From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001
From: John Magne
Date: Fri, 19 Oct 2018 19:23:37 -0400
Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely.
---
 .../netscape/cms/servlet/csadmin/GetStatus.java | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
index 1d2d0e6..338e26b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
@@ -18,6 +18,7 @@ package com.netscape.cms.servlet.csadmin;
 import java.io.IOException;
+import java.io.FileInputStream;
 import java.util.Locale;
 import javax.servlet.ServletConfig;
@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.base.UserInfo;
 import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cmsutil.xml.XMLObject;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringUtils;
 public class GetStatus extends CMSServlet {
@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet {
 *
 */
 private static final long serialVersionUID = -2852842030221659847L;
+ // File below will be a member of a pki theme package.
+ private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION";
 public GetStatus() {
 super();
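Review bot: `productVersionFILE` mixes camelCase with an upper-case suffix for a `private static final String` constant; Java constants are UPPER_SNAKE_CASE, so `private static final String PRODUCT_VERSION_FILE = "/usr/share/pki/CS_SERVER_VERSION";` would match convention (serialVersionUID is the one sanctioned exception). The comment `// File below will be a member of a pki theme package.` is repeated verbatim at the use site in the next hunk; keeping it here beside the declaration and dropping the duplicate avoids the two drifting apart. The import hunks place `java.io.FileInputStream` after `java.io.IOException` and the two commons imports after the project imports, which breaks the alphabetical grouping the file otherwise keeps.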
@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet {
 xmlObj.addItemToContainer(root, "Type", type);
 xmlObj.addItemToContainer(root, "Status", status);
 xmlObj.addItemToContainer(root, "Version", version);
+ // File below will be a member of a pki theme package.
+ String productVersion = getProductVersion(productVersionFILE);
+
+ if(!StringUtils.isEmpty(productVersion)) {
+ xmlObj.addItemToContainer(root,"ProductVersion", productVersion);
+ }
+
 byte[] cb = xmlObj.toByteArray();
 outputResult(httpResp, "application/xml", cb);
@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet {
 return locale;
 }
+ /**
+ * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION
+ * exists.
+ *
+ * Caller only cares if there is a string or not, exceptions handled here.
+ */
+ private String getProductVersion(String versionFilePathName) {
+ String version = null;
+ FileInputStream inputStream = null;
+
+ if(StringUtils.isEmpty(versionFilePathName)) {
+ CMS.debug("Missing product version file path!");
+ return null;
+ }
+
+ try {
+ inputStream = new FileInputStream(versionFilePathName);
+ String contents = IOUtils.toString(inputStream);
+
+ if(contents != null) {
+ CMS.debug("Returning product version: " + version);
+ version = contents.trim();
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to read product version String. " + e);
+ }
+ finally {
+ if(inputStream != null) {
+ try {
+ inputStream.close();
+ } catch (IOException e) {
+ }
+ }
+ }
+ return version;
+ }
 }
-- 
1.8.3.1
From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001
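Review bot: In getProductVersion the line `CMS.debug("Returning product version: " + version);` runs before `version = contents.trim();`, so it always logs null; move the debug call below the assignment. `IOUtils.toString(inputStream)` decodes with the platform default charset, so `String contents = IOUtils.toString(inputStream, "UTF-8");` is the safer form, and the `contents != null` test is dead because that call never returns null. The blanket `catch (Exception e)` reports a missing file (the normal case when no theme package is installed) with the same message as a genuine read error; catching `IOException` and including `versionFilePathName` in the message would make the log actionable. The trimmed file contents go straight into the status response with no length or character check, so the file must stay package-owned and not writable by the service account, and reading only the first line would bound what can end up in the XML.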
From: Matthew Harmsen
Date: Fri, 14 Sep 2018 19:19:23 -0600
Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder overridden by CSR encoding
https://pagure.io/dogtagpki/issue/2865
coverity fixes
(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72)
---
 .../netscape/cms/profile/def/UserSubjectNameDefault.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
index 636b045..459735e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault {
 * keep the old name so that the attribute
 * encodings are preserved.
 */
 X500Name oldX500name = oldName.getX500Name();
- if (x500name.toString().equals(oldX500name.toString())) {
+ if (x500name == null) {
+ CMS.debug( method +
+ "new Subject DN is null; " +
+ "retaining current value."
+ );
+ x500name = oldX500name;
+ } else if (x500name.toString().equals(oldX500name.toString())) {
 CMS.debug( method +
 "new Subject DN has same string representation " +
 "as current value; retaining current value."
@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault {
 // to the certinfo
 CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(
 IEnrollProfile.REQUEST_SUBJECT_NAME);
+ if (req_sbj == null) {
+ // failed to retrieve subject name
+ CMS.debug("UserSubjectNameDefault: populate req_sbj is null");
+ throw new EProfileException(CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));
+ }
 try {
 info.set(X509CertInfo.SUBJECT, req_sbj);
-- 
1.8.3.1
From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001
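Review bot: The new null guard in the first hunk protects x500name, but the `else if` branch still calls `oldX500name.toString()` unchecked, so if `oldName.getX500Name()` can return null (not visible from here) the same class of NPE this Coverity fix targets remains one branch over; `} else if (oldX500name != null && x500name.toString().equals(oldX500name.toString())) {` would close it. When both names are null, `x500name = oldX500name;` keeps null while the debug message claims the current value is retained, which will mislead whoever reads that log later. The `req_sbj == null` check in the second hunk is fine as written. The enclosing methods start before and end after both hunks.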
From: Christina Fu Date: Wed, 22 Aug 2018 18:12:06 -0700 Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client This patch provides code for ticket 2879, adding audit events for CS when acting as a TLS client. For a running CS system, there are two cases when this happens: 1. When one CS subsystem is talking to another CS subsystem In this case: HttpClient is used 2. When a CS subsystem is talking to an ldap system In this case: PKISocketFactory is used Events added are: - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED https://pagure.io/dogtagpki/issue/2879 Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8 (cherry picked from commit add6813cb15673d604f05173585101a6e56745ca) --- base/ca/shared/conf/CS.cfg | 4 +- .../event/ClientAccessSessionEstablishEvent.java | 74 +++++++ .../event/ClientAccessSessionTerminatedEvent.java | 53 +++++ base/kra/shared/conf/CS.cfg | 4 +- base/ocsp/shared/conf/CS.cfg | 4 +- .../cms/publish/publishers/OCSPPublisher.java | 4 + .../dogtagpki/server/PKIClientSocketListener.java | 230 +++++++++++++++++++++ base/server/cmsbundle/src/LogMessages.properties | 20 ++ .../cmscore/connector/HttpConnFactory.java | 6 + .../netscape/cmscore/connector/HttpConnection.java | 42 ++++ .../netscape/cmscore/connector/HttpConnector.java | 10 + .../com/netscape/cmscore/connector/Resender.java | 8 +- .../cmscore/ldapconn/PKISocketFactory.java | 9 +- base/tks/shared/conf/CS.cfg | 4 +- .../src/com/netscape/cmsutil/http/HttpClient.java | 14 ++ .../netscape/cmsutil/http/JssSSLSocketFactory.java | 8 + 16 files changed, 484 insertions(+), 10 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java create mode 100644 
base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 92504ff..4cef240 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG 
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
new file mode 100644
index 0000000..f54641a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
@@ -0,0 +1,74 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ClientAccessSessionEstablishEvent extends SignedAuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS";
+
+ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE =
+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE";
+
+ public ClientAccessSessionEstablishEvent(String messageID) {
+ super(messageID);
+ }
+
+ public static ClientAccessSessionEstablishEvent createSuccessEvent(
+ String clientHost,
+ String serverHost,
+ String serverPort,
+ String subjectID) {
+
+ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
+ CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS);
+
+ event.setAttribute("ClientHost", clientHost);
+ event.setAttribute("ServerHost", serverHost);
+ event.setAttribute("ServerPort", serverPort);
+ event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("Outcome", ILogger.SUCCESS);
+
return event;
+ }
+
+ public static ClientAccessSessionEstablishEvent createFailureEvent(
+ String clientHost,
+ String serverHost,
+ String serverPort,
+ String subjectID,
+ String info) {
+
+ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
+ CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE);
+
+ event.setAttribute("ClientHost", clientHost);
+ event.setAttribute("ServerHost", serverHost);
+ event.setAttribute("ServerPort", serverPort);
+ event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("Outcome", ILogger.FAILURE);
+ event.setAttribute("Info", info);
+
+ return event;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
new file mode 100644
index 0000000..cad0c97
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
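Review bot: `public final static String` on CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS and CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE uses a non-canonical modifier order; `public static final String` is the JLS-recommended order and what `serialVersionUID` in the same class already uses, and the same applies to CLIENT_ACCESS_SESSION_TERMINATED in the next file. Neither factory method carries Javadoc; a one-line summary on each naming the attributes it sets (ClientHost, ServerHost, ServerPort, SubjectID, Outcome, plus Info on failure) would help anyone matching them to the new placeholders in LogMessages.properties. createSuccessEvent sets no Info attribute while createFailureEvent does, so if the success message template in LogMessages.properties (not in view here) references Info it will render with a missing value — worth confirming.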
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String CLIENT_ACCESS_SESSION_TERMINATED =
+ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED";
+
+ public ClientAccessSessionTerminatedEvent(String messageID) {
+ super(messageID);
+ }
+
+ public static ClientAccessSessionTerminatedEvent createEvent(
+ String clientHost,
+ String serverHost,
+ String serverPort,
+ String subjectID,
+ String info) {
+
+ ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent(
+ CLIENT_ACCESS_SESSION_TERMINATED);
+
+ event.setAttribute("ClientHost", clientHost);
+ event.setAttribute("ServerHost", serverHost);
+ event.setAttribute("ServerPort", serverPort);
+ event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("Outcome", ILogger.SUCCESS);
+ event.setAttribute("Info", info);
+
+ return event;
+ }
+}
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 878e5f8..6108576 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION +log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
 log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
index b412e5e..d2e5256 100644
--- a/base/ocsp/shared/conf/CS.cfg
+++ b/base/ocsp/shared/conf/CS.cfg
@@ -216,11 +216,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION +log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
index 11d44b8..d15523e 100644
--- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest;
 import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.util.Utils;
+import org.dogtagpki.server.PKIClientSocketListener;
+
 import netscape.ldap.LDAPConnection;
 /**
@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
 Socket socket = null;
 JssSSLSocketFactory factory;
+ PKIClientSocketListener sockListener = new PKIClientSocketListener();
 if (mClientAuthEnabled) {
 factory = new JssSSLSocketFactory(mNickname);
 } else {
 factory = new JssSSLSocketFactory();
 }
+ factory.addSocketListener(sockListener);
 if (mHost != null && mHost.indexOf(' ') != -1) {
 // support failover hosts configuration
diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java
new file mode 100644
index 0000000..dc49908
--- /dev/null
+++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java
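Review bot: A fresh PKIClientSocketListener is created on every call and attached with `factory.addSocketListener(sockListener);`; since the listener keeps a per-instance socketInfos WeakHashMap (see the new class later in this patch) and WeakHashMap is not synchronized, the per-call instance looks intentional, but a comment such as `// one listener per connection attempt: its socket-info map is not thread-safe` would stop the next reader from hoisting it into a shared field. In the import hunk above, `import org.dogtagpki.server.PKIClientSocketListener;` is placed between the `com.netscape` group and `netscape.ldap`, breaking the file's alphabetical import grouping. The enclosing method starts before and ends after this hunk.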
@@ -0,0 +1,230 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package org.dogtagpki.server; + +import java.lang.Integer; +import java.net.InetAddress; +import java.security.Principal; +import java.util.HashMap; +import java.util.Map; +import java.util.WeakHashMap; + +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.ssl.SSLAlertDescription; +import org.mozilla.jss.ssl.SSLAlertEvent; +import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; +import org.mozilla.jss.ssl.SSLSecurityStatus; +import org.mozilla.jss.ssl.SSLSocket; +import org.mozilla.jss.ssl.SSLSocketListener; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.netscape.certsrv.logging.SignedAuditEvent; +import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; +import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent; +import com.netscape.cms.logging.SignedAuditLogger; +import com.netscape.certsrv.apps.CMS; + +public class PKIClientSocketListener implements SSLSocketListener { + + private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); + private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); + + /** + * The socketInfos map 
is a storage for socket information that may not be available + * after the socket has been closed such as client IP address and subject ID. The + * WeakHashMap is used here to allow the map key (i.e. the socket object) to be + * garbage-collected since there is no guarantee that socket will be closed with an + * SSL alert for a proper map entry removal. + */ + Map> socketInfos = new WeakHashMap<>(); + + @Override + public void alertReceived(SSLAlertEvent event) { + String method = "PKIClientSocketListener.alertReceived: "; +CMS.debug(method + "begins"); + try { + SSLSocket socket = event.getSocket(); + + InetAddress serverAddress = socket.getInetAddress(); + InetAddress clientAddress = socket.getLocalAddress(); + String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); + String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); + String serverPort = Integer.toString(socket.getPort()); + + SSLSecurityStatus status = socket.getStatus(); +/* + X509Certificate peerCertificate = status.getPeerCertificate(); + Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); + String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); +*/ +String subjectID = "SYSTEM"; + + int description = event.getDescription(); + String reason = SSLAlertDescription.valueOf(description).toString(); + + logger.debug("SSL alert received:"); + logger.debug(" - reason: " + reason); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); + + + signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent( + clientIP, + serverIP, + serverPort, + subjectID, + reason)); + + CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); +CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); + + } catch (Exception e) { + logger.error(e.getMessage(), e); + } + } + + @Override + public void alertSent(SSLAlertEvent event) { + String method = "PKIClientSocketListener.alertSent: "; +CMS.debug(method + "begins"); + try { + SSLSocket socket = event.getSocket(); + + int description = event.getDescription(); +CMS.debug(method + "got description:"+ description); + String reason = SSLAlertDescription.valueOf(description).toString(); +CMS.debug(method + "got reason:"+ reason); + + SignedAuditEvent auditEvent; + String clientIP; + String serverIP; + String serverPort; + String subjectID; + + if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { + + // get socket info from socketInfos map since socket has been closed + Map info = socketInfos.get(socket); + clientIP = (String)info.get("clientIP"); + serverIP = (String)info.get("serverIP"); + serverPort = (String)info.get("serverPort"); + subjectID = (String)info.get("subjectID"); + + auditEvent = ClientAccessSessionTerminatedEvent.createEvent( + clientIP, + serverIP, + serverPort, + subjectID, + reason); + + CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); + CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason); + + } else { + + // get 
socket info from the socket itself + InetAddress serverAddress = socket.getInetAddress(); + InetAddress clientAddress = socket.getLocalAddress(); + + clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); + serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); + serverPort = Integer.toString(socket.getPort()); + + SSLSecurityStatus status = socket.getStatus(); +/* + X509Certificate peerCertificate = status.getPeerCertificate(); + Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); + subjectID = subjectDN == null ? "" : subjectDN.toString(); +*/ +subjectID = "SYSTEM"; + + auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( + clientIP, + serverIP, + serverPort, + subjectID, + reason); + + } + + logger.debug("SSL alert sent:"); + logger.debug(" - reason: " + reason); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); + + signedAuditLogger.log(auditEvent); + + CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"); +CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); + + } catch (Exception e) { + logger.error(e.getMessage(), e); + } + } + + @Override + public void handshakeCompleted(SSLHandshakeCompletedEvent event) { + String method = "PKIClientSocketListener.handshakeCompleted: "; +CMS.debug(method + "begins"); + try { + SSLSocket socket = event.getSocket(); + + InetAddress serverAddress = socket.getInetAddress(); + InetAddress clientAddress = socket.getLocalAddress(); + String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); + String clientIP = clientAddress == null ? 
"" : clientAddress.getHostAddress(); + String serverPort = Integer.toString(socket.getPort()); + + SSLSecurityStatus status = socket.getStatus(); +/* + X509Certificate peerCertificate = status.getPeerCertificate(); + Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); + String subjectID = subjectDN == null ? "" : subjectDN.toString(); +*/ +String subjectID = "SYSTEM"; + + logger.debug("Handshake completed:"); + logger.debug(" - client: " + clientIP); + logger.debug(" - server: " + serverIP); + logger.debug(" - subject: " + subjectID); + + // store socket info in socketInfos map + Map info = new HashMap<>(); + info.put("clientIP", clientIP); + info.put("serverIP", serverIP); + info.put("serverPort", serverPort); + info.put("subjectID", subjectID); + socketInfos.put(socket, info); + + signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent( + clientIP, + serverIP, + serverPort, + subjectID)); + + CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"); +CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort); + + } catch (Exception e) { + logger.error(e.getMessage(), e); + } + } +} diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index d534506..a8a8deb 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ :[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated +# +# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE +# access session failed to establish when Certificate System acts as client +# +LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ +:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client +# +# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS +# - used when access session was established successfully when +# Certificate System acts as client +# +LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ +:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client +# +# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED +# - used when access session was terminated when Certificate System acts as client +# +LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ +:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client + ########################### #Unselectable signedAudit Events diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java index 47f5e61..e4f92b4 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java @@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.net.ISocketFactory; +import org.dogtagpki.server.PKIClientSocketListener; + /** * Factory for getting HTTP Connections to a HTTPO server */ 
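Review bot: The new LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS message reads `access session establish successfully`, and that text goes verbatim into the signed audit log; it should be `access session established successfully when Certificate System acts as client`, matching the tense of the TERMINATED message. The comment block above the FAILURE key also omits the `- used when` lead-in that the other two new entries use, which is cosmetic but leaves the three entries inconsistent.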
@@ -127,6 +129,10 @@ public class HttpConnFactory { try { ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers); + PKIClientSocketListener sockListener = new PKIClientSocketListener() +; + JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory; + factory.addSocketListener(sockListener); if (mTimeout == 0) { retConn = CMS.getHttpConnection(mDest, tFactory); diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java index fbd3268..649fa80 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java @@ -18,7 +18,10 @@ package com.netscape.cmscore.connector; import java.io.IOException; +import java.lang.Integer; import java.net.InetSocketAddress; +import java.net.InetAddress; +import java.net.UnknownHostException; import java.util.ArrayList; import java.util.List; 
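Review bot: In HttpConnFactory the listener is attached through a downcast, `(JssSSLSocketFactory) tFactory`, of a variable that was assigned `new JssSSLSocketFactory(...)` one line earlier, and the constructor call's terminating `;` has been pushed onto its own line; declaring the local as the concrete type removes both the cast and the extra variable: `JssSSLSocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers); tFactory.addSocketListener(new PKIClientSocketListener());` (JssSSLSocketFactory implements ISocketFactory, so the later `CMS.getHttpConnection(mDest, tFactory)` call is unaffected). The same cast-after-assignment pattern appears in both HttpConnector constructors (the `@@ -55` and `@@ -82` hunks), where building the concrete factory first and assigning it to `mFactory` afterwards would read the same way. The enclosing try block starts and ends outside this hunk.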
@@ -28,14 +31,24 @@ import com.netscape.certsrv.connector.IHttpConnection; import com.netscape.certsrv.connector.IPKIMessage; import com.netscape.certsrv.connector.IRemoteAuthority; import com.netscape.certsrv.connector.IRequestEncoder; +import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; +import com.netscape.certsrv.logging.SignedAuditEvent; +import com.netscape.cms.logging.SignedAuditLogger; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.http.HttpClient; import com.netscape.cmsutil.http.HttpRequest; import com.netscape.cmsutil.http.HttpResponse; import com.netscape.cmsutil.net.ISocketFactory; +import org.dogtagpki.server.PKIClientSocketListener; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + public class HttpConnection implements IHttpConnection { + private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); + private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); + protected IRemoteAuthority mDest = null; protected HttpRequest mHttpreq = new HttpRequest(); protected IRequestEncoder mReqEncoder = null; @@ -43,12 +56,18 @@ public class HttpConnection implements IHttpConnection { int timeout = 0; List targets; + String localIP = "localhost"; public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, int timeout // seconds ) { CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout); + try { + localIP = InetAddress.getLocalHost().getHostAddress(); + } catch (UnknownHostException e) { + // default to "localhost"; + } mDest = dest; mReqEncoder = new HttpRequestEncoder(); @@ -118,6 +137,7 @@ public class HttpConnection implements IHttpConnection { void connect() throws IOException { IOException exception = null; + SignedAuditEvent auditEvent; // try all targets for (InetSocketAddress target : targets) { 
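Review bot: The logger added to HttpConnection is obtained as `LoggerFactory.getLogger(PKIClientSocketListener.class)`, so anything it emits will be attributed to the socket listener rather than to this class; it should be `LoggerFactory.getLogger(HttpConnection.class)`, and as far as this diff shows the field is not used at all yet. In the constructor hunk (`@@ -43`), `InetAddress.getLocalHost().getHostAddress()` is taken as the client address for the audit events; that is the host's primary address, which is not necessarily the interface the connection is made from, so a comment such as `// best-effort client address for audit records; may differ from the socket's local address` would keep the audit field from being read as the actual source address, and the empty catch would be clearer with a comment stating why falling back to `localhost` is acceptable. The constructor and connect() extend outside their hunks.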
@@ -136,6 +156,14 @@ public class HttpConnection implements IHttpConnection { } catch (IOException e) { exception = e; CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e); + auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( + localIP, + hostname, + Integer.toString(port), + "SYSTEM", + "connect:" +e.toString()); + signedAuditLogger.log(auditEvent); + // try the next target immediately } } @@ -229,6 +257,13 @@ public class HttpConnection implements IHttpConnection { HttpResponse resp = null; boolean reconnected = false; + SignedAuditEvent auditEvent; + String localIP = "localhost"; + try { + localIP = InetAddress.getLocalHost().getHostAddress(); + } catch (UnknownHostException e) { + // default to "localhost"; + } if (getRequestURI() == null) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest")); @@ -266,6 +301,13 @@ public class HttpConnection implements IHttpConnection { resp = mHttpClient.send(mHttpreq); } catch (IOException e) { + auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( + localIP, + mHttpClient.getHost(), + mHttpClient.getPort(), + "SYSTEM", + "send:" +e.toString()); + signedAuditLogger.log(auditEvent); CMS.debug(e); diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java index 398becc..0588bf4 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java @@ -35,6 +35,8 @@ import com.netscape.cmsutil.http.HttpResponse; import com.netscape.cmsutil.http.JssSSLSocketFactory; import com.netscape.cmsutil.net.ISocketFactory; +import org.dogtagpki.server.PKIClientSocketListener; + public class HttpConnector implements IConnector { protected IAuthority mSource = null; protected IRemoteAuthority mDest = null; 
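Review bot: The `@@ -229` hunk declares a local `String localIP = "localhost"` that shadows the `localIP` field the constructor already initialises, and repeats `InetAddress.getLocalHost()` — a name-service lookup that can block — on every request; drop the local and its try/catch and use the field. In the `@@ -136` and `@@ -301` hunks the failure reason is built as `"connect:" +e.toString()` and `"send:" +e.toString()`, which records the exception's class name and message in the signed audit log; that is useful for diagnostics, but a short comment confirming it is intended would help, since audit entries are long-lived and the same text is also written by CMS.debug. The enclosing connect() and the method around the `mHttpClient.send(mHttpreq)` call start and end outside their hunks.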
@@ -55,8 +57,12 @@ public class HttpConnector implements IConnector { mTimeout = 0; mSource = source; mDest = dest; + PKIClientSocketListener sockListener = new PKIClientSocketListener(); mFactory = new JssSSLSocketFactory(nickName, clientCiphers); + JssSSLSocketFactory factory = (JssSSLSocketFactory)mFactory; + factory.addSocketListener(sockListener); + int minConns = config.getInteger("minHttpConns", 1); int maxConns = config.getInteger("maxHttpConns", 15); @@ -82,8 +88,12 @@ public class HttpConnector implements IConnector { mSource = source; mDest = dest; mTimeout = timeout; + PKIClientSocketListener sockListener = new PKIClientSocketListener(); mFactory = new JssSSLSocketFactory(nickName, clientCiphers); + JssSSLSocketFactory factory = (JssSSLSocketFactory) mFactory; + factory.addSocketListener(sockListener); + int minConns = config.getInteger("minHttpConns", 1); int maxConns = config.getInteger("maxHttpConns", 15); diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java index e6d9ced..cc73077 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java @@ -39,6 +39,8 @@ import com.netscape.certsrv.request.RequestStatus; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.http.JssSSLSocketFactory; +import org.dogtagpki.server.PKIClientSocketListener; + /** * Resend requests at intervals to the server to check if it's been completed. * Default interval is 5 minutes. 
@@ -127,7 +129,11 @@ public class Resender implements IResender { if (! connected) { CMS.debug("Connecting ..."); - mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers)); + PKIClientSocketListener sockListener = new PKIClientSocketListener(); + JssSSLSocketFactory factory = new JssSSLSocketFactory(mNickName, mClientCiphers); + factory.addSocketListener(sockListener); + + mConn = new HttpConnection(mDest, factory); initRequests(); connected = true; } diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java index d0c23ed..e9f28c9 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java +++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java @@ -35,6 +35,8 @@ import com.netscape.certsrv.base.IConfigStore; import netscape.ldap.LDAPException; import netscape.ldap.LDAPSSLSocketFactoryExt; +import org.dogtagpki.server.PKIClientSocketListener; + /** * Uses HCL ssl socket. * @@ -46,6 +48,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { private String mClientAuthCertNickname; private boolean mClientAuth; private boolean keepAlive; + PKIClientSocketListener sockListener = null; public PKISocketFactory() { init(); @@ -67,6 +70,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { IConfigStore cs = CMS.getConfigStore(); keepAlive = cs.getBoolean("tcp.keepAlive", true); CMS.debug("TCP Keep-Alive: " + keepAlive); + sockListener = new PKIClientSocketListener(); } catch (Exception e) { CMS.debug(e); @@ -75,6 +79,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { } public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException { + String method = "ldapconn/PKISocketFactory.makeSSLSocket: "; + CMS.debug(method + "begins"); /* * let inherit TLS range and cipher settings 
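Review bot: In PKISocketFactory.init() the new `sockListener = new PKIClientSocketListener();` sits at the end of the try block, after `CMS.getConfigStore()` and `cs.getBoolean("tcp.keepAlive", true)`, so if either lookup throws, the field stays null and makeSSLSocket() (the `@@ -100` hunk) then calls `s.addSocketListener(sockListener)` with null. Constructing the listener before the try, or guarding the registration the way JssSSLSocketFactory does — `if (sockListener != null) { s.addSocketListener(sockListener); }` — avoids handing a null listener to JSS. The field is also declared with no access modifier; `private` matches the surrounding fields. init() and makeSSLSocket() extend outside the hunks.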
@@ -100,6 +106,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { s.setUseClientMode(true); s.enableV2CompatibleHello(false); + s.addSocketListener(sockListener); + SSLHandshakeCompletedListener listener = null; listener = new ClientHandshakeCB(this); @@ -119,7 +127,6 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { } public Socket makeSocket(String host, int port) throws LDAPException { - Socket s = null; try { diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg index e9bf03e..60a3355 100644 --- a/base/tks/shared/conf/CS.cfg +++ b/base/tks/shared/conf/CS.cfg 
@@ -208,11 +208,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION +log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL 
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) log.instance.SignedAudit.expirationTime=0 diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java index db042a7..2204e19 100644 --- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java +++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java @@ -46,6 +46,9 @@ public class HttpClient { protected BufferedReader mBufferedReader = null; protected SSLCertificateApprovalCallback mCertApprovalCallback = null; protected boolean mConnected = false; + // for auditing purposes + protected String mHost; + protected String mPort; public HttpClient() { } @@ -63,6 +66,9 @@ public class HttpClient { int timeout // milliseconds ) throws IOException { + mHost = host; + mPort = Integer.toString(port); + if (mFactory != null) { if (mCertApprovalCallback == null) { mSocket = mFactory.makeSocket(host, port, timeout); @@ -149,6 +155,14 @@ public class HttpClient { return mSocket; } + public String getHost() { + return mHost; + } + + public String getPort() { + return mPort; + } + /** * unit test */ diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java index eaed821..0d176ad 100644 --- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java 
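Review bot: The new `getHost()` and `getPort()` accessors on HttpClient have no Javadoc, and nothing states that `mHost`/`mPort` are only assigned inside connect(host, port, timeout) — both return null on an HttpClient that has never been connected, which the audit call sites in HttpConnection feed straight into ClientAccessSessionEstablishEvent. A Javadoc along the lines of `/** Host passed to the most recent connect() call, or null if connect() has not run; kept for audit events only. */` on each accessor would make that contract explicit. Storing the port as a String purely so the audit API can consume it is also worth a comment on the field, since the rest of the class works with an int port.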
@@ -27,6 +27,7 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback; import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; import org.mozilla.jss.ssl.SSLHandshakeCompletedListener; import org.mozilla.jss.ssl.SSLSocket; +import org.mozilla.jss.ssl.SSLSocketListener; import com.netscape.cmsutil.net.ISocketFactory; import com.netscape.cmsutil.crypto.CryptoUtil; @@ -40,6 +41,7 @@ public class JssSSLSocketFactory implements ISocketFactory { private String mClientAuthCertNickname = null; private String mClientCiphers = null; private SSLSocket s = null; + private SSLSocketListener sockListener = null; public JssSSLSocketFactory() { } @@ -83,6 +85,8 @@ public class JssSSLSocketFactory implements ISocketFactory { listener = new ClientHandshakeCB(this); s.addHandshakeCompletedListener(listener); + if (this.sockListener != null) + s.addSocketListener(this.sockListener); if (mClientAuthCertNickname != null) { // 052799 setClientCertNickname does not @@ -131,6 +135,10 @@ public class JssSSLSocketFactory implements ISocketFactory { return s; } + public void addSocketListener(SSLSocketListener sl) { + this.sockListener = sl; + } + public void log(int level, String msg) { } -- 1.8.3.1 From 44030bf381dc868e64c0e80d112bce72a626e8fb Mon Sep 17 00:00:00 2001 
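Review bot: `addSocketListener(SSLSocketListener sl)` on JssSSLSocketFactory overwrites a single field, so a second call silently discards the first listener even though the name promises accumulation; either keep a `List<SSLSocketListener>` and register each one in makeSocket(), or rename it `setSocketListener` and document the behaviour with `/** Sets the one listener attached to every socket this factory creates; replaces any listener set earlier. */`. The guard in the `@@ -83` hunk, `if (this.sockListener != null) s.addSocketListener(this.sockListener);`, should be braced to match the surrounding code. makeSocket() starts and ends outside that hunk.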
From: Christina Fu Date: Fri, 31 Aug 2018 08:52:22 -0700 Subject: [PATCH 09/19] Ticket2960 add SHA384 ciphers and cleanup profiles Note: this is a 2nd attempt as the first attempt was reverted due to "breakage" of post-checkin-enablement of the IPA CI, which is speculated to have used a server cert as a client cert which violated one of the very essences of the "profile cleanup" part of the original patch; As a compromise, the clientAuth bit was added back to all non-CMC *server* profiles so the patch will pass the IPA CI. The revised patch has been adequately tested in addition to passing the IPA CI. This patch adds SHA384 ciphers to the cipher lists (RSA & EC) CryptoUtil.java contains changes to clientECCiphers: - RSA ciphers commented out - SHA384 ciphers are added but RSA ones commented out Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed. In addition, a few cleanups are done: - all MD2, MD5 from allowed signing key algs from profiles - server profiles: * removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles * fixed a couple KU's (RSA vs EC) that had true/false flipped - caCMCkraStorageCert.cfg * removed EKU (funny it had clientAuth) - caCMCkraTransportCert.cfg * removed EKU (funny it had clientAuth) - base/ca/shared/conf/eccServerCert.profile * added the missing CommonNameToSANDefault Tested with the following: - installation of an RSA CA and a KRA (strip down to only SHA384 ciphers) * performed successful agent access * tested key archival - installation of an EC CA (strip down to only SHA384 ciphers) * performed successful agent access * tested an agent-signed CMC request and submitted/issued successfully using HttpClient The above tests showed: - The SHA384 ciphers work out of box - The TLS server and client profiles changes did not break any TLS connections. - The KRA storage and transport profile changes did not break anything.
fixes https://pagure.io/dogtagpki/issue/2960 Change-Id: Ia41dfbcec972cb18752b50056f29edf61cb3ce61 (cherry picked from commit 97e290663f29d5b2c5afab18e4a7c90af05c874c) --- base/ca/shared/conf/CS.cfg | 2 +- base/ca/shared/conf/eccAdminCert.profile | 2 +- base/ca/shared/conf/eccServerCert.profile | 4 +++- base/ca/shared/conf/rsaAdminCert.profile | 2 +- base/ca/shared/profiles/ca/AdminCert.cfg | 6 +++--- base/ca/shared/profiles/ca/ECAdminCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caAdminCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caAgentFileSigning.cfg | 2 +- base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 2 +- base/ca/shared/profiles/ca/caCMCUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 8 +------- base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 8 +------- base/ca/shared/profiles/ca/caCMCserverCert.cfg | 2 +- base/ca/shared/profiles/ca/caCrossSignedCACert.cfg | 2 +- base/ca/shared/profiles/ca/caDirBasedDualCert.cfg | 8 ++++---- base/ca/shared/profiles/ca/caDirPinUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caDualCert.cfg | 6 +++--- base/ca/shared/profiles/ca/caDualRAuserCert.cfg | 2 +- base/ca/shared/profiles/ca/caECAdminCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECDirUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECDualCert.cfg | 3 +-- base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg | 2 +- base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caECUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caEncUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caIPAserviceCert.cfg | 2 +- base/ca/shared/profiles/ca/caInstallCACert.cfg | 
2 +- base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg | 2 +- base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg | 2 +- base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 2 +- base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg | 2 +- base/ca/shared/profiles/ca/caJarSigningCert.cfg | 2 +- base/ca/shared/profiles/ca/caOtherCert.cfg | 2 +- base/ca/shared/profiles/ca/caRACert.cfg | 2 +- base/ca/shared/profiles/ca/caRARouterCert.cfg | 2 +- base/ca/shared/profiles/ca/caRAagentCert.cfg | 2 +- base/ca/shared/profiles/ca/caRAserverCert.cfg | 12 ++++++++---- base/ca/shared/profiles/ca/caRouterCert.cfg | 2 +- base/ca/shared/profiles/ca/caSigningUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caStorageCert.cfg | 10 ++-------- base/ca/shared/profiles/ca/caTPSCert.cfg | 2 +- base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg | 2 +- base/ca/shared/profiles/ca/caUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg | 2 +- .../netscape/cms/profile/common/CACertCAEnrollProfile.java | 2 +- .../src/com/netscape/cms/profile/def/SigningAlgDefault.java | 2 +- base/server/python/pki/server/deployment/pkiparser.py | 10 ++++++++-- base/server/share/conf/ciphers.info | 4 ++-- base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 ++++++++++-- 56 files changed, 103 insertions(+), 102 deletions(-) diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 6b39b0a..4cef240 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg 
@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
 ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
 ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
 ca.ocsp_signing.tokenname=internal
-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
 ca.publish.createOwnDNEntry=false
 ca.publish.queue.enable=true
 ca.publish.queue.maxNumberOfThreads=3
diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
index 46d157a..219944a 100644
--- a/base/ca/shared/conf/eccAdminCert.profile
+++ b/base/ca/shared/conf/eccAdminCert.profile
@@ -26,7 +26,7 @@ list=2,4,5,6,7
 6.default.params.keyUsageCritical=true
 6.default.params.keyUsageDigitalSignature=true
 6.default.params.keyUsageNonRepudiation=true
-6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageDataEncipherment=false
 6.default.params.keyUsageKeyEncipherment=false
 6.default.params.keyUsageKeyAgreement=true
 6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
index 8c679f7..d990e77 100644
--- a/base/ca/shared/conf/eccServerCert.profile
+++ b/base/ca/shared/conf/eccServerCert.profile
@@ -6,7 +6,7 @@ name=All Purpose SSL server cert with ECC keys Profile
 description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
 profileIDMapping=caECServerCert
 profileSetIDMapping=serverCertSet
-list=2,4,5,6,7
+list=2,4,5,6,7,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -37,3 +37,5 @@ list=2,4,5,6,7
 7.default.name=Extended Key Usage Extension Default
 7.default.params.exKeyUsageCritical=false
 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
+8.default.name=copy CN to SAN Default
diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
index 5e84d74..7b3668c 100644
--- a/base/ca/shared/conf/rsaAdminCert.profile
+++ b/base/ca/shared/conf/rsaAdminCert.profile
@@ -26,7 +26,7 @@ list=2,4,5,6,7
 6.default.params.keyUsageCritical=true
 6.default.params.keyUsageDigitalSignature=true
 6.default.params.keyUsageNonRepudiation=true
-6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageDataEncipherment=false
 6.default.params.keyUsageKeyEncipherment=true
 6.default.params.keyUsageKeyAgreement=false
 6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
index 7879614..18cbc2f 100644
--- a/base/ca/shared/profiles/ca/AdminCert.cfg
+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
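Review bot: The new default 8 (CommonNameToSANDefault) in eccServerCert.profile promotes the subject CN into a SAN with no constraint alongside it, so whatever CN the bootstrap request carries becomes the name that TLS clients will match against. That is only sound if the default itself checks that the CN is a well-formed DNS name (and skips or rejects anything else, e.g. an IP literal or a descriptive CN) before copying it; the implementation is not on this page, so that behaviour should be confirmed or documented next to the entry. The rsaServerCert.profile counterpart is not visible in this chunk; if the same default is intended for both bootstrap server profiles it presumably needs the matching `list=2,4,5,6,7,8` and `8.default.*` lines there too.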
@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
@@ -80,7 +80,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
 policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.adminCertSet.8.constraint.name=No Constraint
-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.adminCertSet.8.default.name=Signing Alg
 policyset.adminCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
index e00022e..38562a6 100644
--- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
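Review bot: The rewritten `signingAlgsAllowed` constraint in AdminCert.cfg (hunk @@ -80) drops MD5withRSA and MD2withRSA but still admits SHA1withRSA, SHA1withDSA and SHA1withEC, so a requester who can choose the signing algorithm can still obtain a SHA-1-signed certificate from this profile. The CMC profiles touched in the same patch (caCMCECserverCert, caCMCkraStorageCert, caCMCkraTransportCert, caCMCserverCert) already use a SHA-2-only list, so the consistent line would be `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`. The same SHA-1 entries survive in the corresponding hunks of caAgentFileSigning.cfg, caCrossSignedCACert.cfg, caDirBasedDualCert.cfg, caDirPinUserCert.cfg, caDirUserCert.cfg, caDualCert.cfg, caDualRAuserCert.cfg and caECDualCert.cfg; if SHA-1 is being kept deliberately for legacy clients, a one-line comment saying so in each profile would stop the next reviewer from re-raising it.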
@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
index 86a3b11..6598677 100644
--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
index 5608373..cc65afc 100644
--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
index b7b4881..226c05c 100644
--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
index 53b0c4d..68c59fb 100644
--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index df47758..657b98e 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
index 1c2630d..908f584 100644
--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=drmStorageCertSet
-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
 policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
 policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
@@ -71,12 +71,6 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
 policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
index 3d00408..628253d 100644
--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=transportCertSet
-policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.list=1,2,3,4,5,6,8
 policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.transportCertSet.1.constraint.name=Subject Name Constraint
 policyset.transportCertSet.1.constraint.params.pattern=CN=.*
@@ -71,12 +71,6 @@ policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
 policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
-policyset.transportCertSet.7.constraint.name=No Constraint
-policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
-policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.transportCertSet.8.constraint.name=No Constraint
 policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
index 9ad9fac..628fc50 100644
--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
index 8fafbdf..efc35a3 100644
--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
@@ -76,7 +76,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
index 3f34684..ac761c9 100644
--- a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
@@ -1,6 +1,6 @@
 desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
 visible=true
-enable=true
+enable=false
 enableBy=admin
 name=Directory-authenticated User Signing & Encryption Certificates Enrollment
 auth.instance_id=UserDirEnrollment
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
index af2b5e5..f9e24b9 100644
--- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
index 0b7f6b7..2e90d97 100644
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index 87036d1..c5cf168 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
index 7d61b36..e25b4bb 100644
--- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
@@ -88,7 +88,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
index d57bae1..84cab82 100644
--- a/base/ca/shared/profiles/ca/caECAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
index 4143102..7b33de6 100644
--- a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
index b65999e..11eafa7 100644
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
index 0a56caf..663aa13 100644
--- a/base/ca/shared/profiles/ca/caECDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
@@ -161,8 +161,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
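Review bot: In caECDualCert.cfg (hunk @@ -161,8 +161,7) the `policyset.signingCertSet.9.default.params.signingAlgsAllowed` line is deleted outright, whereas the identical line in caDirBasedDualCert.cfg and caDualCert.cfg earlier in this patch is rewritten with the MD2/MD5 entries removed and kept. If signingAlgDefaultImpl reads that parameter (the diffstat shows SigningAlgDefault.java is touched, so its defaulting behaviour may have changed in a hunk outside this chunk), the EC dual-cert profile will now fall back to whatever the class's built-in list is instead of the profile's explicit list, which is a silent divergence between the three dual-cert profiles. Either restore it in the rewritten form, `+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`, or remove it from the other two profiles as well so the behaviour is the same in all three.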
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
index 48e6499..b3cc471 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
@@ -48,7 +48,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -60,7 +60,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
index b24cb03..822e96b 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
@@ -51,7 +51,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -63,7 +63,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
index e7b60ee..5a817df 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
@@ -59,7 +59,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -71,7 +71,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
index 8580544..24d61ca 100644
--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
index 8df3576..3d072a2 100644
--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
index a6bf04a..dda7282 100644
--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
@@ -59,7 +59,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -71,7 +71,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg
index 07e78f9..c166b28 100644
--- a/base/ca/shared/profiles/ca/caEncUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
index 9603758..42d802e 100644
--- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
index 7bdb180..ba942d7 100644
--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -80,7 +80,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
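Review bot: The caInstallCACert hunk leaves `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC` in the signing-algorithm constraint for a profile that issues CA certificates, which is the one place where a collision-weak digest does the most damage (a SHA-1 collision against a CA cert is the classic rogue-intermediate scenario). The same file's internal server profiles in this patch already use a SHA-2-only list, so the CA profile being looser than the leaf profiles looks inverted. Unless there is a known legacy reason to keep SHA-1 for CA issuance, the new line should be `policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`; if SHA-1 must stay, a `#` comment above the line stating why would keep the next reader from "fixing" it.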
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
index 5acc174..60d560d 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
 policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.drmStorageCertSet.9.default.name=Signing Alg
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
index 8788f94..982c868 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
 policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
 policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.ocspCertSet.9.constraint.name=No Constraint
-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.ocspCertSet.9.default.name=Signing Alg
 policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index de3c2a5..25538e7 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
index 9f7680a..bdc69bc 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
 policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.transportCertSet.8.constraint.name=No Constraint
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.transportCertSet.8.default.name=Signing Alg
 policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
index f5f5e62..8aea48d 100644
--- a/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
@@ -80,7 +80,7 @@ policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false
 policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false
 policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl
 policyset.caJarSigningSet.6.constraint.name=No Constraint
-policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl
 policyset.caJarSigningSet.6.default.name=Signing Alg
 policyset.caJarSigningSet.6.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
index e5cf627..5b8f50e 100644
--- a/base/ca/shared/profiles/ca/caOtherCert.cfg
+++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
@@ -79,7 +79,7 @@ policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
 policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.otherCertSet.8.constraint.name=No Constraint
-policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.otherCertSet.8.default.name=Signing Alg
 policyset.otherCertSet.8.default.params.signingAlg=-
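Review bot: In the caJarSigningCert hunk the constraint for a code-signing profile still accepts `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`, and this profile was the only one in the patch that listed MD5/MD2 first, which suggests it has been the most permissive for a long time rather than deliberately so. Code-signing certificates are long-lived and the signatures they authenticate are verified years later, so a SHA-1 allowance here outlasts the lifetime of the MD2/MD5 one being removed. I would bring the line to `policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`, matching the SHA-2-only lists the internal server profiles already use, or at minimum note in a `#` comment why SHA-1 is retained for jar signing.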
diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
index 9774566..fb1199e 100644
--- a/base/ca/shared/profiles/ca/caRACert.cfg
+++ b/base/ca/shared/profiles/ca/caRACert.cfg
@@ -79,7 +79,7 @@ policyset.raCertSet.7.default.params.exKeyUsageCritical=false
 policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.raCertSet.8.constraint.name=No Constraint
-policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.raCertSet.8.default.name=Signing Alg
 policyset.raCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
index 05b3a72..c504285 100644
--- a/base/ca/shared/profiles/ca/caRARouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
index 2199b26..db22f90 100644
--- a/base/ca/shared/profiles/ca/caRAagentCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
@@ -89,7 +89,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
index 3a6cefa..e2406b4 100644
--- a/base/ca/shared/profiles/ca/caRAserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -79,7 +79,11 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.9.default.name=copy CN to SAN Default
diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg b/base/ca/shared/profiles/ca/caRouterCert.cfg
index 3364675..b306102 100644
--- a/base/ca/shared/profiles/ca/caRouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
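Review bot: The new policy 9 (`commonNameToSANDefaultImpl`, paired with `noConstraintImpl`) is added to a profile whose Subject Name Constraint, visible in this file's first hunk, is `policyset.serverCertSet.1.constraint.params.pattern=CN=.*`, so whatever CN a submitter puts in the request is now, presumably, promoted into a dNSName SAN that TLS clients will treat as an authoritative host identity; the old behaviour at least left that promotion to the submitter's own SAN input. If commonNameToSANDefaultImpl copies the CN unconditionally (I cannot see its implementation here), the subject-name pattern becomes the only control over which hostnames this serverAuth profile will vouch for, and `CN=.*` is no control at all. Either tighten the pattern to the deployment's naming rule, or add a `#` comment on policy 9 stating that the CN is trusted as a hostname and that policy 1's pattern is what bounds it. Separately, `keyUsageDataEncipherment=true` survives in the policy-6 hunks for this RSA TLS server profile even though the patch removes that bit elsewhere; digitalSignature plus keyEncipherment is the usual TLS server set, so the extra bit is worth a second look.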
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
index f197ffa..7fac691 100644
--- a/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index a55873f..6987061 100644
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
index c8e7205..62d6968 100644
--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=drmStorageCertSet
-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
 policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
 policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
@@ -71,15 +71,9 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.drmStorageCertSet.9.default.name=Signing Alg
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
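Review bot: The -71,15 hunk removes the clientAuth EKU (policy 7) from caStorageCert, but the sibling KRA storage profile caInternalAuthDRMstorageCert.cfg, earlier in this same patch, keeps `policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2` as untouched context, so the two storage-cert profiles now disagree on whether a storage certificate carries an EKU. If clientAuth is wrong for a key-wrapping certificate, it is wrong in both files and the other should get the same deletion; if there is a reason for the difference, a `#` comment next to the shortened `policyset.drmStorageCertSet.list=1,2,3,4,5,6,9` line should state it. Note also that with no EKU at all, the certificate's permitted uses are bounded only by the Key Usage default in policy 6, whose digitalSignature/keyEncipherment values begin before this hunk and are not visible here, so they are worth rechecking alongside this change.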
diff --git a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
index 82a217a..4f98512 100644
--- a/base/ca/shared/profiles/ca/caTPSCert.cfg
+++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
index 43caf26..ef8ab5f 100644
--- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4 policyset.userCertSet.8.default.params.subjAltNameNumGNs=2 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl policyset.userCertSet.9.constraint.name=No Constraint -policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl policyset.userCertSet.9.default.name=Signing Alg policyset.userCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg index 9164dac..62bc40c 100644 --- a/base/ca/shared/profiles/ca/caUserCert.cfg +++ b/base/ca/shared/profiles/ca/caUserCert.cfg @@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl policyset.userCertSet.9.constraint.name=No Constraint -policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl policyset.userCertSet.9.default.name=Signing Alg policyset.userCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg index 43b6e85..81fc027 100644 --- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg 
+++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg @@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl policyset.userCertSet.9.constraint.name=No Constraint -policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl policyset.userCertSet.9.default.name=Signing Alg policyset.userCertSet.9.default.params.signingAlg=- diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java index 1ae2f08..c4f2d6b 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java @@ -76,7 +76,7 @@ public class CACertCAEnrollProfile extends CAEnrollProfile IConfigStore defConfig4 = def4.getConfigStore(); defConfig4.putString("params.signingAlg", "-"); defConfig4.putString("params.signingAlgsAllowed", - "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); + "SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); // extensions IProfilePolicy policy5 = diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java index 81ad58c..97f221e 100644 --- a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java 
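Review bot: The hard-coded `params.signingAlgsAllowed` in `CACertCAEnrollProfile` now diverges from the `.cfg` profiles changed in the same commit: it omits `SHA384withRSA`, which the profile files allow and which this series adds to `SigningAlgDefault.DEF_CONFIG_ALGORITHMS`, while still listing `SHA1withRSA`. Two independent copies of the allowed-algorithm policy will keep drifting; at minimum make the Java default agree with the profiles, `"SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"`, and add a comment pointing at the profile files so future edits touch both. The enclosing method continues outside the hunk.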
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java @@ -46,7 +46,7 @@ public class SigningAlgDefault extends EnrollDefault { public static final String VAL_ALGORITHM = "signingAlg"; public static final String DEF_CONFIG_ALGORITHMS = - "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; + "-,SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA"; public SigningAlgDefault() { super(); diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 53296fc..3e0c9d2 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -1152,7 +1152,9 @@ class PKIConfigParser: "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" else: self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ @@ -1186,7 +1188,11 @@ class PKIConfigParser: "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA" + "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ + "-TLS_RSA_WITH_AES_256_GCM_SHA384" if self.deployer.architecture == 64: self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info index 44c6e4b..e51bffd 100644 --- a/base/server/share/conf/ciphers.info +++ b/base/server/share/conf/ciphers.info 
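Review bot: `DEF_CONFIG_ALGORITHMS` is the list of signing algorithms the default offers, and after this change it still leads with `SHA1withRSA` and has no EC entries, while the `.cfg` profiles in the same commit allow `SHA256withEC`/`SHA384withEC`/`SHA512withEC`; nothing in the file explains the asymmetry or what the leading `-` entry means (presumably "use the signing unit's default" — confirm against the consumer of this constant). Add a short comment above the constant, e.g. `// "-" = use the CA's configured default; SHA-1 retained for legacy issuance only`, and either add the EC algorithms or note why they are excluded here. The pkiparser.py hunks on this line duplicate the cipher lists kept in ciphers.info, so the two files must be edited together.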
@@ -123,8 +123,8 @@ # ## # For RSA servers: - sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" + 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" # # # For ECC servers: - 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index d3036f3..c1688e4 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java 
@@ -188,13 +188,21 @@ public class CryptoUtil { public static final int LINE_COUNT = 76; static public final Integer[] clientECCiphers = { +/* SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, +*/ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +// SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, +/* + SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +*/ }; static public List clientECCipherList = new ArrayList(Arrays.asList(clientECCiphers)); -- 1.8.3.1 From 992d97189bbcfff3427b1dcc752f6588da25e496 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 31 Aug 2018 17:08:30 -0700 Subject: [PATCH 10/19] Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS mode This patch disables the TLS_RSA_* ciphers by default because they do not work with HSMs in FIPS mode. ciphers.info is also updated to reflect the changes. fixes https://pagure.io/dogtagpki/issue/3027 Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 (cherry picked from commit 908514da63dd9364df0f17810d9d41bfb5c596d5) --- .../python/pki/server/deployment/pkiparser.py | 12 ++-- base/server/share/conf/ciphers.info | 70 ++++++++-------------- 2 files changed, 31 insertions(+), 51 deletions(-) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 3e0c9d2..2397f43 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py 
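Review bot: The new `clientECCiphers` array keeps its excluded entries as commented-out code (`/* SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, ... */`, `// SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`) with no explanation of why the `ECDH_RSA`/`ECDHE_RSA` suites are left out of an EC client allow-list. Commented-out constants in a cipher allow-list invite someone to uncomment them later; delete them and replace with a single policy comment, e.g. `// Only ECDHE_ECDSA suites are offered by EC clients; static ECDH has no forward secrecy and *_RSA suites do not apply to an EC client cert` (hedged — confirm that is the intended rationale). The context line `static public List clientECCipherList = new ArrayList(...)` is a raw type and could become `List<Integer>` while this array is being touched.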
@@ -1130,7 +1130,7 @@ class PKIConfigParser: "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ @@ -1146,7 +1146,7 @@ class PKIConfigParser: "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ @@ -1183,12 +1183,12 @@ class PKIConfigParser: "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info index e51bffd..bbb3cf1 100644 --- a/base/server/share/conf/ciphers.info +++ b/base/server/share/conf/ciphers.info 
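Review bot: The `TLS_RSA_*` suites are flipped to `-` unconditionally in both the ECC and RSA branches, not only when an HSM in FIPS mode is present, yet the Python carries no comment saying so; a reader who sees only `-TLS_RSA_WITH_AES_256_CBC_SHA` cannot tell whether re-enabling it is safe. Add a comment above the list, e.g. `# Static-RSA key exchange (TLS_RSA_*) is disabled: no forward secrecy, and it fails with HSMs in FIPS mode (ticket 3027). Keep in sync with share/conf/ciphers.info.` The same strings are duplicated verbatim in ciphers.info, so any future change must be made in both places. The enclosing method starts outside these hunks.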
@@ -26,17 +26,6 @@ # suited for the type of the server installed. Changes can be made to # suit each site's needs. # -# Although TLS1.2 ciphers (SHA256) are preferred, many older clients -# do not support them. For example, the following "preferred modern" -# ciphers are on by default, and by simply limiting the -# sslVersionRange* parameters, they can be turned off. -# -# TLS_RSA_WITH_AES_128_CBC_SHA256, -# TLS_RSA_WITH_AES_256_CBC_SHA256, -# TLS_RSA_WITH_AES_128_GCM_SHA256, -# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -# # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, # which, while provide added security to the already secure and adequate # TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions. @@ -62,25 +51,6 @@ # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 # -# The following somewhat weaker ciphers (in CBC mode), though -# adequate for the CS operations, can be turned off if so desired: -# -# TLS_RSA_WITH_AES_128_CBC_SHA, -# TLS_RSA_WITH_AES_256_CBC_SHA, -# -# Note: In an EC CS server setup, you will see by default that the -# following RSA ciphers are left on. Those are used for -# installation where the actual systems certs have not yet been -# created, and a temporary RSA ssl server cert is at play. -# -# Those can be turned off manually by sites. -# -# TLS_RSA_WITH_AES_256_CBC_SHA256, -# TLS_RSA_WITH_AES_128_GCM_SHA256 -# -# These ciphers might be removed by the installation script in -# some future release. -# # For RHEL 7.5 or greater: # # * all '3DES' ciphers have been disabled, 
@@ -98,33 +68,43 @@ # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, +# +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, # +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -# +TLS_RSA_WITH_AES_128_CBC_SHA256, -# +TLS_RSA_WITH_AES_256_CBC_SHA256, -# +TLS_RSA_WITH_AES_128_CBC_SHA, -# +TLS_RSA_WITH_AES_256_CBC_SHA -# -# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA, -# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain -# enabled in order to talk to the LDAP server -# during pkispawn installation/configuration. +# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, +# +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # # Default ciphers enabled for ECC servers: # # +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -# +TLS_RSA_WITH_AES_256_CBC_SHA, # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -# +TLS_RSA_WITH_AES_256_CBC_SHA256, # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, +# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, +# +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# +# For RHEL 7.6 or greater: +# +# The following ciphers do not work with HSM in FIPS mode, and +# are therefore disabled by default. 
+# +# TLS_RSA_WITH_AES_256_CBC_SHA, +# TLS_RSA_WITH_AES_128_CBC_SHA, +# TLS_RSA_WITH_AES_128_CBC_SHA256, +# TLS_RSA_WITH_AES_256_CBC_SHA256, +# TLS_RSA_WITH_AES_128_GCM_SHA256, +# TLS_RSA_WITH_AES_256_GCM_SHA384 +# +# note: +# * They are currently not preferred in TLS 1.2 +# * They are deprecated in TLS 1.3 # ## # For RSA servers: - sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" + 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" # # # For ECC servers: - 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -- 1.8.3.1 From 5385791f72c5fab901aa38cbc31fd2fd9af269bf Mon Sep 17 00:00:00 2001 
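Review bot: The hunk deletes the operational caveats that `TLS_RSA_WITH_AES_128_CBC_SHA`/`TLS_RSA_WITH_AES_256_CBC_SHA` may be needed to reach the LDAP server during pkispawn and that EC installs rely on a temporary RSA server cert, but the new text offers no replacement — nothing says the directory server and the installer's clients must now negotiate a DHE/ECDHE suite for configuration to succeed. Keep a one-line caveat under the new "For RHEL 7.6 or greater" paragraph, e.g. `# NOTE: with TLS_RSA_* disabled, the LDAP server and any client used during pkispawn must support ECDHE/DHE suites.` Also, static-RSA key exchange is removed from TLS 1.3 rather than merely deprecated, so `* They are not available in TLS 1.3` would be the accurate wording.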
From: Christina Fu Date: Tue, 18 Sep 2018 16:13:29 -0700 Subject: [PATCH 11/19] Bug1628410 CMC: add config to allow non-clientAuth This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg to allow agents to bypass clientAuth requirement in CMCAuth. Default value for cmc.bypassClientAuth is false. In addition, CMC enrollment profile caCMCUserCert "visible" value is set to false. fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410 Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc (cherry picked from commit 19120d14941b5964a728ab06b0406be3ddeff5d4) --- base/ca/shared/profiles/ca/caCMCUserCert.cfg | 2 +- .../com/netscape/cms/authentication/CMCAuth.java | 50 +++++++++++++--------- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg index 657b98e..1f990f2 100644 --- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. -visible=true +visible=false enable=true enableBy=admin auth.instance_id=CMCAuth diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java index 9b6a819..98d5e29 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java @@ -127,6 +127,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, /* authentication plug-in configuration store */ private IConfigStore mConfig; + private boolean mBypassClientAuth = false; private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; 
@@ -213,6 +214,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 mName = name;
 mImplName = implName;
 mConfig = config;
+ mBypassClientAuth =
+ CMS.getConfigStore().getBoolean("cmc.bypassClientAuth", false);
 log(ILogger.LL_INFO, "Initialization complete!");
 }
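Review bot: `cmc.bypassClientAuth` is read from the global `CMS.getConfigStore()` rather than from this instance's `mConfig`, so a single flag weakens every CMCAuth instance, and it is evaluated once at init; neither fact is visible to an operator who only sees the line in CS.cfg. Record the weakened mode in the system log at startup so it is discoverable, e.g. `if (mBypassClientAuth) log(ILogger.LL_INFO, "cmc.bypassClientAuth=true: SSL client authentication is not required for CMC requests");`. If per-instance scoping was intended, read it from `mConfig` instead. The method's signature and the rest of its body are outside the hunk.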
@@ -882,28 +885,33 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, X509Certificate clientCert = (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); if (clientCert == null) { - // createAuditSubjectFromCert(auditContext, x509Certs[0]); - msg = "missing SSL client authentication certificate;"; - CMS.debug(method + msg); - s.close(); - throw new EMissingCredential( - CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); - } - netscape.security.x509.X500Name clientPrincipal = - (X500Name) clientCert.getSubjectDN(); - - netscape.security.x509.X500Name cmcPrincipal = - (X500Name) x509Certs[0].getSubjectDN(); - - // check ssl client cert against cmc signer - if (!clientPrincipal.equals(cmcPrincipal)) { - msg = "SSL client authentication certificate and CMC signer do not match"; - CMS.debug(method + msg); - s.close(); - throw new EInvalidCredentials( - CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + if (mBypassClientAuth) { + msg = "missing SSL client authentication certificate; allowed"; + CMS.debug(method + msg); + } else { + msg = "missing SSL client authentication certificate;"; + CMS.debug(method + msg); + s.close(); + throw new EMissingCredential( + CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); + } } else { - CMS.debug(method + "ssl client cert principal and cmc signer principal match"); + netscape.security.x509.X500Name clientPrincipal = + (X500Name) clientCert.getSubjectDN(); + + netscape.security.x509.X500Name cmcPrincipal = + (X500Name) x509Certs[0].getSubjectDN(); + + // check ssl client cert against cmc signer + if (!clientPrincipal.equals(cmcPrincipal)) { + msg = "SSL client authentication certificate and CMC signer do not match"; + CMS.debug(method + msg); + s.close(); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "ssl client cert principal and cmc signer principal match"); + } } PublicKey signKey = 
cert.getPublicKey(); -- 1.8.3.1 From b53d4f5f135432d6bc25b4bc0def1ea4b44705a4 Mon Sep 17 00:00:00 2001 From: Dinesh Prasanth M K Date: Mon, 1 Oct 2018 16:25:08 -0400 Subject: [PATCH 12/19] Fixes password leak of Auth plugins to Audit Logs (#57) * Auth plugin adds `(sensitive)` instead of plain passwords to AuditLogs * Added generic `isSensitive()` to identify Passwords before logging Signed-off-by: Dinesh Prasanth M K (cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1) --- base/common/src/com/netscape/certsrv/apps/CMS.java | 30 ++++++++++++++++++++++ .../netscape/cms/servlet/admin/AdminServlet.java | 18 ++----------- .../com/netscape/cms/servlet/base/CMSServlet.java | 21 +-------------- .../netscape/cms/servlet/csadmin/BaseServlet.java | 15 +---------- .../cms/servlet/processors/CAProcessor.java | 16 +----------- .../servlet/profile/ProfileSubmitCMCServlet.java | 17 ++---------- 6 files changed, 37 insertions(+), 80 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java index d04223f..0bf186e 100644 --- a/base/common/src/com/netscape/certsrv/apps/CMS.java +++ b/base/common/src/com/netscape/certsrv/apps/CMS.java 
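Review bot: When `mBypassClientAuth` is true and no SSL client certificate is present, the request is accepted on the CMC signature alone with only a `CMS.debug` trace, so the audit trail never records that the signer was not bound to any TLS identity. Since the `clientCert == null` path can now succeed, set the audit subject from the signer (the removed comment `// createAuditSubjectFromCert(auditContext, x509Certs[0]);` suggests such a helper exists — confirm) and emit a non-debug log line, e.g. `log(ILogger.LL_INFO, method + "client auth bypassed by cmc.bypassClientAuth; CMC signer: " + x509Certs[0].getSubjectDN());`. The enclosing method continues past both ends of this hunk, so the later audit event may need the subject populated here.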
@@ -1672,6 +1672,36 @@ public final class CMS { } /** + * Check whether the string is contains password + * + * @param name key string + * @return whether key is a password or not + */ + public static boolean isSensitive(String name) { + return (name.startsWith("__") || + name.endsWith("password") || + name.endsWith("passwd") || + name.endsWith("pwd") || + name.equalsIgnoreCase("admin_password_again") || + name.equalsIgnoreCase("directoryManagerPwd") || + name.equalsIgnoreCase("bindpassword") || + name.equalsIgnoreCase("bindpwd") || + name.equalsIgnoreCase("passwd") || + name.equalsIgnoreCase("password") || + name.equalsIgnoreCase("pin") || + name.equalsIgnoreCase("pwd") || + name.equalsIgnoreCase("pwdagain") || + name.equalsIgnoreCase("uPasswd") || + name.equalsIgnoreCase("PASSWORD_CACHE_ADD") || + name.startsWith("p12Password") || + name.equalsIgnoreCase("host_challenge") || + name.equalsIgnoreCase("card_challenge") || + name.equalsIgnoreCase("card_cryptogram") || + name.equalsIgnoreCase("drm_trans_desKey") || + name.equalsIgnoreCase("cert_request")); + } + + /** * Main driver to start CMS. */ public static void main(String[] args) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java index 2b8cec7..ed5393b 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java 
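Review bot: `isSensitive` mixes case-sensitive suffix tests (`endsWith("password")`, `endsWith("passwd")`, `endsWith("pwd")`) with `equalsIgnoreCase` exact-name tests, so a camel-cased name such as `adminPassword` or `challengePassword` is not caught by any clause and would be logged in clear, and a `null` name throws `NullPointerException` from `startsWith`. Normalise once and test the lowercase form: `if (name == null) return false; String n = name.toLowerCase(Locale.ROOT);` then run every `startsWith`/`endsWith`/`equals` against `n` (add `import java.util.Locale;` if CMS.java lacks it). The Javadoc "Check whether the string is contains password" should read `Check whether a request parameter name denotes a secret (password, PIN, challenge, key material) whose value must never be logged.`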
@@ -203,21 +203,7 @@ public class AdminServlet extends HttpServlet { // __ (double underscores); however, in the event that // a security parameter slips through, we perform multiple // additional checks to insure that it is NOT displayed - if (pn.startsWith("__") || - pn.endsWith("password") || - pn.endsWith("passwd") || - pn.endsWith("pwd") || - pn.equalsIgnoreCase("admin_password_again") || - pn.equalsIgnoreCase("directoryManagerPwd") || - pn.equalsIgnoreCase("bindpassword") || - pn.equalsIgnoreCase("bindpwd") || - pn.equalsIgnoreCase("passwd") || - pn.equalsIgnoreCase("password") || - pn.equalsIgnoreCase("pin") || - pn.equalsIgnoreCase("pwd") || - pn.equalsIgnoreCase("pwdagain") || - pn.equalsIgnoreCase("uPasswd") || - pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) { + if (CMS.isSensitive(pn)) { CMS.debug("AdminServlet::service() param name='" + pn + "' value='(sensitive)'"); } else { @@ -992,7 +978,7 @@ public class AdminServlet extends HttpServlet { if (name.equals(Constants.RS_ID)) continue; String value = null; - if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD")) + if (CMS.isSensitive(name)) value = "(sensitive)"; else value = req.getParameter(name); diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java index f18db1a..0c65702 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java 
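Review bot: The comment left above the replaced condition ("we perform multiple additional checks to insure that it is NOT displayed") now describes a list that no longer lives in this file; point it at the shared predicate instead, e.g. `// a security parameter slips through, CMS.isSensitive() holds the shared denylist of names that must never be displayed`. Note that the second hunk also widens what the admin audit parameter dump masks: previously only `PASSWORD_CACHE_ADD` was replaced by `(sensitive)`, now `pin`, `cert_request`, `host_challenge` and the rest are too, which is the intended fix but changes the content of existing audit records. Both enclosing methods start outside their hunks.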
@@ -403,26 +403,7 @@ public abstract class CMSServlet extends HttpServlet { // __ (double underscores); however, in the event that // a security parameter slips through, we perform multiple // additional checks to insure that it is NOT displayed - if (pn.startsWith("__") || - pn.endsWith("password") || - pn.endsWith("passwd") || - pn.endsWith("pwd") || - pn.equalsIgnoreCase("admin_password_again") || - pn.equalsIgnoreCase("directoryManagerPwd") || - pn.equalsIgnoreCase("bindpassword") || - pn.equalsIgnoreCase("bindpwd") || - pn.equalsIgnoreCase("passwd") || - pn.equalsIgnoreCase("password") || - pn.equalsIgnoreCase("pin") || - pn.equalsIgnoreCase("pwd") || - pn.equalsIgnoreCase("pwdagain") || - pn.startsWith("p12Password") || - pn.equalsIgnoreCase("uPasswd") || - pn.equalsIgnoreCase("host_challenge") || - pn.equalsIgnoreCase("card_challenge") || - pn.equalsIgnoreCase("card_cryptogram") || - pn.equalsIgnoreCase("drm_trans_desKey") || - pn.equalsIgnoreCase("cert_request")) { + if (CMS.isSensitive(pn)) { CMS.debug("CMSServlet::service() param name='" + pn + "' value='(sensitive)'"); } else { diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java index 3b3ae40..70922dc 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java 
@@ -70,20 +70,7 @@ public class BaseServlet extends VelocityServlet { // __ (double underscores); however, in the event that // a security parameter slips through, we perform multiple // additional checks to insure that it is NOT displayed - if (pn.startsWith("__") || - pn.endsWith("password") || - pn.endsWith("passwd") || - pn.endsWith("pwd") || - pn.equalsIgnoreCase("admin_password_again") || - pn.equalsIgnoreCase("directoryManagerPwd") || - pn.equalsIgnoreCase("bindpassword") || - pn.equalsIgnoreCase("bindpwd") || - pn.equalsIgnoreCase("passwd") || - pn.equalsIgnoreCase("password") || - pn.equalsIgnoreCase("pin") || - pn.equalsIgnoreCase("pwd") || - pn.equalsIgnoreCase("pwdagain") || - pn.equalsIgnoreCase("uPasswd")) { + if (CMS.isSensitive(pn)) { CMS.debug("BaseServlet::service() param name='" + pn + "' value='(sensitive)'"); } else { diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index 62b4242..f732c4d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
@@ -258,21 +258,7 @@ public class CAProcessor extends Processor { // __ (double underscores); however, in the event that // a security parameter slips through, we perform multiple // additional checks to insure that it is NOT displayed - if (paramName.startsWith("__") || - paramName.endsWith("password") || - paramName.endsWith("passwd") || - paramName.endsWith("pwd") || - paramName.equalsIgnoreCase("admin_password_again") || - paramName.equalsIgnoreCase("directoryManagerPwd") || - paramName.equalsIgnoreCase("bindpassword") || - paramName.equalsIgnoreCase("bindpwd") || - paramName.equalsIgnoreCase("passwd") || - paramName.equalsIgnoreCase("password") || - paramName.equalsIgnoreCase("pin") || - paramName.equalsIgnoreCase("pwd") || - paramName.equalsIgnoreCase("pwdagain") || - paramName.equalsIgnoreCase("uPasswd") || - paramName.equalsIgnoreCase("cert_request")) { + if (CMS.isSensitive(paramName)) { CMS.debug("CAProcessor: - " + paramName + ": (sensitive)"); } else { CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue()); diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index 03e94a8..81a2f2a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java 
@@ -47,9 +47,9 @@ import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.AuthEvent; import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; -import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.profile.ECMCBadIdentityException; import com.netscape.certsrv.profile.ECMCBadMessageCheckException; import com.netscape.certsrv.profile.ECMCBadRequestException; @@ -306,20 +306,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { // __ (double underscores); however, in the event that // a security parameter slips through, we perform multiple // additional checks to insure that it is NOT displayed - if (paramName.startsWith("__") || - paramName.endsWith("password") || - paramName.endsWith("passwd") || - paramName.endsWith("pwd") || - paramName.equalsIgnoreCase("admin_password_again") || - paramName.equalsIgnoreCase("directoryManagerPwd") || - paramName.equalsIgnoreCase("bindpassword") || - paramName.equalsIgnoreCase("bindpwd") || - paramName.equalsIgnoreCase("passwd") || - paramName.equalsIgnoreCase("password") || - paramName.equalsIgnoreCase("pin") || - paramName.equalsIgnoreCase("pwd") || - paramName.equalsIgnoreCase("pwdagain") || - paramName.equalsIgnoreCase("uPasswd")) { + if (CMS.isSensitive(paramName)) { CMS.debug("ProfileSubmitCMCServlet Input Parameter " + paramName + "='(sensitive)'"); } else { -- 1.8.3.1 From 4041f30e683307eb96140c8b81e48e62c2e7c34a Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata" Date: Tue, 28 Aug 2018 23:08:13 +0200 Subject: [PATCH 13/19] Fixed CA signing cert importation The pki_ca_signing_cert_path param has been modified to have an empty value by default. The import_ca_signing_cert() has been modified such that if the param is not specified, it will return silently. If the param contains an invalid path, the method will fail. If the param contains a valid path to the CA signing cert, the cert will be imported into the NSS database. https://pagure.io/dogtagpki/issue/3040 Change-Id: Idde1850744391162495599067c840c47ef47de69 (cherry picked from commit a4f5b17ee96adf79391f9def6e04bb239a779cbe) --- base/server/etc/default.cfg | 2 +- base/server/man/man5/pki_default.cfg.5 | 2 +- .../pki/server/deployment/scriptlets/configuration.py | 19 ++++++++++--------- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 0f348ee..b92cca7 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -94,7 +94,7 @@ pki_ca_port=%(pki_security_domain_https_port)s pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA # DEPRECATED: Use 'pki_ca_signing_cert_path' instead. -pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert +pki_external_ca_cert_path= pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 index fe3cdc7..afdcbfb 100644 --- a/base/server/man/man5/pki_default.cfg.5 +++ b/base/server/man/man5/pki_default.cfg.5 
@@ -413,7 +413,7 @@ Required for the second step of a stand-alone PKI process. This is the location .PP .B pki_ca_signing_cert_path .IP -Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/external_ca_chain.cert'. +Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to empty. .PP .B pki_external_admin_cert_path .IP diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index fd043a8..1b62445 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -395,15 +395,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): self.import_system_cert_request(deployer, subsystem, 'subsystem') self.import_system_cert_request(deployer, subsystem, 'sslserver') - def import_ca_signing_cert(self, deployer, nssdb, subsystem): + def import_ca_signing_cert(self, deployer, nssdb): param = 'pki_ca_signing_cert_path' cert_file = deployer.mdict.get(param) - if not cert_file or not os.path.exists(cert_file): - if subsystem.name == 'ca': - raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) - else: - return + + if not cert_file: + return + + if not os.path.exists(cert_file): + raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) nickname = deployer.mdict['pki_ca_signing_nickname'] 
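Review bot: `import_ca_signing_cert` now returns silently when `pki_ca_signing_cert_path` is empty, yet the man-page hunk in this same patch documents the parameter as "Required for the second step of a stand-alone PKI process", so a stand-alone CA whose deployment file omits it now passes this point without the external CA certificate in the NSS database and fails later with a less obvious error. If the deployer exposes a flag for the stand-alone step-two case (I cannot see one from here), I'd check it before the early return, e.g. `if not cert_file: if <stand-alone step-two flag>: raise Exception('%s is required for stand-alone step 2' % param); return`. The remainder of the method (nickname lookup and the import itself) is outside the hunk.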
@@ -593,14 +594,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def import_system_certs(self, deployer, nssdb, subsystem): if subsystem.name == 'ca': - self.import_ca_signing_cert(deployer, nssdb, subsystem) + self.import_ca_signing_cert(deployer, nssdb) self.import_ca_ocsp_signing_cert(deployer, nssdb) if subsystem.name == 'kra': # Always import cert chain into internal token. internal_nssdb = subsystem.instance.open_nssdb() try: - self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) + self.import_ca_signing_cert(deployer, internal_nssdb) finally: internal_nssdb.close() @@ -612,7 +613,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Always import cert chain into internal token. internal_nssdb = subsystem.instance.open_nssdb() try: - self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) + self.import_ca_signing_cert(deployer, internal_nssdb) finally: internal_nssdb.close() -- 1.8.3.1 From 6fbffb076caea906381e47bc1b6cae9da9892ae4 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 23 Oct 2018 03:31:33 +0200 Subject: [PATCH 14/19] Fixed password prompt in pki CLI The pki CLI has been modified not to throw an exception when the user specifies a username without any password. The CLI will then prompt for a password. https://pagure.io/dogtagpki/issue/2840 (cherry picked from commit b1bda0a1e7baca575561c08e78d93ae7c7160738) --- base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java index 711625a..50e5b75 100644 --- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java 
@@ -378,9 +378,6 @@ public class MainCLI extends CLI { if (passwordFile != null && password != null) { throw new Exception("The '-W' and '-w' options are mutually exclusive."); - - } else if (passwordFile == null && password == null) { - throw new Exception("Missing user password."); } } -- 1.8.3.1 From 60ad482668db175f297e55a947f55021871ce348 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 17 Oct 2018 18:21:52 +0200 Subject: [PATCH 16/19] Added CMSEngine.disableSubsystem() The code that calls pki-server subsystem-disable in SelfTestSubsystem has been moved into CMSEngine.disableSubsystem(). https://pagure.io/dogtagpki/issue/3070 (cherry picked from commit d5b119cdf3693680d5d1518b4b21b436d442708b) --- base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ .../src/com/netscape/cmscore/apps/CMSEngine.java | 24 +++++++++++++++++++++ .../cmscore/selftests/SelfTestSubsystem.java | 25 +++++----------------- 3 files changed, 33 insertions(+), 20 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java index 0bf186e..b6b74e6 100644 --- a/base/common/src/com/netscape/certsrv/apps/CMS.java +++ b/base/common/src/com/netscape/certsrv/apps/CMS.java @@ -145,6 +145,10 @@ public final class CMS { _engine = engine; } + public static ICMSEngine getCMSEngine() { + return _engine; + } + /** * This method is used for unit tests. It allows the underlying _engine * to be stubbed out. diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java index eaf57fa..2c953cc 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
@@ -2042,6 +2042,30 @@ public class CMSEngine implements ICMSEngine { } + public void disableSubsystem() { + + String name = mConfig.get("cs.type"); + String subsystemID = name.toLowerCase(); + + CMS.debug("CMSEngine: Disabling " + name + " subsystem"); + + try { + ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceId, subsystemID); + CMS.debug("Command: " + String.join(" ", pb.command())); + + Process process = pb.inheritIO().start(); + int rc = process.waitFor(); + + if (rc != 0) { + CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. RC: " + rc); + } + + } catch (Exception e) { + CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage()); + CMS.debug(e); + } + } + /** * shuts down a subsystem list in reverse order. */ diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java index 98b53c7..9ed4f8a 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java @@ -50,6 +50,7 @@ import com.netscape.certsrv.selftests.ISelfTest; import com.netscape.certsrv.selftests.ISelfTestSubsystem; import com.netscape.cms.logging.Logger; import com.netscape.cms.logging.SignedAuditLogger; +import com.netscape.cmscore.apps.CMSEngine; ////////////////////// // class definition // 
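Review bot: A non-zero exit code or an exception from `pki-server subsystem-disable` is only written to the debug log, yet patch 18 in this series makes this method the sole response to a signed-audit-log write failure; if `pki-server` is missing from the service's PATH or the command fails, the subsystem keeps serving requests with no audit trail, which is the state the in-process `CMS.forceShutdown()` it replaces prevented. I'd make the outcome visible and keep a fallback: return `rc == 0` (false from the `catch`), and in both the `rc != 0` and `catch` branches invoke the existing in-process shutdown so a failed undeploy still stops request processing. Two smaller points in the same hunk: `mConfig.get("cs.type")` is dereferenced by `toLowerCase()` before the `try`, so a missing key throws an NPE out of the method instead of being logged, and the `InterruptedException` from `process.waitFor()` is swallowed by `catch (Exception e)` without `Thread.currentThread().interrupt()`.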
@@ -1832,29 +1833,13 @@ public class SelfTestSubsystem audit(auditMessage); - CMS.debug("SelfTestSubsystem.startup(): shutdown server"); + CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); + CMS.debug(e); - // shutdown the system gracefully CMS.shutdown(); - IConfigStore cs = CMS.getConfigStore(); - String instanceID = cs.get("instanceId"); - String subsystemID = cs.get("cs.type").toLowerCase(); - - System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); - - try { - ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); - Process process = pb.inheritIO().start(); - int rc = process.waitFor(); - - if (rc != 0) { - System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". RC: " + rc); - } - - } catch (Exception e2) { - e.printStackTrace(); - } + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); } } -- 1.8.3.1 From 83e911b75bb887bc4f3bf36fc9709401e54b7443 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 17 Oct 2018 18:22:24 +0200 Subject: [PATCH 17/19] Fixed subsystem shutdown on selftest failures The code that handles selftest failures have been modified to call CMSEngine.disableSubsystem() to undeploy the web application. Once undeployed, the web application will no longer accept client requests, then Tomcat will execute CMSStartServlet.destroy() which will eventually shutdown the subsystem. https://pagure.io/dogtagpki/issue/3070 (cherry picked from commit 7c3711c786ba90fe29b7450530dd8372d5839fcd) --- .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 7 ++++--- .../src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 9 ++++----- 2 files changed, 8 insertions(+), 8 deletions(-) 
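Review bot: The downcast `(CMSEngine) CMS.getCMSEngine()` binds this failure path to the concrete engine, while the comment adjacent to the new accessor in the CMS.java hunk says `_engine` can be stubbed out for unit tests, so a stubbed `ICMSEngine` turns a selftest failure into a `ClassCastException` here rather than a disabled subsystem. Declaring `void disableSubsystem();` on `ICMSEngine` and calling `CMS.getCMSEngine().disableSubsystem()` removes the cast at this and the other call sites added later in the series. The enclosing `startup()` method continues outside the hunk.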
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java index 59a5d62..633b13d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java @@ -73,6 +73,7 @@ import com.netscape.certsrv.selftests.ESelfTestException; import com.netscape.certsrv.selftests.ISelfTest; import com.netscape.certsrv.selftests.ISelfTestSubsystem; import com.netscape.certsrv.tks.ITKSAuthority; +import com.netscape.cmscore.apps.CMSEngine; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; @@ -3194,10 +3195,10 @@ public final class CMSAdminServlet extends AdminServlet { + "\n"; sendResponse(ERROR, content, null, resp); - CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown server"); + CMS.debug("CMSAdminServlet: Disabling subsystem due to selftest failure: " + e.getMessage()); - // shutdown the system gracefully - CMS.shutdown(); + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); return; } else { diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java index 9ed4f8a..8ce9a58 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java 
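Review bot: This site logs only `e.getMessage()` while the parallel selftest-failure sites in SelfTestSubsystem in this series also call `CMS.debug(e)` to capture the stack trace; for a failure that takes the whole subsystem offline the trace is what the administrator will need, so I'd add `CMS.debug(e);` after the new debug line for parity. Note also that `sendResponse(ERROR, ...)` runs before `disableSubsystem()`, which blocks on `waitFor()` for the external `pki-server` command, so the request thread that triggered the on-demand test holds until the undeploy completes; that is probably acceptable but deserves a one-line comment. The `else` branch continues outside the hunk.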
@@ -537,10 +537,11 @@ public class SelfTestSubsystem "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", instanceFullName)); - CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); + CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage()); + CMS.debug(e); - // shutdown the system gracefully - CMS.shutdown(); + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); return; } @@ -1836,8 +1837,6 @@ public class SelfTestSubsystem CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); CMS.debug(e); - CMS.shutdown(); - CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); engine.disableSubsystem(); } -- 1.8.3.1 From 81710f32fb9c269f2795b3272b3765a542299eb6 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 17 Oct 2018 18:23:09 +0200 Subject: [PATCH 18/19] Fixed signed audit logging failure handling The code that handles signed audit logging failures has been modified to call CMSEngine.disableSubsystem() to undeploy the web application. Once undeployed, the web application will no longer accept client requests, then Tomcat will execute CMSStartServlet.destroy() which will eventually shutdown the subsystem. https://pagure.io/dogtagpki/issue/3070 (cherry picked from commit 5e7d7b972f14d65781909f6dfee4ad1e7ecb801a) --- .../cms/src/com/netscape/cms/logging/LogFile.java | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java index b04f70d..a4a691b 100644 --- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java +++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java 
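Review bot: With `CMS.shutdown()` removed from the startup path in the second hunk, a subsystem that fails its startup self-tests is now stopped only if `pki-server subsystem-disable` succeeds; `disableSubsystem()` as added in patch 16 logs a non-zero exit and returns normally, so on that failure startup continues and the instance serves requests despite the failed checks, whereas before it was shut down in-process. I'd keep a defensive fallback here, e.g. `if (!engine.disableSubsystem()) CMS.shutdown();` if the method is changed to report its result, or at minimum a comment such as `// undeploy is expected to trigger CMSStartServlet.destroy(), which shuts the subsystem down` so the reliance on the external command is explicit. Both enclosing methods continue outside their hunks.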
@@ -79,6 +79,7 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.LogSource; import com.netscape.certsrv.logging.SignedAuditEvent; import com.netscape.certsrv.logging.SystemEvent; +import com.netscape.cmscore.apps.CMSEngine; import com.netscape.cmsutil.util.Utils; import netscape.ldap.client.JDAPAVA; @@ -422,20 +423,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { // synchronized. We just want to avoid an infinite loop. mInSignedAuditLogFailureMode = true; - // Block all new incoming requests - if (CMS.areRequestsDisabled() == false) { - // XXX is this a race condition? - CMS.disableRequests(); - } - - // Terminate all requests in process - CMS.terminateRequests(); - - // Call graceful shutdown of the CMS server - // Call force shutdown to get added functionality of - // making sure to kill the web server. + CMS.debug("LogFile: Disabling subsystem due to signed logging failure"); - CMS.forceShutdown(); + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); } } -- 1.8.3.1 From bd2b3117334ce0e638bf309a591a0eeb6390253f Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 20 Oct 2018 04:03:49 +0200 Subject: [PATCH 19/19] Added doc on signed audit logging failures https://pagure.io/dogtagpki/issue/3070 (cherry picked from commit 54c1b9b04625de6f3493e5d28979a740b31e63b3) --- docs/admin/Signed_Audit_Logging_Failures.md | 88 +++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 docs/admin/Signed_Audit_Logging_Failures.md diff --git a/docs/admin/Signed_Audit_Logging_Failures.md b/docs/admin/Signed_Audit_Logging_Failures.md new file mode 100644 index 0000000..17cc3bd --- /dev/null +++ b/docs/admin/Signed_Audit_Logging_Failures.md 
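Review bot: The removed lines blocked new requests with `CMS.disableRequests()` and terminated in-flight ones synchronously before shutting down, whereas the new code only launches `pki-server subsystem-disable` and returns, so between the failed flush and Tomcat's undeploy the subsystem keeps accepting and executing operations that cannot be audit-logged, and if the spawn fails (its exit code is only debug-logged in `disableSubsystem()`) that window never closes. I'd keep the in-process gate ahead of the external command: `if (!CMS.areRequestsDisabled()) CMS.disableRequests();` then `CMS.terminateRequests();` and only then `engine.disableSubsystem();`, so the guarantee that no unlogged operation is processed does not depend on a child process succeeding. The enclosing method starts outside the hunk.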
@@ -0,0 +1,88 @@ +Signed Audit Logging Failures +============================= + +## Overview + +If a PKI subsystem is unable to write signed audit log to disk, +the subsystem will automatically shutdown to prevent it from +receiving and executing additional operations that cannot be +logged. + +This situation may happen when the disk is full. In that case +the admin will need to provide additional disk space, then restart +the subsystem. + +Note: auto-shutdown will only work if audit signing is enabled. + +## Verifying Auto-Shutdown + +To verify auto-shutdown on a CA instance, prepare a small +partition and assign the proper permissions: + +``` +$ mkdir -p /tmp/audit +$ mount -t tmpfs -o size=2M,mode=0755 tmpfs /tmp/audit +$ chown pkiuser:pkiuser /tmp/audit +$ semanage fcontext -a -t pki_tomcat_log_t /tmp/audit +$ restorecon -vR /tmp/audit +``` + +Edit /etc/pki/pki-tomcat/ca/CS.cfg to enable audit signing +and configure it to store the logs in the above partition: + +``` +log.instance.SignedAudit.logSigning=true +log.instance.SignedAudit.fileName=/tmp/audit/ca_audit +``` + +Restart the server: + +``` +$ systemctl restart pki-tomcatd@pki-tomcat.service +``` + +Create a big file to fill up the partition: + +``` +$ dd if=/dev/zero of=/tmp/audit/bigfile bs=1M count=2 +``` + +Execute some operations to generate audit logs, for example: + +``` +$ pki ca-cert-find +``` + +When the partition becomes full, the server will no longer able +to write the signed audit log into the partition, so it will +generate the following message in console or systemd journal +(assuming the journal is stored in a different partition that +is not full): + +``` +Failed to flush log "/tmp/audit/ca_audit", error: No space left on device +``` + +Then the CA subsystem will shutdown automatically. The server itself +will still be running and accepting connections, but all requests +going to the CA subsystem will fail. 
+ +To resolve the issue, create more space in the partition by +removing the big file: + +``` +$ rm -f /tmp/audit/bigfile +``` + +Then re-enable the CA subsystem with the following command: + +``` +$ pki-server subsystem-enable -i pki-tomcat ca +``` + +or by restarting the server: + +``` +$ systemctl restart pki-tomcatd@pki-tomcat.service +``` + -- 1.8.3.1