From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 30 Jul 2018 17:15:09 -0700 Subject: [PATCH 1/5] Bug 1601071 Certificate generation happens with partial attributes in CMCRequest file This patch addresses the issue where when a cmcSelfSisnged profile is used in a cmcUserSigned case, the certificate is issued. A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case. A new constraint CMCSelfSignedSubjectNameConstraint has been introduced to verify. In additional, all profiles that authenticate through CMCUserSignedAuth are turned off by default to allow site administrators to make conscious decision on their own for these features. Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default. Change-Id: I275118d31b966494411888beb37032bb022c29ce (cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536) --- base/ca/shared/conf/CS.cfg | 2 +- base/ca/shared/conf/registry.cfg | 9 +- .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +- .../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +- .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +- .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- .../certsrv/authentication/IAuthToken.java | 7 +- .../com/netscape/cms/authentication/CMCAuth.java | 5 +- .../cms/authentication/CMCUserSignedAuth.java | 16 ++- .../netscape/cms/authentication/SharedSecret.java | 4 +- .../netscape/cms/profile/common/EnrollProfile.java | 18 +++ .../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++ .../profile/def/AuthTokenSubjectNameDefault.java | 2 +- .../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++- base/server/cmsbundle/src/UserMessages.properties | 3 +- 15 files changed, 216 insertions(+), 28 deletions(-) create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 1d65835..fcd85a2 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg index 54e4d95..4fe6e93 100644 --- a/base/ca/shared/conf/registry.cfg +++ b/base/ca/shared/conf/registry.cfg @@ -1,5 +1,5 @@ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater -constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl +constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint @@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint +constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint +constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint +constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint -constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint -constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint +constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint +constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint constraintPolicy.validityConstraintImpl.desc=Validity Constraint constraintPolicy.validityConstraintImpl.name=Validity Constraint diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg index 144c05c..48e6499 100644 --- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request -enable=true +enable=false enableBy=admin name=Self-Signed CMC User Certificate Enrollment visible=false @@ -10,10 +10,8 @@ output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl -policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -policyset.cmcUserCertSet.1.constraint.params.accept=true -policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* +policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl +policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl policyset.cmcUserCertSet.1.default.name=Subject Name Default policyset.cmcUserCertSet.1.default.params.name= diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg index d2286de..e7b60ee 100644 --- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication. -enable=true +enable=false enableBy=admin name=User-Signed CMC-Authenticated User Certificate Enrollment visible=false diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg index bdcdc24..538b16a 100644 --- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request -enable=true +enable=false enableBy=admin name=Self-Signed CMC User Certificate Enrollment visible=false @@ -10,10 +10,8 @@ output.list=o1 output.o1.class_id=certOutputImpl policyset.list=cmcUserCertSet policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl -policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* -policyset.cmcUserCertSet.1.constraint.params.accept=true +policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl +policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl policyset.cmcUserCertSet.1.default.name=Subject Name Default policyset.cmcUserCertSet.1.default.params.name= diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg index 9b5d3e9..b0ff8af 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. -enable=true +enable=false enableBy=admin name=User-Signed CMC-Authenticated User Certificate Enrollment visible=false diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java index 59c6af2..d5d03b4 100644 --- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java +++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java @@ -44,9 +44,14 @@ public interface IAuthToken { public static final String GROUP = "group"; public static final String GROUPS = "groups"; - /* Subject name of the certificate in the authenticating entry */ + /* Subject name of the certificate request in the authenticating entry */ public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; + /* Subject name of the authenticated cert */ + public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject"; + /* Subject DN of the Shared Token authenticated entry */ + public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject"; + /* NotBefore value of the certificate in the authenticating entry */ public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java index 86ffa2f..9b6a819 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java @@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, IAuthToken tempToken = agentAuth.authenticate(agentCred); netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); - String ID = tempPrincipal.toString(); + String ID = tempPrincipal.getName(); CMS.debug(method + " Principal name = " + ID); + authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); @@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, public void populate(IAuthToken token, IRequest request) throws EProfileException { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); + token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT)); } public boolean isSSLClientRequired() { diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index d5f6c34..a9a7ade 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, if (requestCertSubject.equals("")) { requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; } - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); //authToken.set("uid", uid); @@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, IAuthToken tempToken = new AuthToken(null); netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); - String ID = tempPrincipal.toString(); //tempToken.get("userid"); + String ID = tempPrincipal.getName(); //tempToken.get("userid"); CMS.debug(method + " Principal name = " + ID); + authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); BigInteger certSerial = x509Certs[0].getSerialNumber(); CMS.debug(method + " verified cert serial=" + certSerial.toString()); @@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, public void populate(IAuthToken token, IRequest request) throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, - token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); + String method = "CMCUserSignedAuth: populate: "; + String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT); + if (authenticatedDN != null) { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, + authenticatedDN); + CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+ + authenticatedDN); + } else { + CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?"); + } } public boolean isSSLClientRequired() { diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java index 5ebc213..2d8679c 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java @@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.pkix.cmc.PKIData; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.AuthToken; import com.netscape.certsrv.authentication.EInvalidCredentials; import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.AuthToken; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authentication.ISharedToken; import com.netscape.certsrv.base.EBaseException; @@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication } CMS.debug(method + "found user ldap entry: userdn = " + userdn); - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); + authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn); res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, "(objectclass=*)", new String[] { mShrTokAttr }, false); diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 929e629..f9903c6 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile // catch for invalid request cmc_msgs = parseCMC(locale, cert_request, donePOI); + SessionContext sessionContext = SessionContext.getContext(); + String authenticatedSubject = + (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); + + if (authenticatedSubject != null) { + ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject); + } + if (cmc_msgs == null) { CMS.debug(method + "parseCMC returns cmc_msgs null"); return null; @@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile auditSubjectID = ident_string; sessionContext.put(SessionContext.USER_ID, auditSubjectID); + // subjectdn from SharedSecret ldap auth + // set in context and authToken to be used by profile + // default and constraints plugins + authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, + authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); + authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, + authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); + sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, + authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); + auditMessage = CMS.getLogMessage( AuditEvent.CMC_PROOF_OF_IDENTIFICATION, auditSubjectID, diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java new file mode 100644 index 0000000..d4554ca --- /dev/null +++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java @@ -0,0 +1,129 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authentication.IAuthManager; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; +import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +/** + * This class implements the user subject name constraint for self-signed cmc requests. + * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match + * + * @author cfu + * @version $Revision$, $Date$ + */ +public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { + + public CMCSelfSignedSubjectNameConstraint() { + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. User encoded subject name + * is copied into the certificate template. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + String method = "CMCSelfSignedSubjectNameConstraint: "; + String msg = ""; + + CertificateSubjectName infoCertSN = null; + String authTokenSharedTokenSN = null; + + try { + infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + if (infoCertSN == null) { + msg = method + "infoCertSN null"; + CMS.debug(msg); + throw new Exception(msg); + } + CMS.debug(method + "validate user subject ="+ + infoCertSN.toString()); + X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); + if (infoCertName == null) { + msg = method + "infoCertName null"; + CMS.debug(msg); + throw new Exception(msg); + } + + authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); + if (authTokenSharedTokenSN == null) { + msg = method + "authTokenSharedTokenSN null"; + CMS.debug(msg); + throw new Exception(msg); + } + if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { + CMS.debug(method + "names matched"); + } else { + msg = method + "names do not match; authTokenSharedTokenSN =" + + authTokenSharedTokenSN; + CMS.debug(msg); + throw new Exception(msg); + } + + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); + } + + public boolean isApplicable(IPolicyDefault def) { + String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; + if (def instanceof AuthTokenSubjectNameDefault) { + CMS.debug(method + "true"); + return true; + } + CMS.debug(method + "false"); + return false; + } +} diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java index e789625..85bf241 100644 --- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java +++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java @@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault { X500Name name = new X500Name( request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)); - CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString()); + CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName()); info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name)); } catch (Exception e) { // failed to insert subject name diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index 12fd294..03e94a8 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java @@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { CMS.debug("ProfileSubmitCMCServlet: null it out"); ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); } + String signingCertSerialS = null; if (authToken != null) { signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); @@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); } + String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); + if (tmpSharedTokenAuthenticatedCertSubject != null) { + // unlikely to happen, but do this just in case + CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); + CMS.debug("ProfileSubmitCMCServlet: null it out"); + ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); + } + String errorCode = null; String errorReason = null; String auditRequesterID = ILogger.UNIDENTIFIED; @@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); if (tmpCertSerialS != null) { - // unlikely to happenm, but do this just in case + // unlikely to happen, but do this just in case CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); CMS.debug("ProfileSubmitCMCServlet: null it out"); reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); } // put CMCUserSignedAuth authToken in request if (signingCertSerialS != null) { + CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); + reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); + } + + tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); + if (tmpSharedTokenAuthenticatedCertSubject != null) { + // unlikely to happen, but do this just in case + CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); + CMS.debug("ProfileSubmitCMCServlet: null it out"); + reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); + } + // put Shared Token authToken in request + String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); + if (st_sbj != null) { + CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth"); + reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj); + } + if (tmpSharedTokenAuthenticatedCertSubject != null) { CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); } diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties index 208632d..e5e6ecc 100644 --- a/base/server/cmsbundle/src/UserMessages.properties +++ b/base/server/cmsbundle/src/UserMessages.properties @@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only -CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only +CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only +CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. -- 1.8.3.1 From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 1 Aug 2018 13:35:53 -0700 Subject: [PATCH 2/5] Bug 1593805 Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC This patch removes the outdated reference to EC environment variable NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage. More info in the usage are updated as well for correctness and clarity. Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9 (cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051) --- .../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++---------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java index fcaf210..28934ab 100644 --- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java +++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java @@ -251,43 +251,47 @@ public class HttpClient { System.out.println("The configuration file should look like as follows:"); System.out.println(""); System.out.println("#host: host name for the http server"); - System.out.println("host=host1.a.com"); + System.out.println("host=host.example.com"); System.out.println(""); System.out.println("#port: port number"); - System.out.println("port=1025"); + System.out.println("port=8443"); System.out.println(""); System.out.println("#secure: true for secure connection, false for nonsecure connection"); - System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command"); System.out.println("secure=false"); System.out.println(""); System.out.println("#input: full path for the enrollment request, the content must be in binary format"); - System.out.println("input=/u/doc/cmcReqCRMFBin"); + System.out.println("input=~/cmcReqCRMFBin"); System.out.println(""); System.out.println("#output: full path for the response in binary format"); - System.out.println("output=/u/doc/cmcResp"); + System.out.println("#output could be parsed by running CMCResponse"); + System.out.println("output=~/cmcResp"); System.out.println(""); - System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)"); + System.out.println("#dbdir: directory for NSS certificate/key databases"); System.out.println("#This parameter will be ignored if secure=false"); - System.out.println("tokenname=hsmname"); + System.out.println("dbdir=/.dogtag/nssdb"); System.out.println(""); - System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); + System.out.println("#password: password for NSS database"); + System.out.println("#This parameter will be ignored if secure=false and clientmode=false"); + System.out.println("password="); + System.out.println(""); + System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)"); System.out.println("#This parameter will be ignored if secure=false"); - System.out.println("dbdir=/u/smith/.netscape"); + System.out.println("tokenname=internal"); System.out.println(""); System.out.println("#clientmode: true for client authentication, false for no client authentication"); System.out.println("#This parameter will be ignored if secure=false"); System.out.println("clientmode=false"); System.out.println(""); - System.out.println("#password: password for cert8.db"); - System.out.println("#This parameter will be ignored if secure=false and clientauth=false"); - System.out.println("password="); - System.out.println(""); System.out.println("#nickname: nickname for client certificate"); System.out.println("#This parameter will be ignored if clientmode=false"); System.out.println("nickname="); System.out.println(""); System.out.println("#servlet: target URL"); - System.out.println("#This parameter may include query parameters"); + System.out.println("#This parameter may include query parameters;"); + System.out.println("# - reminder: profileId should be a profile that matches"); + System.out.println("# the intended certificate; for certificates intended"); + System.out.println("# for SSL (client or server), profiles should match"); + System.out.println("# the key type (RSA or EC) of the keys generated for CSR;"); System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert"); System.out.println(""); System.exit(0); -- 1.8.3.1 From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 2 Aug 2018 09:31:50 -0700 Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same reqIssuer & certissuer This patch resolves the possible encoding mismatch between the actual CA cert and the X500Name gleaned from the CMC revocation request. Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d (cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248) --- .../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index a9a7ade..97971dd 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; import com.netscape.certsrv.profile.EProfileException; @@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, // to CMCOutputTemplate so that we can // have a chance to capture user identification info if (issuerANY != null) { + // get CA signing cert + ICertificateAuthority ca = null; + ca = (ICertificateAuthority) CMS.getSubsystem("ca"); + X500Name caName = ca.getX500Name(); + try { byte[] issuerBytes = issuerANY.getEncoded(); - X500Name issuerName = new X500Name(issuerBytes); - CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); + X500Name reqIssuerName = new X500Name(issuerBytes); + String reqIssuerNameStr = reqIssuerName.getName(); + CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr); + if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) { + // making sure it's identical, even in encoding + reqIssuerName = caName; + } else { + // not this CA; will be bumped off later; + // make a note in debug anyway + CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;"); + } // capture issuer principal to be checked against // cert issuer principal later in CMCOutputTemplate - auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); + auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName); } catch (Exception e) { CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); } -- 1.8.3.1 From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 8 Aug 2018 18:41:52 -0700 Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events This patch enables the audit events concerning role actions (mostly config) by default. Two additional minor issues are also addressed: 1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert (bugzilla #1610718) 2. removing unrecommended signing algorithms fixes: https://pagure.io/dogtagpki/issue/3041 Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d (cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099) --- base/ca/shared/conf/CS.cfg | 2 +- base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +- base/kra/shared/conf/CS.cfg | 2 +- base/ocsp/shared/conf/CS.cfg | 2 +- .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +- .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +- base/server/cmsbundle/src/LogMessages.properties | 2 +- base/tks/shared/conf/CS.cfg | 2 +- base/tps/shared/conf/CS.cfg | 2 +- base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++---- 11 files changed, 14 insertions(+), 14 deletions(-) diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index fcd85a2..6158d5a 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg index f12c7ed..0b7f6b7 100644 --- a/base/ca/shared/profiles/ca/caDirUserCert.cfg +++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg @@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 policyset.userCertSet.2.default.params.startTime=0 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl policyset.userCertSet.3.constraint.name=Key Constraint -policyset.userCertSet.3.constraint.params.keyType=EC +policyset.userCertSet.3.constraint.params.keyType=RSA policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl policyset.userCertSet.3.default.name=Key Default diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg index 0663b40..b65999e 100644 --- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg +++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg @@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 policyset.userCertSet.2.default.params.startTime=0 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl policyset.userCertSet.3.constraint.name=Key Constraint -policyset.userCertSet.3.constraint.params.keyType=- +policyset.userCertSet.3.constraint.params.keyType=EC policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl policyset.userCertSet.3.default.name=Key Default diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index f314234..878e5f8 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg @@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg index dc993b0..b412e5e 100644 --- a/base/ocsp/shared/conf/CS.cfg +++ b/base/ocsp/shared/conf/CS.cfg @@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) log.instance.SignedAudit.expirationTime=0 diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java index a1a83a4..2dcf9c1 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java @@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile defConfig4 .putString( "params.signingAlgsAllowed", - "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); IProfilePolicy policy5 = createProfilePolicy("set1", "p5", diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java index 710a461..9b1eacb 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java @@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile defConfig4 .putString( "params.signingAlgsAllowed", - "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); IProfilePolicy policy5 = createProfilePolicy("set1", "p5", diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 7963f6f..d534506 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties @@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authenticatio # and to be approved by an agent # Op must be "approve" or "disapprove" # -LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval +LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval # # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION # - used for proof of possession during certificate enrollment processing diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg index d1da996..e9bf03e 100644 --- a/base/tks/shared/conf/CS.cfg +++ b/base/tks/shared/conf/CS.cfg @@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) log.instance.SignedAudit.expirationTime=0 diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg index c44bc75..3671100 100644 --- a/base/tps/shared/conf/CS.cfg +++ b/base/tps/shared/conf/CS.cfg @@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER +log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java index ae5975a..012575c 100644 --- a/base/util/src/netscape/security/x509/AlgorithmId.java +++ b/base/util/src/netscape/security/x509/AlgorithmId.java @@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder { * Supported signing algorithms for a RSA key. */ public static final String[] RSA_SIGNING_ALGORITHMS = new String[] - { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" }; + { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" }; public static final String[] EC_SIGNING_ALGORITHMS = new String[] - { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" }; + { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; /** * All supported signing algorithms. */ public static final String[] ALL_SIGNING_ALGORITHMS = new String[] { - "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC", - "SHA256withEC", "SHA384withEC", "SHA512withEC" }; + "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA", + "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; } -- 1.8.3.1 From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 10 Aug 2018 14:04:14 -0700 Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit logs This patch addes support for ECC audit log signing key. All enrollment profiles for audit signing certificate are updated to allow that. fixes https://pagure.io/dogtagpki/issue/2481 Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f (cherry picked from commit 435ede04d525d8816345271a887753a620795d56) --- base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++-- base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++---- base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++--- base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++----- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg index ff4856c..642e67b 100644 --- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg @@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720 policyset.auditSigningCertSet.2.default.params.startTime=0 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl policyset.auditSigningCertSet.3.constraint.name=Key Constraint -policyset.auditSigningCertSet.3.constraint.params.keyType=RSA -policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.auditSigningCertSet.3.constraint.params.keyType=- +policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl policyset.auditSigningCertSet.3.default.name=Key Default policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg index b850f1c..4acaab7 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg @@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl policyset.auditSigningCertSet.3.constraint.name=Key Constraint policyset.auditSigningCertSet.3.constraint.params.keyType=- -policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl policyset.auditSigningCertSet.3.default.name=Key Default policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl @@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl policyset.auditSigningCertSet.9.constraint.name=No Constraint -policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl policyset.auditSigningCertSet.9.default.name=Signing Alg policyset.auditSigningCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg index 6fdb8b5..c568572 100644 --- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg +++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg @@ -3,7 +3,7 @@ visible=true enable=true enableBy=admin auth.class_id= -name=Manual Log Signing Certificate Enrollment +name=Manual Audit Log Signing Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl input.i2.class_id=submitterInfoInputImpl @@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720 policyset.caLogSigningSet.2.default.params.startTime=0 policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl policyset.caLogSigningSet.3.constraint.name=Key Constraint -policyset.caLogSigningSet.3.constraint.params.keyType=RSA -policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.caLogSigningSet.3.constraint.params.keyType=- +policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl policyset.caLogSigningSet.3.default.name=Key Default policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl @@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul policyset.caLogSigningSet.8.default.params.critical=false policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl policyset.caLogSigningSet.9.constraint.name=No Constraint -policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl policyset.caLogSigningSet.9.default.name=Signing Alg policyset.caLogSigningSet.9.default.params.signingAlg=- diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java index 7693ba3..be9c0ed 100644 --- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java +++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java @@ -25,7 +25,6 @@ import java.io.FilenameFilter; import java.io.IOException; import java.security.PublicKey; import java.security.Signature; -import java.security.interfaces.DSAPublicKey; import java.security.interfaces.RSAPublicKey; import java.util.List; import java.util.StringTokenizer; @@ -34,6 +33,7 @@ import java.util.Vector; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkcs11.PK11ECPublicKey; import com.netscape.cmsutil.util.Utils; @@ -159,8 +159,8 @@ public class AuditVerify { String sigAlgorithm = null; if (pubk instanceof RSAPublicKey) { sigAlgorithm = "SHA-256/RSA"; - } else if (pubk instanceof DSAPublicKey) { - sigAlgorithm = "SHA-256/DSA"; + } else if (pubk instanceof PK11ECPublicKey) { + sigAlgorithm = "SHA-256/EC"; } else { throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm()); } diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java index 74a8ada..b04f70d 100644 --- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java +++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java @@ -41,8 +41,6 @@ import java.security.PrivateKey; import java.security.Provider; import java.security.Signature; import java.security.SignatureException; -import java.security.interfaces.DSAPrivateKey; -import java.security.interfaces.RSAPrivateKey; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; @@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { mSigningKey = cm.findPrivKeyByCert(cert); String sigAlgorithm; - if (mSigningKey instanceof RSAPrivateKey) { + if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) { sigAlgorithm = "SHA-256/RSA"; - } else if (mSigningKey instanceof DSAPrivateKey) { - sigAlgorithm = "SHA-256/DSA"; + } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) { + sigAlgorithm = "SHA-256/EC"; } else { throw new NoSuchAlgorithmException("Unknown private key type"); } -- 1.8.3.1