# - AgentID: The trusted agent ID used to make the request.
++# - oldMasterKeyName: The old master key name.
++# - newMasterKeyName: The new master key name.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
+ #
+ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
+ #
+-# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
+-# - request for TPS to TKS to do key change over request processed
++# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
++# Description: This event is when the request for TPS to TKS to do key changeover is processed unsuccessfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting key change over
+-# AgentID must be the trusted agent id used to make the request
+-# Outcome is SUCCESS or FAILURE
+-# status is 0 for success, non-zero for various errors
+-# oldMasterKeyName is the old master key name
+-# newMasterKeyName is the new master key name
++# Fields:
++# - AgentID: The trusted agent ID used to make the request.
++# - Outcome: Failure
++# - status: 0 for success, non-zero for various errors.
++# - oldMasterKeyName: The old master key name.
++# - newMasterKeyName: The new master key name.
++# - Error: The error message.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+ ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# OldKeyInfo_KeyVersion is the old key version number in hex.
+-# NewKeyInfo_KeyVersion is the new key version number in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - OldKeyInfo_KeyVersion: The old key version number in hex.
++# - NewKeyInfo_KeyVersion: The new key version number in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
+ #
+-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
++LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
+ #
+-# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
+-# - request for TPS to TKS to do key change over request processed
++# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
++# Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting key change over
+-# AgentID must be the trusted agent id used to make the request
+-# Outcome is SUCCESS or FAILURE
+-# status is 0 for success, non-zero for various errors
+-# oldMasterKeyName is the old master key name
+-# newMasterKeyName is the new master key name
+-# Error gives the error message
++# Fields:
++# - AgentID: The trusted agent ID used to make the request.
++# - Outcome: Success
++# - status: 0 for success, non-zero for various errors.
++# - oldMasterKeyName: The old master key name.
++# - newMasterKeyName: The new master key name.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+ ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# OldKeyInfo_KeyVersion is the old key version number in hex.
+-# NewKeyInfo_KeyVersion is the new key version number in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - OldKeyInfo_KeyVersion: The old key version number in hex.
++# - NewKeyInfo_KeyVersion: The new key version number in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
+ #
+-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
++LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
+ #
+ # Event: ENCRYPT_DATA_REQUEST
+-# - request from TPS to TKS to encrypt data
+-# (or generate random data and encrypt)
++# Description: This event is used when the request from TPS to TKS to encrypt data
++# (or generate random data and encrypt) is received.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting encrypt data
+-# AgentID must be the trusted agent id used to make the request
+-# status is 0 for success, non-zero for various errors
+-# isRandom tells if the data is randomly generated on TKS
+-#
+-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
++# Fields:
++# - SubjectID: The CUID of the token requesting encrypt data.
++# - AgentID: The trusted agent ID used to make the request.
++# - status: 0 for success, non-zero for various errors.
++# - isRandom: tells if the data is randomly generated on TKS
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
+ #
++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
+ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
+ #
+-# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
+-# - request from TPS to TKS to encrypt data
+-# (or generate random data and encrypt)
++# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
++# Description: This event is used when the request from TPS to TKS to encrypt data
++# (or generate random data and encrypt) is processed unsuccessfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting encrypt data
+-# AgentID must be the trusted agent id used to make the request
+-# Outcome is SUCCESS or FAILURE
+-# status is 0 for success, non-zero for various errors
+-# isRandom tells if the data is randomly generated on TKS
+-# SelectedToken is the cryptographic token performing key operations
+-# KeyNickName is the numeric keyset ex: #01#01
++# Fields:
++# - AgentID: The trusted agent ID used to make the request.
++# - Outcome: Failure
++# - status: 0 for success, non-zero for various errors.
++# - isRandom: tells if the data is randomly generated on TKS
++# - SelectedToken: The cryptographic token performing key operations.
++# - KeyNickName: The numeric keyset, e.g. #01#01.
++# - Error: The error message.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+ ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# KeyInfo_KeyVersion is the key version number requested in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - KeyInfo_KeyVersion: The key version number requested in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
+ #
+-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
+ #
+-# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
+-# - request from TPS to TKS to encrypt data
+-# (or generate random data and encrypt)
++# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
++# Description: This event is used when the request from TPS to TKS to encrypt data
++# (or generate random data and encrypt) is processed successfully.
+ # Applicable subsystems: TKS, TPS
+ # Enabled by default: No
+-# SubjectID must be the CUID of the token requesting encrypt data
+-# AgentID must be the trusted agent id used to make the request
+-# Outocme is SUCCESS or FAILURE
+-# status is 0 for success, non-zero for various errors
+-# isRandom tells if the data is randomly generated on TKS
+-# SelectedToken is the cryptographic token performing key operations
+-# KeyNickName is the numeric keyset ex: #01#01
+-# Error gives the error message
++# Fields:
++# - AgentID: The trusted agent ID used to make the request.
++# - Outcome: Success
++# - status: 0 for success, non-zero for various errors.
++# - isRandom: tells if the data is randomly generated on TKS
++# - SelectedToken: The cryptographic token performing key operations.
++# - KeyNickName: The numeric keyset, e.g. #01#01.
+ #
+ ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+ ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+-# TKSKeyset is the name of the TKS keyset being used for this request.
+-# KeyInfo_KeyVersion is the key version number requested in hex.
+-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
++# - TKSKeyset: The name of the TKS keyset being used for this request.
++# - KeyInfo_KeyVersion: The key version number requested in hex.
++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
+ #
+-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
+ #
+-# Event: SECURITY_DOMAIN_UPDATE
+-# - used when updating contents of security domain
+-# (add/remove a subsystem)
++# Event: FULL_CRL_PUBLISHING
++# Description: This event is used when full CRL publishing is complete.
+ # Applicable subsystems: CA
+-# Enabled by default: Yes
+-# ParamNameValPairs must be a name;;value pair
+-# (where name and value are separated by the delimiter ;;)
+-# separated by + (if more than one name;;value pair) of config params changed
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise.
++# - CRLnum:
++# - FailureReason:
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
++LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
+ #
+-# Event: CONFIG_SERIAL_NUMBER
+-# - used when configuring serial number ranges
+-# (when requesting a serial number range when cloning, for example)
+-# Applicable subsystems: CA, KRA
+-# Enabled by default: Yes
+-# ParamNameValPairs must be a name;;value pair
+-# (where name and value are separated by the delimiter ;;)
+-# separated by + (if more than one name;;value pair) of config params changed
++# Event: INTER_BOUNDARY
++# Description: This event is used when inter-CS boundary data transfer is successful.
++# This is used when data does not need to be captured.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - ProtectionMethod: "SSL" or "unknown".
++# - ReqType: The request type.
++# - ReqID: The request ID.
+ #
+-LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
++LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CS boundary communication (data exchange) success
+ #
+-# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
+-# - used when user security data archive request is processed
+-# this is when DRM receives and processed the request
++# Event: KEY_RECOVERY_AGENT_LOGIN
++# Description: This event is used when KRA agents login as recovery agents to approve
++# key recovery requests.
+ # Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# ArchivalRequestID is the requestID provided by the CA through the connector
+-# It is used to track the request through from CA to KRA.
+-# RequestId is the KRA archival request ID
+-# ClientKeyID must be the user supplied client ID associated with
+-# the security data to be archived
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - RecoveryAgent: The recovery agent the KRA agent is
++# logging in with.
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
++LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
+ #
+-# Event: SECURITY_DATA_ARCHIVAL_REQUEST
+-# - used when security data recovery request is made
+-# Applicable subsystems: CA, KRA
+-# Enabled by default: Yes
+-# ArchivalRequestID is the requestID provided by the CA through the connector
+-# It is used to track the request through from CA to KRA.
+-# RequestId is the KRA archival request ID
+-# ClientKeyID must be the user supplied client ID associated with
+-# the security data to be archived
++# Event: KEY_RECOVERY_REQUEST
++# Description: This event is used when key recovery request is made.
++# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - PubKey: The base-64 encoded public key associated with
++# the private key to be recovered.
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
++LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
+ #
+-# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
+-# - used when security data recovery request is processed
++# Event: KEY_STATUS_CHANGE
++# Description: This event is used when modify key status is executed.
+ # Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# RecoveryID must be the recovery request ID
+-# KeyID is the ID of the security data being requested to be recovered
+-# RecoveryAgents are the UIDs of the recovery agents approving this request
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - KeyID: An existing key ID in the database.
++# - OldStatus: The old status to change from.
++# - NewStatus: The new status to change to.
++# - Info:
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
++LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
+ #
+-# Event: SECURITY_DATA_RECOVERY_REQUEST
+-# - used when security data recovery request is made
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# RecoveryID must be the recovery request ID
+-# DataID is the ID of the security data to be recovered
++# Event: LOG_EXPIRATION_CHANGE (disabled)
++# Description: This event is used when log expiration time change is attempted.
++# The ACL should not allow this operation, but make sure it's written after the attempt.
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - LogType: "System", "Transaction", or "SignedAudit".
++# - ExpirationTime: The amount of time (in seconds) that is
++# attempted to be changed to.
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
++#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+ #
+-# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
+-# - used when DRM agents login as recovery agents to change
+-# the state of key recovery requests
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# RecoveryID must be the recovery request ID
+-# Operation is the operation performed (approve, reject, cancel etc.)
++# Event: NON_PROFILE_CERT_REQUEST
++# Description: This event is used when a non-profile certificate request is made (before approval process).
++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID: The UID of user that triggered this event.
++# If CMC enrollment requests signed by an agent, SubjectID should
++# be that of the agent.
++# - Outcome:
++# - CertSubject: The certificate subject name of the certificate request.
++# - ReqID: The certificate request ID.
++# - ServiceID: The identity of the servlet that submitted the original
++# request.
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
++LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
++#
++# Event: OCSP_ADD_CA_REQUEST
++# Description: This event is used when a CA is attempted to be added to the OCSP Responder.
++# Applicable subsystems: OCSP
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - CA: The base-64 encoded PKCS7 certificate (or chain).
++#
++LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
++#
++# Event: OCSP_REMOVE_CA_REQUEST
++# Description: This event is used when a CA is attempted to be removed from the OCSP Responder.
++# Applicable subsystems: OCSP
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - CASubjectDN: The DN ID of the CA.
++#
++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
+ #
+ # Event: SECURITY_DATA_EXPORT_KEY
+-# - used when user attempts to retrieve key after the recovery request
++# Description: This event is used when user attempts to retrieve key after the recovery request
+ # has been approved.
+ # Applicable subsystems: KRA
+ # Enabled by default: No
+-# RecoveryID must be the recovery request ID
+-# KeyID is the key being retrieved
+-# Info is the failure reason if the export fails.
+-# PubKey is the public key for the private key being retrieved
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - RecoveryID: The recovery request ID.
++# - KeyID: The key being retrieved.
++# - Info: The failure reason if the export fails.
++# - PubKey: The public key for the private key being retrieved.
+ #
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
+ #
+ # Event: SECURITY_DATA_INFO
+-# - used when user attempts to get metadata information about a key
++# Description: This event is used when user attempts to get metadata information about a key.
+ # Applicable subsystems: KRA
+ # Enabled by default: No
+-# RecoveryID must be the recovery request ID
+-# KeyID is the key being retrieved
+-# Info is the failure reason if the export fails.
+-# PubKey is the public key for the private key being retrieved
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - KeyID: The key being retrieved.
++# - ClientKeyId:
++# - Info: The failure reason if the export fails.
++# - PubKey: The public key for the private key being retrieved.
+ #
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
+ #
+-# Event: KEY_STATUS_CHANGE
+-# - used when modify key status is executed
+-# Applicable subsystems: KRA
++# Event: TOKEN_AUTH with [Outcome=Failure]
++# Description: This event is used when authentication failed.
++# Applicable subsystems: TPS
+ # Enabled by default: No
+-# keyID must be an existing key id in the database
+-# oldStatus is the old status to change from
+-# newStatus is the new status to change to
+-#
+-LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
+-#
+-# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
+-# - used when symmetric key generation request is processed
+-# this is when DRM receives and processes the request
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# Client ID must be the user supplied client ID associated with
+-# the symmetric key to be generated and archived
+-#
+-LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
+-#
+-# Event: SYMKEY_GENERATION_REQUEST
+-# - used when symmetric key generation request is made
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
+-# ClientKeyID is the ID of the symmetirc key to be generated and archived
+-#
+-LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
+-#
+-# Event: ASYMKEY_GENERATION_REQUEST
+-# - used when asymmetric key generation request is made
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
++# Fields:
++# - SubjectID:
++# - Outcome: Failure
++# (obviously, if authentication failed, you won't have a valid SubjectID, so
++# in this case, AttemptedID is recorded)
++# - IP:
++# - CUID:
++# - MSN:
++# - OP:
++# - 
tokenType:
++# - AppletVersion:
++# - AuthMgr: The authentication manager instance name that did
++# this authentication.
+ #
+-LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
++LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
+ #
+-# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
+-# - used when a request to generate asymmetric keys received by the DRM
+-# is processed.
+-# Applicable subsystems: KRA
+-# Enabled by default: Yes
++# Event: TOKEN_AUTH with [Outcome=Success]
++# Description: This event is used when authentication succeeded.
++# Applicable subsystems: TPS
++# Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome: Success
++# - IP:
++# - CUID:
++# - MSN:
++# - OP:
++# - tokenType:
++# - AppletVersion:
++# - AuthMgr: The authentication manager instance name that did
++# this authentication.
+ #
+-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
++LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success
+ #
+ # Event: TOKEN_CERT_ENROLLMENT
+-# - used for TPS when token certificate enrollment request is made
++# Description: This event is used for TPS when token certificate enrollment request is made.
+ # Applicable subsystems: TPS
+ # Enabled by default: No
+-# - Info is normally used to store more info in case of failure
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - tokenType:
++# - KeyVersion:
++# - Serial:
++# - CA_ID:
++# - Info: Info in case of failure.
+ #
+ LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
+ #
+ # Event: TOKEN_CERT_RENEWAL
+-# - used for TPS when token certificate renewal request is made
++# Description: This event is used for TPS when token certificate renewal request is made.
+ # Applicable subsystems: TPS
+ # Enabled by default: No
+-# - Info is normally used to store more info in case of failure
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - tokenType:
++# - KeyVersion:
++# - Serial:
++# - CA_ID:
++# - Info: Info in case of failure.
+ #
+ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
+ #
+ # Event: TOKEN_CERT_RETRIEVAL
+-# - used for TPS when token certificate retrieval request is made;
+-# usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
++# Description: This event is used for TPS when token certificate retrieval request is made;
++# usually used during recovery, along with TOKEN_KEY_RECOVERY.
+ # Applicable subsystems: TPS
+ # Enabled by default: No
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID:
++# - tokenType:
++# - KeyVersion:
++# - Serial:
++# - CA_ID:
++# - Info:
+ #
+ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
+ #
+-# Event: TOKEN_KEY_RECOVERY
+-# - used for TPS when token certificate key recovery request is made
+-# Applicable subsystems: TPS
+-# Enabled by default: No
+-#
+-LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
+-#
+ # Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
+-# - used when a token certificate status change request (e.g. revocation) is made
++# Description: This event is used when a token certificate status change request (e.g. revocation) is made.
+ # Applicable subsystems: TPS
+ # Enabled by default: No
+-# CUID must be the last token that the certificate was associated with
+-# CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
+-# RequestType must be "revoke", "on-hold", "off-hold"
++# Fields:
++# - SubjectID:
++# - Outcome:
++# - IP:
++# - CUID: The last token that the certificate was associated with.
++# - tokenType:
++# - CertSerialNum: The serial number (in decimal) of the certificate to be revoked.
++# - RequestType: "revoke", "on-hold", "off-hold".
++# - RevokeReasonNum: ++# - CA_ID: ++# - Info: + # + LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made + # +-# Event: TOKEN_PIN_RESET with [Outcome=Success] +-# - used when token pin reset request succeeded +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success +-# +-# Event: TOKEN_PIN_RESET with [Outcome=Failure] +-# - used when token pin reset request failed +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure +-# +-# Event: TOKEN_OP_REQUEST +-# - used when token processor op request is made ++# Event: TOKEN_FORMAT with [Outcome=Failure] ++# Description: This event is used when token format operation failed. + # Applicable subsystems: TPS + # Enabled by default: No +-# - OP can be "format", "enroll", or "pinReset" ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made ++LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure + # + # Event: TOKEN_FORMAT with [Outcome=Success] +-# - used when token format op succeeded ++# Description: This event is used when token format operation succeeded. 
+ # Applicable subsystems: TPS + # Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - KeyVersion: + # + LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=:[AuditEvent=TOKEN_FORMAT]{0} token op format success + # +-# Event: TOKEN_FORMAT with [Outcome=Failure] +-# - used when token format op failed +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure +-# +-# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success] +-# - used when token apple upgrade succeeded +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success +-# +-# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure] +-# - used when token apple upgrade failed +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure +-# +-# Event: TOKEN_KEY_CHANGEOVER_REQUIRED +-# - used when token key changeover is required +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required +-# +-# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success] +-# - used when token key changeover succeeded +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# - Info usually is unused for success +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success +-# +-# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure] +-# - used when token key changeover failed +-# Applicable subsystems: 
TPS +-# Enabled by default: Yes +-# - Info is used for storing more info in case of failure +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure +-# +-# Event: TOKEN_AUTH with [Outcome=Failure] +-# - used when authentication failed ++# Event: TOKEN_KEY_RECOVERY ++# Description: This event is used for TPS when token certificate key recovery request is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# Outcome should always be "failure" in this event +-# (obviously, if authentication failed, you won't have a valid SubjectID, so +-# in this case, AttemptedID is recorded) +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - tokenType: ++# - KeyVersion: ++# - Serial: ++# - CA_ID: ++# - KRA_ID: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made + # +-# Event: TOKEN_AUTH with [Outcome=Success] +-# - used when authentication succeeded ++# Event: TOKEN_OP_REQUEST ++# Description: This event is used when token processor operation request is made. 
+ # Applicable subsystems: TPS + # Enabled by default: No +-# Outcome should always be "success" in this event +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - IP: ++# - CUID: ++# - MSN: ++# - Outcome: ++# - OP: "format", "enroll", or "pinReset" ++# - AppletVersion: + # +-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success ++LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made + # +-# Event: CONFIG_TOKEN_GENERAL +-# - used when doing general TPS configuration ++# Event: TOKEN_PIN_RESET with [Outcome=Failure] ++# Description: This event is used when token pin reset request failed. + # Applicable subsystems: TPS + # Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - IP: ++# - SubjectID: ++# - CUID: ++# - Outcome: ++# - tokenType: ++# - AppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure + # +-# Event: CONFIG_TOKEN_PROFILE +-# - used when configuring token profile ++# Event: TOKEN_PIN_RESET with [Outcome=Success] ++# Description: This event is used when token pin reset request succeeded. 
+ # Applicable subsystems: TPS + # Enabled by default: No +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_MAPPING_RESOLVER +-# - used when configuring token mapping resolver +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_AUTHENTICATOR +-# - used when configuring token authenticators +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# 
+-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_CONNECTOR +-# - used when configuring token connectors +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_RECORD +-# - used when information in token record changed +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - IP: ++# - SubjectID: ++# - CUID: ++# - Outcome: ++# - tokenType: ++# - AppletVersion: ++# - KeyVersion: + # +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success + # + # Event: TOKEN_STATE_CHANGE +-# - used when token state changed ++# Description: This event is used when token 
state changed. + # Applicable subsystems: TPS + # Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - oldState: ++# - oldReason: ++# - newState: ++# - newReason: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. + # + LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed +-# +-# Event: AUTHORITY_CONFIG +-# - used when configuring lightweight authorities +-# Applicable subsystems: CA +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change +-# +-# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] +-# - used when access session failed to establish +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ +-:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} 
access session establish failure +-# +-# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] +-# - used when access session was established successfully +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ +-:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success +-# +-# Event: ACCESS_SESSION_TERMINATED +-# - used when access session was terminated +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ +-:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated +-# +-# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] +-# access session failed to establish when Certificate System acts as client +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ +-:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client +-# +-# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] +-# - used when access session was established successfully when +-# Certificate System acts as client +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ +-:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client +-# +-# Event: CLIENT_ACCESS_SESSION_TERMINATED +-# - used when access session was 
terminated when Certificate System acts as client
+-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+-# Enabled by default: Yes
+-#
+-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
+-:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
+-#
+-#########################################################################
+-# Unselectable Signed Audit Events
+-#
+-# Event: AUDIT_LOG_SIGNING
+-# - used when a signature on the audit log is generated (same as "flush" time)
+-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+-# Enabled by default: Yes
+-# SubjectID is predefined to be "$System$" because this operation
+-# associates with no user
+-# sig must be the base-64 encoded signature of the buffer just flushed
+-#
+-LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
+diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
+index 2face58..9227c27 100644
+--- a/base/tks/shared/conf/CS.cfg
++++ b/base/tks/shared/conf/CS.cfg
+@@ -214,7 +214,7 @@ log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 98d5e29..c289245 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -29,7 +29,6 @@ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+ import java.math.BigInteger;
+-import java.security.cert.X509Certificate;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
+ import java.security.cert.X509Certificate;
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index 97971dd..b3136a0 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -28,7 +28,6 @@ package com.netscape.cms.authentication;
+ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+-import java.security.cert.X509Certificate;
+ import java.math.BigInteger;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 7398891..cc65c78 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -54,34 +54,6 @@ import javax.ws.rs.core.MultivaluedMap;
+ import javax.ws.rs.core.Response;
+ import javax.xml.parsers.ParserConfigurationException;
+
+-import netscape.ldap.LDAPAttribute;
+-import netscape.ldap.LDAPAttributeSet;
+-import netscape.ldap.LDAPConnection;
+-import netscape.ldap.LDAPDN;
+-import netscape.ldap.LDAPEntry;
+-import netscape.ldap.LDAPException;
+-import netscape.ldap.LDAPModification;
+-import netscape.ldap.LDAPSearchConstraints;
+-import netscape.ldap.LDAPSearchResults;
+-import netscape.ldap.LDAPv3;
+-import netscape.security.pkcs.ContentInfo;
+-import netscape.security.pkcs.PKCS10;
+-import netscape.security.pkcs.PKCS12;
+-import netscape.security.pkcs.PKCS12Util;
+-import netscape.security.pkcs.PKCS7;
+-import netscape.security.pkcs.SignerInfo;
+-import netscape.security.util.DerOutputStream;
+-import netscape.security.util.ObjectIdentifier;
+-import netscape.security.x509.AlgorithmId;
+-import netscape.security.x509.BasicConstraintsExtension;
+-import netscape.security.x509.CertificateChain;
+-import netscape.security.x509.Extension;
+-import netscape.security.x509.Extensions;
+-import netscape.security.x509.KeyUsageExtension;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509Key;
+-
+ import org.apache.commons.lang.StringUtils;
+ import org.apache.velocity.context.Context;
+ import org.mozilla.jss.CryptoManager;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+index 338e26b..1cb8a4c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+@@ -138,7 +138,7 @@ public class GetStatus extends CMSServlet {
+ try {
+ inputStream = new FileInputStream(versionFilePathName);
+ String contents = IOUtils.toString(inputStream);
+-
++
+ if(contents != null) {
+ CMS.debug("Returning product version: " + version);
+ version = contents.trim();
+diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
+index 0ae0764..515136b 100644
+--- a/base/server/etc/default.cfg
++++ b/base/server/etc/default.cfg
+@@ -399,11 +399,6 @@ pki_master_crl_enable=True
+ # based on the CMS hostname and port.
+ pki_default_ocsp_uri=
+
+-# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
+-# config is blank. If both are blank, the value is constructed
+-# based on the CMS hostname and port.
+-pki_default_ocsp_uri=
+-
+ # Paths
+ # These are used in the processing of pkispawn and are not supposed
+ # to be overwritten by user configuration files.
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index e0989a9..45af9a0 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -202,20 +202,21 @@ class PKISubsystem(object):
+ def load(self):
+ self.config.clear()
+
+- lines = open(self.cs_conf).read().splitlines()
+-
+- for index, line in enumerate(lines):
+- if not line or line.startswith('#'):
+- continue
+- parts = line.split('=', 1)
+- if len(parts) < 2:
+- raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1))
+- name = parts[0]
+- value = parts[1]
+- self.config[name] = value
+-
+- self.type = self.config['cs.type']
+- self.prefix = self.type.lower()
++ if os.path.exists(self.cs_conf):
++ lines = open(self.cs_conf).read().splitlines()
++
++ for index, line in enumerate(lines):
++ if not line or line.startswith('#'):
++ continue
++ parts = line.split('=', 1)
++ if len(parts) < 2:
++ raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1))
++ name = parts[0]
++ value = parts[1]
++ self.config[name] = value
++
++ self.type = self.config['cs.type']
++ self.prefix = self.type.lower()
+
+ def find_system_certs(self):
+ certs = []
+diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py
+index 9e1cab5..cb71db9 100644
+--- a/base/server/python/pki/server/deployment/pkiconfig.py
++++ b/base/server/python/pki/server/deployment/pkiconfig.py
+@@ -39,9 +39,7 @@ PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+ PKI_DEPLOYMENT_DEFAULT_UID = 17
+ PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
+-PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "RA", "TKS", "TPS"]
+-PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"]
+-PKI_TOMCAT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"]
++PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"]
+ PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra",
+
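Review bot: When `self.cs_conf` does not exist, the new `load()` returns silently after `self.config.clear()` and never assigns `self.type` or `self.prefix`, so a later caller fails with an AttributeError (or, if the object was loaded before, keeps stale values) far from the real cause, and a subsystem whose configuration cannot be read becomes indistinguishable from an empty, valid one. An explicit else branch such as `else: raise Exception('Missing config file: %s' % self.cs_conf)`, or at minimum a logged warning, keeps the failure visible. The rewritten block also still leaves the handle from `open(self.cs_conf).read()` unclosed; `with open(self.cs_conf) as f: lines = f.read().splitlines()` is the idiomatic form and fits the same indentation. Whether `os` is imported in this module is not visible in the hunk.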
"lib", "logs", "ocsp", "temp", "tks", "tps",
+ "webapps", "work"]
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index 77594ec..9b9e1b8 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -914,7 +914,7 @@ class Instance:
+ # Return list of PKI subsystems in the specified tomcat instance
+ rv = []
+ try:
+- for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
++ for subsystem in config.PKI_SUBSYSTEMS:
+ path = os.path.join(
+ self.mdict['pki_instance_path'],
+ subsystem.lower()
+diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+index 4515b55..b35e82c 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+@@ -155,7 +155,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ deployer.security_domain.deregister(None)
+
+ except Exception as e: # pylint: disable=broad-except
+- config.pki_log.error(str(e))
++ config.pki_log.error(log.PKI_OSERROR_1, e,
++ extra=config.PKI_INDENTATION_LEVEL_0)
+ # If it is a normal destroy, pass any exception
+ if not deployer.mdict['pki_force_destroy']:
+ raise
+diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py
+index fb9f754..32b716a 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py
++++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py
+@@ -42,10 +42,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ deployer.directory.create(deployer.mdict['pki_subsystem_log_path'])
+ deployer.directory.create(
+ deployer.mdict['pki_subsystem_archive_log_path'])
+- if deployer.mdict['pki_subsystem']
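Review bot: `PKI_SIGNED_AUDIT_SUBSYSTEMS` and `PKI_TOMCAT_SUBSYSTEMS` are removed from pkiconfig.py outright, so any out-of-tree scriptlet or tool that still references them fails with an AttributeError at import or first use; the in-tree users in pkihelper.py and subsystem_layout.py are updated in the following hunks, but nothing else is visible here. If compatibility matters, keep them as aliases, `PKI_SIGNED_AUDIT_SUBSYSTEMS = PKI_SUBSYSTEMS  # deprecated, use PKI_SUBSYSTEMS` and likewise for the Tomcat list. Dropping "RA" from `PKI_SUBSYSTEMS` also changes the result for every caller that iterates the list, which deserves a mention in the patch description.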
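Review bot: The new log call in initialization.py reports every exception from `deregister(None)` through `log.PKI_OSERROR_1`, which by its name appears to be an OS-error template, so a network or HTTP failure from the security-domain call would presumably be labelled as an OS error. Because the handler is already a deliberate `broad-except` and the re-raise is suppressed when `pki_force_destroy` is set, consider a neutral message and `exc_info=True` so the traceback is preserved in the log, e.g. `config.pki_log.error('Unable to deregister from security domain: %s', e, exc_info=True, extra=config.PKI_INDENTATION_LEVEL_0)`. Also confirm that `log` is imported in this module; the import is outside the hunk.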
in \
+- config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+- deployer.directory.create(
+- deployer.mdict['pki_subsystem_signed_audit_log_path'])
++
++ deployer.directory.create(
++ deployer.mdict['pki_subsystem_signed_audit_log_path'])
+
+ # create /var/lib/pki///conf
+ deployer.directory.create(
+@@ -127,10 +126,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ # remove instance-based subsystem logs only if --remove-logs flag is specified
+ if deployer.mdict['pki_remove_logs']:
+- if deployer.mdict['pki_subsystem'] in \
+- config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+- deployer.directory.delete(
+- deployer.mdict['pki_subsystem_signed_audit_log_path'])
++ deployer.directory.delete(
++ deployer.mdict['pki_subsystem_signed_audit_log_path'])
+ deployer.directory.delete(
+ deployer.mdict['pki_subsystem_archive_log_path'])
+ deployer.directory.delete(
+diff --git a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
+deleted file mode 100755
+index b7d5c0e..0000000
+--- a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
++++ /dev/null
+@@ -1,62 +0,0 @@
+-#!/usr/bin/python
+-# Authors:
+-# Endi S. Dewata
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; version 2 of the License.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License along
+-# with this program; if not, write to the Free Software Foundation, Inc.,
+-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+-#
+-# Copyright (C) 2017 Red Hat, Inc.
+-# All rights reserved.
+-#
+-
+-from __future__ import absolute_import
+-import os
+-from lxml import etree
+-
+-import pki
+-
+-
+-class UpdateAJPLoopbackAddress(
+- pki.server.upgrade.PKIServerUpgradeScriptlet):
+-
+- def __init__(self):
+- super(UpdateAJPLoopbackAddress, self).__init__()
+- self.message = 'Update AJP loopback address'
+-
+- self.parser = etree.XMLParser(remove_blank_text=True)
+-
+- def upgrade_instance(self, instance):
+-
+- server_xml = os.path.join(instance.conf_dir, 'server.xml')
+- self.backup(server_xml)
+-
+- document = etree.parse(server_xml, self.parser)
+-
+- server = document.getroot()
+- connectors = server.findall('.//Connector')
+-
+- # replace IPv4- or IPv6-specific AJP loopback address with localhost
+- for connector in connectors:
+-
+- protocol = connector.get('protocol')
+- if protocol != 'AJP/1.3':
+- continue
+-
+- address = connector.get('address')
+- if address != '127.0.0.1' and address != '::1':
+- continue
+-
+- connector.set('address', 'localhost')
+-
+- with open(server_xml, 'wb') as f:
+- document.write(f, pretty_print=True, encoding='utf-8')
diff --git a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch
new file mode 100644
index 0000000..9fbf423
--- /dev/null
+++ b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch
@@ -0,0 +1,13020 @@ +From f06a4c36834fae773da8ed429d0a91fbcda8d6aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 31 Oct 2018 21:56:14 +0100 +Subject: [PATCH 01/26] Updated upgrade framework + +The upgrade framework has been updated to match PKI 10.6 +which no longer requires an upgrade folder for each +upgradable version. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit b4e5de9d618b57868be8b8d9a49d574ea58a7d40) +--- + base/common/python/pki/upgrade.py | 118 +++++++-------------- + base/common/python/pki/util.py | 86 ++++++++++++++- + base/common/sbin/pki-upgrade | 3 +- + .../python/pki/server/deployment/pkiparser.py | 4 +- + base/server/python/pki/server/upgrade.py | 10 ++ + base/server/sbin/pki-server-upgrade | 19 +++- + 6 files changed, 152 insertions(+), 88 deletions(-) + +diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py +index 3106c70..c2d217f 100644 +--- a/base/common/python/pki/upgrade.py ++++ b/base/common/python/pki/upgrade.py +@@ -22,8 +22,8 @@ + from __future__ import absolute_import + from __future__ import print_function + import functools ++import logging + import os +-import re + import shutil + import traceback + +@@ -36,70 +36,9 @@ DEFAULT_VERSION = '10.0.0' + UPGRADE_DIR = pki.SHARE_DIR + '/upgrade' + BACKUP_DIR = pki.LOG_DIR + '/upgrade' + SYSTEM_TRACKER = pki.CONF_DIR + '/pki.version' +-verbose = False +- +- +-@functools.total_ordering +-class Version(object): +- +- def __init__(self, obj): +- +- if isinstance(obj, str): +- +- # parse - +- pos = obj.find('-') +- +- if pos > 0: +- self.version = obj[0:pos] +- elif pos < 0: +- self.version = obj +- else: +- raise Exception('Invalid version number: ' + obj) +- +- # parse .. 
+- match = re.match(r'^(\d+)\.(\d+)\.(\d+)$', self.version) +- +- if match is None: +- raise Exception('Invalid version number: ' + self.version) +- +- self.major = int(match.group(1)) +- self.minor = int(match.group(2)) +- self.patch = int(match.group(3)) +- +- elif isinstance(obj, Version): +- +- self.major = obj.major +- self.minor = obj.minor +- self.patch = obj.patch +- +- else: +- raise Exception('Unsupported version type: ' + str(type(obj))) +- +- # release is ignored in comparisons +- def __eq__(self, other): +- return (self.major == other.major and +- self.minor == other.minor and +- self.patch == other.patch) +- +- def __lt__(self, other): +- if self.major < other.major: +- return True + +- if self.major == other.major and self.minor < other.minor: +- return True +- +- if (self.major == other.major and +- self.minor == other.minor and +- self.patch < other.patch): +- return True +- +- return False +- +- # not hashable +- __hash__ = None +- +- def __repr__(self): +- return self.version ++logger = logging.getLogger(__name__) ++verbose = False + + + class PKIUpgradeTracker(object): +@@ -203,9 +142,9 @@ class PKIUpgradeTracker(object): + + version = self.properties.get(self.version_key) + if version: +- return Version(version) ++ return pki.util.Version(version) + +- return Version(DEFAULT_VERSION) ++ return pki.util.Version(DEFAULT_VERSION) + + def set_version(self, version): + +@@ -479,7 +418,7 @@ class PKIUpgrader(object): + + if os.path.exists(self.upgrade_dir): + for version in os.listdir(self.upgrade_dir): +- version = Version(version) ++ version = pki.util.Version(version) + all_versions.append(version) + + all_versions.sort() +@@ -489,25 +428,46 @@ class PKIUpgrader(object): + def versions(self): + + current_version = self.get_current_version() ++ logger.debug('Current version: %s', current_version) ++ + target_version = self.get_target_version() ++ logger.debug('Target version: %s', target_version) + +- current_versions = [] ++ upgrade_path = [] + + 
for version in self.all_versions(): + +- # skip old versions +- if version >= current_version: +- current_versions.append(version) ++ # skip older versions ++ if version < current_version: ++ continue ++ ++ # skip newer versions ++ if version > target_version: ++ continue ++ ++ upgrade_path.append(version) + +- current_versions.sort() ++ upgrade_path.sort() ++ ++ # start from current version ++ if not upgrade_path or upgrade_path[0] != current_version: ++ upgrade_path.insert(0, current_version) ++ ++ # stop at target version ++ if not upgrade_path or upgrade_path[-1] != target_version: ++ upgrade_path.append(target_version) ++ ++ logger.debug('Upgrade path:') ++ for version in upgrade_path: ++ logger.debug(' - %s', version) + + versions = [] + +- for index, version in enumerate(current_versions): ++ for index, version in enumerate(upgrade_path): + + # link versions +- if index < len(current_versions) - 1: +- version.next = current_versions[index + 1] ++ if index < len(upgrade_path) - 1: ++ version.next = upgrade_path[index + 1] + else: + version.next = target_version + +@@ -587,7 +547,7 @@ class PKIUpgrader(object): + return tracker.get_version() + + def get_target_version(self): +- return Version(pki.implementation_version()) ++ return pki.util.Version(pki.implementation_version()) + + def is_complete(self): + +@@ -632,9 +592,6 @@ class PKIUpgrader(object): + scriptlet.init() + scriptlet.upgrade() + +- except pki.PKIException: +- raise +- + except Exception as e: # pylint: disable=W0703 + + print() +@@ -699,9 +656,6 @@ class PKIUpgrader(object): + try: + scriptlet.revert() + +- except pki.PKIException: +- raise +- + except Exception as e: # pylint: disable=W0703 + + print() +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 871c899..65a861f 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -24,7 +24,9 @@ Module containing utility functions and classes for the Dogtag python code + + + from 
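Review bot: `versions()` builds the upgrade path with no check that `current_version <= target_version`; when the tracker is ahead of the installed package (a downgrade, or a value written by hand with `--set-tracker`) the loop skips every version and `upgrade_path` becomes `[current_version, target_version]` in reverse order, which is then linked and run like a normal upgrade. A guard before the loop, e.g. `if current_version > target_version: raise Exception('Current version %s is newer than target version %s' % (current_version, target_version))`, would make that case fail loudly. Also, since `target_version` is now always the last element, the `else` branch of the linking loop sets `target_version.next = target_version`; harmless as far as is visible, but worth a comment. The rest of `versions()` runs past the hunk.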
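Review bot: Dropping the `except pki.PKIException: raise` clause in the `@@ -632,9 +592,6 @@` hunk (and likewise in `@@ -699,9 +656,6 @@` for revert) means a `PKIException` raised by a scriptlet is now caught by the general `except Exception` handler that follows, so it is reported and handled like an unexpected error instead of propagating to the caller. If that is intended the commit message should say so, because callers such as `pki-server-upgrade` still carry an `except pki.PKIException as e` branch; if not, keep the re-raise. The handler body continues outside the hunk.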
__future__ import absolute_import ++import functools + import os ++import re + import shutil + from shutil import Error + try: +@@ -32,6 +34,7 @@ try: + except ImportError: + WindowsError = None + ++import six + import subprocess + + DEFAULT_PKI_ENV_LIST = [ +@@ -124,11 +127,14 @@ def copydirs(source, dest): + + def chown(path, uid, gid): + """ +- Change ownership of a folder and its contents. ++ Change ownership of a file or folder recursively. + """ + + os.chown(path, uid, gid) + ++ if not os.path.isdir(path): ++ return ++ + for item in os.listdir(path): + itempath = os.path.join(path, item) + +@@ -138,6 +144,25 @@ def chown(path, uid, gid): + chown(itempath, uid, gid) + + ++def chmod(path, perms): ++ """ ++ Change permissions of a file or folder recursively. ++ """ ++ ++ os.chmod(path, perms) ++ ++ if not os.path.isdir(path): ++ return ++ ++ for item in os.listdir(path): ++ itempath = os.path.join(path, item) ++ ++ if os.path.isfile(itempath): ++ os.chmod(itempath, perms) ++ elif os.path.isdir(itempath): ++ chmod(itempath, perms) ++ ++ + def customize_file(input_file, output_file, params): + """ + Customize a file with specified parameters. 
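Review bot: The new `chmod()` (and the `chown()` it mirrors in `@@ -124,11 +127,14 @@`) follows symlinks: `os.chmod`/`os.chown` on a link, and `os.path.isfile`/`os.path.isdir` on `itempath`, all resolve the link, so a symlink inside the tree — stale or otherwise — redirects the permission or ownership change to its target outside the tree. Skip links explicitly, e.g. `if os.path.islink(itempath): continue` before the `isfile`/`isdir` checks, and apply the change to the top-level `path` only when it is not a link (or pass `follow_symlinks=False` where the platform supports it). This matters most when the helper runs as root over instance directories; the callers are not visible here, so confirm how it is used.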
+@@ -275,3 +300,62 @@ def read_environment_files(env_file_list=None): + if not key.strip() or key == u'_': + continue + os.environ[key] = value ++ ++ ++@functools.total_ordering ++class Version(object): ++ ++ def __init__(self, obj): ++ ++ if isinstance(obj, six.string_types): ++ ++ # parse ..[] ++ match = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj) ++ ++ if match is None: ++ raise Exception('Unable to parse version number: %s' % obj) ++ ++ self.major = int(match.group(1)) ++ self.minor = int(match.group(2)) ++ self.patch = int(match.group(3)) ++ ++ elif isinstance(obj, Version): ++ ++ self.major = obj.major ++ self.minor = obj.minor ++ self.patch = obj.patch ++ ++ else: ++ raise Exception('Unsupported version type: %s' % type(obj)) ++ ++ # release is ignored in comparisons ++ def __eq__(self, other): ++ return (self.major == other.major and ++ self.minor == other.minor and ++ self.patch == other.patch) ++ ++ def __ne__(self, other): ++ return not self.__eq__(other) ++ ++ def __lt__(self, other): ++ if self.major < other.major: ++ return True ++ ++ if self.major == other.major and self.minor < other.minor: ++ return True ++ ++ if (self.major == other.major and ++ self.minor == other.minor and ++ self.patch < other.patch): ++ return True ++ ++ return False ++ ++ def __gt__(self, other): ++ return not self.__lt__(other) and not self.__eq__(other) ++ ++ # not hashable ++ __hash__ = None ++ ++ def __repr__(self): ++ return '%d.%d.%d' % (self.major, self.minor, self.patch) +diff --git a/base/common/sbin/pki-upgrade b/base/common/sbin/pki-upgrade +index 1833de8..b6bf930 100755 +--- a/base/common/sbin/pki-upgrade ++++ b/base/common/sbin/pki-upgrade +@@ -26,6 +26,7 @@ import signal + import sys + + import pki ++import pki.util + import pki.upgrade + + # pylint: disable=W0613 +@@ -113,7 +114,7 @@ def main(argv): + reset_tracker = True + + elif o == '--set-tracker': +- tracker_version = pki.upgrade.Version(a) ++ tracker_version = pki.util.Version(a) + + elif o in ('-v', 
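Review bot: The parsing regex in `Version.__init__` is anchored only at the start, so any string beginning with three dotted integers is accepted and everything after the patch number is silently discarded (`'10.6.0-1'`, but equally `'10.6.0garbage'`), whereas the old class rejected anything but a `-` separated release suffix. If the suffix is meant to be a release qualifier (the comment's placeholders were lost in rendering), make the boundary explicit, e.g. `r'^(\d+)\.(\d+)\.(\d+)(?:[.-]|$)'`, and keep the original string so `__repr__` can show it instead of rebuilding `'%d.%d.%d'` from the parts. Separately, `__eq__` and `__lt__` raise `AttributeError` on a non-`Version` operand; returning `NotImplemented` there would give callers a clearer error.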
'--verbose'): + pki.upgrade.verbose = True +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 2ea7319..8971bb5 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -40,7 +40,7 @@ from six.moves.urllib.parse import urlparse # pylint: disable=F0401,E0611 + + # PKI Imports + import pki +-import pki.upgrade ++import pki.util + import pki.account + import pki.client + import pki.system +@@ -337,7 +337,7 @@ class PKIConfigParser: + default_http_port = '8080' + default_https_port = '8443' + +- application_version = str(pki.upgrade.Version( ++ application_version = str(pki.util.Version( + pki.implementation_version())) + + self.deployer.main_config = configparser.SafeConfigParser({ +diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py +index 926c683..e636b8a 100644 +--- a/base/server/python/pki/server/upgrade.py ++++ b/base/server/python/pki/server/upgrade.py +@@ -20,6 +20,7 @@ + + from __future__ import absolute_import + from __future__ import print_function ++import logging + import os + import traceback + +@@ -35,6 +36,8 @@ BACKUP_DIR = pki.LOG_DIR + '/server/upgrade' + INSTANCE_TRACKER = '%s/tomcat.conf' + SUBSYSTEM_TRACKER = '%s/CS.cfg' + ++logger = logging.getLogger(__name__) ++ + + class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + +@@ -65,8 +68,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + tracker.set_version(self.version.next) + + def upgrade(self): ++ + for instance in self.upgrader.instances(): + ++ logger.info('Upgrading %s instance', instance.name) ++ + self.upgrade_subsystems(instance) + + # If upgrading a specific subsystem don't upgrade the instance. 
+@@ -81,6 +87,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + try: + if verbose: + print('Upgrading ' + str(instance) + ' instance.') ++ + self.upgrade_instance(instance) + self.update_server_tracker(instance) + +@@ -106,8 +113,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + 'Upgrade failed in %s: %s' % (instance, e), e, instance) + + def upgrade_subsystems(self, instance): ++ + for subsystem in self.upgrader.subsystems(instance): + ++ logger.info('Upgrading %s subsystem', subsystem.name) ++ + if not self.can_upgrade_server(instance, subsystem): + if verbose: + print('Skipping ' + str(subsystem) + ' subsystem.') +diff --git a/base/server/sbin/pki-server-upgrade b/base/server/sbin/pki-server-upgrade +index 73e0e4a..932f1c5 100755 +--- a/base/server/sbin/pki-server-upgrade ++++ b/base/server/sbin/pki-server-upgrade +@@ -22,6 +22,7 @@ + from __future__ import absolute_import + from __future__ import print_function + import getopt ++import logging + import signal + import sys + +@@ -29,6 +30,8 @@ import pki + import pki.upgrade + import pki.server.upgrade + ++logger = logging.getLogger('pki.server.cli.upgrade') ++ + + # pylint: disable=W0613 + def interrupt_handler(event, frame): +@@ -71,13 +74,15 @@ def main(argv): + + signal.signal(signal.SIGINT, interrupt_handler) + ++ logging.basicConfig(format='%(levelname)s: %(message)s') ++ + try: + opts, _ = getopt.getopt(argv[1:], 'hi:s:t:vX', [ + 'instance=', 'subsystem=', 'instance-type=', + 'scriptlet-version=', 'scriptlet-index=', + 'silent', 'status', 'revert', + 'remove-tracker', 'reset-tracker', 'set-tracker=', +- 'verbose', 'help']) ++ 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) +@@ -132,10 +137,14 @@ def main(argv): + reset_tracker = True + + elif o == '--set-tracker': +- tracker_version = pki.upgrade.Version(a) ++ tracker_version = pki.util.Version(a) + + elif o in ('-v', '--verbose'): + pki.upgrade.verbose = True ++ 
logging.getLogger().setLevel(logging.INFO) ++ ++ elif o == '--debug': ++ logging.getLogger().setLevel(logging.DEBUG) + + elif o in ('-h', '--help'): + usage() +@@ -171,21 +180,27 @@ def main(argv): + silent=silent) + + if status: ++ logger.info('Getting PKI server upgrade status') + upgrader.status() + + elif revert: ++ logger.info('Reverting PKI server last upgrade') + upgrader.revert() + + elif remove_tracker: ++ logger.info('Removing PKI server upgrade tracker') + upgrader.remove_tracker() + + elif reset_tracker: ++ logger.info('Resetting PKI server upgrade tracker') + upgrader.reset_tracker() + + elif tracker_version is not None: ++ logger.info('Setting PKI server upgrade tracker') + upgrader.set_tracker(tracker_version) + + else: ++ logger.info('Upgrading PKI server') + upgrader.upgrade() + + except pki.PKIException as e: +-- +1.8.3.1 + + +From a7e4a037ed99dfc44de67dd4396627d452c34355 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 31 Oct 2018 22:57:17 +0100 +Subject: [PATCH 02/26] Removed empty upgrade folders + +The empty upgrade folders have been removed since they +are no longer necessary for upgrades. 
+ +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 42f14ef88deb25336563a23c67fb2ad3a3a8aa3c) +--- + base/common/upgrade/10.0.0/.gitignore | 4 ---- + base/common/upgrade/10.0.2/.gitignore | 4 ---- + base/common/upgrade/10.0.4/.gitignore | 4 ---- + base/common/upgrade/10.0.5/.gitignore | 4 ---- + base/common/upgrade/10.0.6/.gitignore | 4 ---- + base/common/upgrade/10.1.0/.gitignore | 4 ---- + base/common/upgrade/10.1.1/.gitignore | 4 ---- + base/common/upgrade/10.1.2/.gitignore | 4 ---- + base/common/upgrade/10.1.99/.gitignore | 4 ---- + base/common/upgrade/10.2.0/.gitignore | 4 ---- + base/common/upgrade/10.2.1/.gitignore | 4 ---- + base/common/upgrade/10.2.2/.gitignore | 4 ---- + base/common/upgrade/10.2.3/.gitignore | 4 ---- + base/common/upgrade/10.2.4/.gitignore | 0 + base/common/upgrade/10.2.5/.gitignore | 4 ---- + base/common/upgrade/10.2.6/.gitignore | 4 ---- + base/common/upgrade/10.3.0/.gitignore | 4 ---- + base/common/upgrade/10.3.1/.gitignore | 4 ---- + base/common/upgrade/10.3.2/.gitignore | 4 ---- + base/common/upgrade/10.3.3/.gitignore | 4 ---- + base/common/upgrade/10.3.4/.gitignore | 4 ---- + base/common/upgrade/10.3.5/.gitignore | 4 ---- + base/common/upgrade/10.4.0/.gitignore | 4 ---- + base/common/upgrade/10.4.1/.gitignore | 4 ---- + base/common/upgrade/10.4.2/.gitignore | 4 ---- + base/common/upgrade/10.4.3/.gitignore | 4 ---- + base/common/upgrade/10.4.4/.gitignore | 4 ---- + base/common/upgrade/10.4.5/.gitignore | 4 ---- + base/common/upgrade/10.4.6/.gitignore | 4 ---- + base/server/upgrade/10.0.0/.gitignore | 4 ---- + base/server/upgrade/10.0.2/.gitignore | 4 ---- + base/server/upgrade/10.0.3/.gitignore | 4 ---- + base/server/upgrade/10.0.4/.gitignore | 4 ---- + base/server/upgrade/10.0.6/.gitignore | 4 ---- + base/server/upgrade/10.1.0/.gitignore | 4 ---- + base/server/upgrade/10.1.2/.gitignore | 4 ---- + base/server/upgrade/10.2.0/.gitignore | 4 ---- + base/server/upgrade/10.3.1/.gitignore | 4 ---- + 
base/server/upgrade/10.3.2/.gitignore | 4 ---- + base/server/upgrade/10.3.4/.gitignore | 4 ---- + base/server/upgrade/10.4.1/.gitignore | 4 ---- + base/server/upgrade/10.4.3/.gitignore | 4 ---- + base/server/upgrade/10.4.4/.gitignore | 4 ---- + base/server/upgrade/10.4.5/.gitignore | 4 ---- + base/server/upgrade/10.5.1/.gitignore | 4 ---- + 45 files changed, 176 deletions(-) + delete mode 100644 base/common/upgrade/10.0.0/.gitignore + delete mode 100644 base/common/upgrade/10.0.2/.gitignore + delete mode 100644 base/common/upgrade/10.0.4/.gitignore + delete mode 100644 base/common/upgrade/10.0.5/.gitignore + delete mode 100644 base/common/upgrade/10.0.6/.gitignore + delete mode 100644 base/common/upgrade/10.1.0/.gitignore + delete mode 100644 base/common/upgrade/10.1.1/.gitignore + delete mode 100644 base/common/upgrade/10.1.2/.gitignore + delete mode 100644 base/common/upgrade/10.1.99/.gitignore + delete mode 100644 base/common/upgrade/10.2.0/.gitignore + delete mode 100644 base/common/upgrade/10.2.1/.gitignore + delete mode 100644 base/common/upgrade/10.2.2/.gitignore + delete mode 100644 base/common/upgrade/10.2.3/.gitignore + delete mode 100644 base/common/upgrade/10.2.4/.gitignore + delete mode 100644 base/common/upgrade/10.2.5/.gitignore + delete mode 100644 base/common/upgrade/10.2.6/.gitignore + delete mode 100644 base/common/upgrade/10.3.0/.gitignore + delete mode 100644 base/common/upgrade/10.3.1/.gitignore + delete mode 100644 base/common/upgrade/10.3.2/.gitignore + delete mode 100644 base/common/upgrade/10.3.3/.gitignore + delete mode 100644 base/common/upgrade/10.3.4/.gitignore + delete mode 100644 base/common/upgrade/10.3.5/.gitignore + delete mode 100644 base/common/upgrade/10.4.0/.gitignore + delete mode 100644 base/common/upgrade/10.4.1/.gitignore + delete mode 100644 base/common/upgrade/10.4.2/.gitignore + delete mode 100644 base/common/upgrade/10.4.3/.gitignore + delete mode 100644 base/common/upgrade/10.4.4/.gitignore + delete mode 100644 
base/common/upgrade/10.4.5/.gitignore + delete mode 100644 base/common/upgrade/10.4.6/.gitignore + delete mode 100644 base/server/upgrade/10.0.0/.gitignore + delete mode 100644 base/server/upgrade/10.0.2/.gitignore + delete mode 100644 base/server/upgrade/10.0.3/.gitignore + delete mode 100644 base/server/upgrade/10.0.4/.gitignore + delete mode 100644 base/server/upgrade/10.0.6/.gitignore + delete mode 100644 base/server/upgrade/10.1.0/.gitignore + delete mode 100644 base/server/upgrade/10.1.2/.gitignore + delete mode 100644 base/server/upgrade/10.2.0/.gitignore + delete mode 100644 base/server/upgrade/10.3.1/.gitignore + delete mode 100644 base/server/upgrade/10.3.2/.gitignore + delete mode 100644 base/server/upgrade/10.3.4/.gitignore + delete mode 100644 base/server/upgrade/10.4.1/.gitignore + delete mode 100644 base/server/upgrade/10.4.3/.gitignore + delete mode 100644 base/server/upgrade/10.4.4/.gitignore + delete mode 100644 base/server/upgrade/10.4.5/.gitignore + delete mode 100644 base/server/upgrade/10.5.1/.gitignore + +diff --git a/base/common/upgrade/10.0.0/.gitignore b/base/common/upgrade/10.0.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.2/.gitignore b/base/common/upgrade/10.0.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.4/.gitignore b/base/common/upgrade/10.0.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.5/.gitignore 
b/base/common/upgrade/10.0.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.0/.gitignore b/base/common/upgrade/10.1.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.1/.gitignore b/base/common/upgrade/10.1.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.2/.gitignore b/base/common/upgrade/10.1.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.99/.gitignore b/base/common/upgrade/10.1.99/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.99/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.0/.gitignore b/base/common/upgrade/10.2.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory 
+-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.1/.gitignore b/base/common/upgrade/10.2.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.2/.gitignore b/base/common/upgrade/10.2.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.3/.gitignore b/base/common/upgrade/10.2.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.4/.gitignore b/base/common/upgrade/10.2.4/.gitignore +deleted file mode 100644 +index e69de29..0000000 +diff --git a/base/common/upgrade/10.2.5/.gitignore b/base/common/upgrade/10.2.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.6/.gitignore b/base/common/upgrade/10.2.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.0/.gitignore b/base/common/upgrade/10.3.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git 
a/base/common/upgrade/10.3.1/.gitignore b/base/common/upgrade/10.3.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.2/.gitignore b/base/common/upgrade/10.3.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.3/.gitignore b/base/common/upgrade/10.3.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.0/.gitignore b/base/common/upgrade/10.4.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# 
Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.0/.gitignore b/base/server/upgrade/10.0.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.2/.gitignore b/base/server/upgrade/10.0.2/.gitignore +deleted file mode 100644 +index 
5e7d273..0000000 +--- a/base/server/upgrade/10.0.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.3/.gitignore b/base/server/upgrade/10.0.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.1.0/.gitignore b/base/server/upgrade/10.1.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.1.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.1.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.2.0/.gitignore b/base/server/upgrade/10.2.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.2.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git 
a/base/server/upgrade/10.3.1/.gitignore b/base/server/upgrade/10.3.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.3.2/.gitignore b/base/server/upgrade/10.3.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# 
Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.5.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +-- +1.8.3.1 + + +From 8bdcb3dcb6d304604dc68e44917847b71724cde5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Nov 2018 04:34:50 +0100 +Subject: [PATCH 03/26] Updated pki-server -audit-event-find + +The pki-server -audit-event-find has been modified +to support searching all events, enabled events, and disabled +events. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 1d7b48538cc6ede7780489cc22bc631caffebe04) +--- + base/server/python/pki/server/__init__.py | 95 ++++++++++++++++++++++++++++--- + 1 file changed, 88 insertions(+), 7 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index b5180f0..ace98f3 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -428,24 +428,105 @@ class PKISubsystem(object): + + def find_audit_events(self, enabled=None): + +- if not enabled: +- raise Exception('This operation is not yet supported. 
Specify --enabled True.') +- + events = [] + +- names = self.config['log.instance.SignedAudit.events'].split(',') +- names = list(map(str.strip, names)) +- names.sort() ++ # get enabled events ++ enabled_event_names = self.get_enabled_audit_events() ++ ++ if enabled is None: ++ # get all events ++ names = self.get_audit_events() ++ ++ elif enabled: # enabled == True ++ # get enabled events ++ names = enabled_event_names ++ ++ else: # enabled == False ++ # get all events ++ all_event_names = self.get_audit_events() ++ ++ # get disabled events by subtracting enabled events from all events ++ names = sorted(set(all_event_names) - set(enabled_event_names)) + ++ # get event properties + for name in names: + event = {} + event['name'] = name +- event['enabled'] = True ++ event['enabled'] = name in enabled_event_names + event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) + events.append(event) + + return events + ++ def get_audit_events(self): ++ ++ # get the full list of audit events from LogMessages.properties ++ ++ properties = {} ++ tmpdir = tempfile.mkdtemp() ++ ++ try: ++ # export LogMessages.properties from cmsbundle.jar ++ cmsbundle_jar = \ ++ '/usr/share/pki/%s/webapps/%s/WEB-INF/lib/pki-cmsbundle.jar' \ ++ % (self.name, self.name) ++ ++ cmd = [ ++ 'jar', ++ 'xf', ++ cmsbundle_jar, ++ 'LogMessages.properties' ++ ] ++ ++ logger.debug('Command: %s', ' '.join(cmd)) ++ ++ subprocess.check_output( ++ cmd, ++ cwd=tmpdir, ++ stderr=subprocess.STDOUT) ++ ++ # load LogMessages.properties ++ log_messages_properties = os.path.join(tmpdir, 'LogMessages.properties') ++ pki.util.load_properties(log_messages_properties, properties) ++ ++ finally: ++ shutil.rmtree(tmpdir) ++ ++ # get audit events ++ events = set() ++ name_pattern = re.compile(r'LOGGING_SIGNED_AUDIT_') ++ value_pattern = re.compile(r':') ++ ++ for name in properties: ++ ++ name_match = name_pattern.match(name) ++ if not name_match: ++ continue ++ ++ value = properties[name] ++ ++ 
value_match = value_pattern.match(value) ++ if not value_match: ++ continue ++ ++ event = value_match.group(1) ++ events.add(event) ++ ++ return sorted(events) ++ ++ def get_enabled_audit_events(self): ++ ++ # parse enabled audit events ++ value = self.config['log.instance.SignedAudit.events'] ++ event_list = value.replace(' ', '').split(',') ++ ++ # remove duplicates ++ events = set() ++ for event in event_list: ++ events.add(event) ++ ++ return sorted(events) ++ + def get_audit_log_dir(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] +-- +1.8.3.1 + + +From bcc43b903a67a88c254240840e885407e7c51f3c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 7 Nov 2018 16:53:57 +0100 +Subject: [PATCH 04/26] Updated pki.util.load_properties() + +The pki.util.load_properties() has been modified to support +multi-line property value. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 618c5aec2cf1f16bcf30e676d3ed1f84722a32e3) +--- + base/common/python/pki/util.py | 38 +++++++++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 9 deletions(-) + +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 65a861f..a5d220f 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -180,22 +180,42 @@ def load_properties(filename, properties): + with open(filename) as f: + + lines = f.read().splitlines() ++ name = None ++ multi_line = False + + for index, line in enumerate(lines): + +- line = line.strip() ++ if multi_line: ++ # append line to previous property + +- if not line or line.startswith('#'): +- continue ++ value = properties[name] ++ value = value + line + +- parts = line.split('=', 1) ++ else: ++ # parse line for new property ++ ++ line = line.lstrip() ++ if not line or line.startswith('#'): ++ continue ++ ++ parts = line.split('=', 1) ++ if len(parts) < 2: ++ raise Exception('Missing delimiter in %s line %d' % ++ (filename, index + 1)) + +- if 
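Review bot: `get_enabled_audit_events` turns an empty `log.instance.SignedAudit.events` value into `['']`, so `find_audit_events(enabled=True)` reports a phantom event named `''` (enabled, filter None) on an instance that has every event switched off; filtering empties, `events = set(e for e in value.replace(' ', '').split(',') if e)`, and reading the key with `self.config.get(..., '')` rather than `self.config[...]` would make the helper safe for both the empty and the absent case. In `get_audit_events`, a `jar xf` whose archive has no `LogMessages.properties` entry still exits 0, so the failure surfaces later as an IOError naming a throwaway temp path; an `os.path.exists(log_messages_properties)` check that raises with `cmsbundle_jar` in the message would give operators a usable error. As rendered here, `value_pattern = re.compile(r':')` has no capture group and `match()` anchors at the start of the value, so `value_match.group(1)` would raise IndexError on the first matching property; if the pattern originally contained angle-bracketed text that this rendering dropped, disregard this, otherwise the group around the event type is missing.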
len(parts) < 2: +- raise Exception('Missing delimiter in %s line %d' % +- (filename, index + 1)) ++ name = parts[0].rstrip() ++ value = parts[1].lstrip() ++ ++ # check if the value is multi-line ++ if value.endswith('\\'): ++ value = value[:-1] ++ multi_line = True ++ ++ else: ++ value = value.rstrip() ++ multi_line = False + +- name = parts[0].strip() +- value = parts[1].strip() ++ # store value in properties + properties[name] = value + + +-- +1.8.3.1 + + +From 68427be67b3b5cf1c55b2ffe5eefd37f45dd8cab Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 9 Nov 2018 16:34:14 +0100 +Subject: [PATCH 05/26] Added audit event management tools + +The pki-server -audit-* commands have been backported +to PKI 10.5. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit adc316972072789b12ab2c2feb391bbdb01768d5) +--- + base/server/python/pki/server/__init__.py | 83 +++- + base/server/python/pki/server/cli/audit.py | 587 ++++++++++++++++++++++++++++- + 2 files changed, 662 insertions(+), 8 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index ace98f3..6cbda2f 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -426,7 +426,65 @@ class PKISubsystem(object): + + pki.util.customize_file(input_file, output_file, params) + +- def find_audit_events(self, enabled=None): ++ def enable_audit_event(self, event_name): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ value = self.config['log.instance.SignedAudit.events'] ++ events = set(value.replace(' ', '').split(',')) ++ ++ if event_name in events: ++ return False ++ ++ events.add(event_name) ++ event_list = ','.join(sorted(events)) ++ self.config['log.instance.SignedAudit.events'] = event_list ++ ++ return True ++ ++ 
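Review bot: Continuation lines are appended verbatim (`value = value + line`), so the leading indentation of every continued line becomes part of the stored value, whereas Java's Properties.load, the consumer of files like `LogMessages.properties`, discards it; `value = value + line.lstrip()` keeps the two parsers in agreement. The rendering has lost the indentation, so I cannot tell whether the `value.endswith('\\')` check sits at loop level or inside the `else` branch; it must be at loop level, otherwise `multi_line` is never reset and every following line of the file is glued onto the first continued property. A value whose last character is an escaped backslash (written `\\` in the file) is also misread as a continuation, which is worth a comment at the `endswith` check if such values are not expected. The enclosing `load_properties` starts before this hunk.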
def update_audit_event_filter(self, event_name, event_filter): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ name = 'log.instance.SignedAudit.filters.%s' % event_name ++ ++ if event_filter: ++ self.config[name] = event_filter ++ else: ++ self.config.pop(name, None) ++ ++ def disable_audit_event(self, event_name): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ value = self.config['log.instance.SignedAudit.events'] ++ events = set(value.replace(' ', '').split(',')) ++ ++ if event_name not in events: ++ return False ++ ++ events.remove(event_name) ++ event_list = ','.join(sorted(events)) ++ self.config['log.instance.SignedAudit.events'] = event_list ++ ++ return True ++ ++ def find_audit_event_configs(self, enabled=None): + + events = [] + +@@ -458,6 +516,22 @@ class PKISubsystem(object): + + return events + ++ def get_audit_event_config(self, name): ++ ++ names = self.get_audit_events() ++ ++ if name not in names: ++ raise PKIServerException('Invalid audit event: %s' % name) ++ ++ enabled_event_names = self.get_enabled_audit_events() ++ ++ event = {} ++ event['name'] = name ++ event['enabled'] = name in enabled_event_names ++ event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) ++ ++ return event ++ + def get_audit_events(self): + + # get the full list of audit events from LogMessages.properties +@@ -518,12 +592,7 @@ class PKISubsystem(object): + + # parse enabled audit events + value = self.config['log.instance.SignedAudit.events'] +- event_list = value.replace(' ', '').split(',') +- +- # remove duplicates +- events = set() +- for event in event_list: +- events.add(event) ++ events = 
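Review bot: `enable_audit_event` and `disable_audit_event` re-parse `log.instance.SignedAudit.events` inline with `set(value.replace(' ', '').split(','))` instead of reusing the `get_enabled_audit_events` helper from the same series, and when the value is empty that set contains `''`, so enabling the first event writes `,EVENT_NAME` back into the config because the empty string sorts first. Filtering empties in both methods, `events = set(e for e in value.replace(' ', '').split(',') if e)`, fixes the written value. `update_audit_event_filter` stores `event_filter` without any check; the filter string is presumably interpreted by the server's signed-audit logger at runtime, and if a malformed filter suppresses that event's records the loss is silent, so a docstring stating the expected filter syntax, and a syntax check before `self.config[name] = event_filter` if one is available, would help.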
set(value.replace(' ', '').split(',')) + + return sorted(events) + +diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py +index bbbdd10..44fd86a 100644 +--- a/base/server/python/pki/server/cli/audit.py ++++ b/base/server/python/pki/server/cli/audit.py +@@ -20,6 +20,7 @@ + + from __future__ import absolute_import + from __future__ import print_function ++ + import getopt + import os + import shutil +@@ -37,10 +38,271 @@ class AuditCLI(pki.cli.CLI): + 'audit', 'Audit management commands') + + self.parent = parent ++ self.add_module(AuditConfigShowCLI(self)) ++ self.add_module(AuditConfigModifyCLI(self)) + self.add_module(AuditEventFindCLI(self)) ++ self.add_module(AuditEventShowCLI(self)) ++ self.add_module(AuditEventEnableCLI(self)) ++ self.add_module(AuditEventDisableCLI(self)) ++ self.add_module(AuditEventUpdateCLI(self)) + self.add_module(AuditFileFindCLI(self)) + self.add_module(AuditFileVerifyCLI(self)) + ++ @staticmethod ++ def print_audit_config(subsystem): ++ ++ name = 'log.instance.SignedAudit.%s' ++ ++ enabled = subsystem.config[name % 'enable'].lower() == 'true' ++ ++ fileName = subsystem.config[name % 'fileName'] ++ bufferSize = subsystem.config[name % 'bufferSize'] ++ flushInterval = subsystem.config[name % 'flushInterval'] ++ ++ maxFileSize = subsystem.config[name % 'maxFileSize'] ++ rolloverInterval = subsystem.config[name % 'rolloverInterval'] ++ expirationTime = subsystem.config[name % 'expirationTime'] ++ ++ logSigning = subsystem.config[name % 'logSigning'].lower() == 'true' ++ signedAuditCertNickname = subsystem.config[name % 'signedAuditCertNickname'] ++ ++ print(' Enabled: %s' % enabled) ++ ++ print(' Log File: %s' % fileName) ++ print(' Buffer Size (bytes): %s' % bufferSize) ++ print(' Flush Interval (seconds): %s' % flushInterval) ++ ++ print(' Max File Size (bytes): %s' % maxFileSize) ++ print(' Rollover Interval (seconds): %s' % rolloverInterval) ++ print(' Expiration Time (seconds): %s' % 
expirationTime) ++ ++ print(' Log Signing: %s' % logSigning) ++ print(' Signing Certificate: %s' % signedAuditCertNickname) ++ ++ @staticmethod ++ def print_audit_event_config(event): ++ print(' Event Name: %s' % event.get('name')) ++ print(' Enabled: %s' % event.get('enabled')) ++ print(' Filter: %s' % event.get('filter')) ++ ++ ++class AuditConfigShowCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditConfigShowCLI, self).__init__( ++ 'config-show', 'Display audit configuration') ++ self.parent = parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-config-show [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ try: ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.print_help() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.print_help() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = self.parent.parent.name ++ subsystem = instance.get_subsystem(subsystem_name) ++ ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance %s.' 
++ % (subsystem_name.upper(), instance_name)) ++ sys.exit(1) ++ ++ AuditCLI.print_audit_config(subsystem) ++ ++ ++class AuditConfigModifyCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditConfigModifyCLI, self).__init__( ++ 'config-mod', 'Modify audit configuration') ++ self.parent = parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-config-mod [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --enabled Enable/disable audit logging.') ++ print(' --logFile Set log file.') ++ print(' --bufferSize Set buffer size (bytes).') ++ print(' --flushInterval Set flush interval (seconds).') ++ print(' --maxFileSize Set maximum file size (bytes).') ++ print(' --rolloverInterval Set rollover interval (seconds).') ++ print(' --expirationTime