From ca25d3856c37febe4aa89d19ba143bd1e021f0d1 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Sat, 2 Jul 2016 11:03:53 +0530 Subject: [PATCH 36/96] Added instance and subsystem validation for pki-server subsystem-* commands. The pki-server subsystem-* commands have been updated to validate the instance and subsystem before proceeding with the operation. https://fedorahosted.org/pki/ticket/2399 --- base/server/python/pki/server/cli/subsystem.py | 66 +++++++++++++++++++++----- 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index 49215cf..a44243a 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -177,6 +177,10 @@ class SubsystemShowCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) SubsystemCLI.print_subsystem(subsystem) @@ -240,9 +244,17 @@ class SubsystemEnableCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) - subsystem.enable() + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) - self.print_message('Enabled "%s" subsystem' % subsystem_name) + if subsystem.is_enabled(): + self.print_message('Subsystem "%s" is already ' + 'enabled' % subsystem_name) + else: + subsystem.enable() + self.print_message('Enabled "%s" subsystem' % subsystem_name) SubsystemCLI.print_subsystem(subsystem) 
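Review bot: The `if not subsystem:` guard added in SubsystemShowCLI is repeated verbatim in the SubsystemEnableCLI hunk below it and again in the SubsystemDisableCLI, SubsystemCertFindCLI, SubsystemCertShowCLI, SubsystemCertExportCLI and SubsystemCertUpdateCLI hunks of this patch, seven copies of the same message and exit. A single helper next to SubsystemCLI.print_subsystem that looks the subsystem up, prints the error and exits keeps the wording consistent and makes the check hard to forget in the next subsystem-* command; each call site then becomes `subsystem = SubsystemCLI.get_subsystem_or_exit(instance, instance_name, subsystem_name)`. Since the line is a failure diagnostic, `print(..., file=sys.stderr)` would also keep it out of stdout that scripts may parse, although the rest of the file currently prints errors to stdout. The enclosing execute() methods start outside the hunks.
```python
# inside SubsystemCLI, next to print_subsystem():
    @staticmethod
    def get_subsystem_or_exit(instance, instance_name, subsystem_name):
        """Return the named subsystem, or print the shared error and exit(1)."""
        subsystem = instance.get_subsystem(subsystem_name)
        if not subsystem:
            print('ERROR: No %s subsystem in instance '
                  '%s.' % (subsystem_name, instance_name))
            sys.exit(1)
        return subsystem
```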
@@ -308,9 +320,17 @@ class SubsystemDisableCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) - subsystem.disable() + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) - self.print_message('Disabled "%s" subsystem' % subsystem_name) + if not subsystem.is_enabled(): + self.print_message('Subsystem "%s" is already ' + 'disabled' % subsystem_name) + else: + subsystem.disable() + self.print_message('Disabled "%s" subsystem' % subsystem_name) SubsystemCLI.print_subsystem(subsystem) @@ -403,6 +423,10 @@ class SubsystemCertFindCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) results = subsystem.find_system_certs() self.print_message('%s entries matched' % len(results)) @@ -436,7 +460,7 @@ class SubsystemCertShowCLI(pki.cli.CLI): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', 'show-all', + 'instance=', 'show-all', 'verbose', 'help']) except getopt.GetoptError as e: @@ -471,7 +495,6 @@ class SubsystemCertShowCLI(pki.cli.CLI): self.usage() sys.exit(1) - if len(args) < 2: print('ERROR: missing cert ID') self.usage() @@ -489,6 +512,10 @@ class SubsystemCertShowCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) cert = subsystem.get_subsystem_cert(cert_id) SubsystemCertCLI.print_subsystem_cert(cert, show_all) @@ -611,6 +638,10 @@ class SubsystemCertExportCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) subsystem_cert = None if len(args) >= 2: 
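Review bot: In the SubsystemCertShowCLI hunk, `cert = subsystem.get_subsystem_cert(cert_id)` is handed straight to print_subsystem_cert with no check on the result, so an unknown cert ID is the next unvalidated input right after the subsystem check this patch adds. I cannot see get_subsystem_cert from the hunk; if it returns None for a missing ID, a guard such as `if not cert: print('ERROR: No %s certificate in %s subsystem.' % (cert_id, subsystem_name)); sys.exit(1)` would fail cleanly instead of with a traceback, and the same applies to the SubsystemCertUpdateCLI hunk later in this patch. The execute() bodies continue outside the hunks.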
@@ -732,6 +763,10 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): instance.load() subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) + sys.exit(1) subsystem_cert = subsystem.get_subsystem_cert(cert_id) # get cert data from NSS database @@ -749,6 +784,9 @@ class SubsystemCertUpdateCLI(pki.cli.CLI): # get cert request from local CA # TODO: add support for remote CA ca = instance.get_subsystem('ca') + if not ca: + print('ERROR: No CA subsystem in instance %s.' % instance_name) + sys.exit(1) results = ca.find_cert_requests(cert=data) cert_request = results[-1] request = cert_request['request'] @@ -820,7 +858,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI): subsystem_name = args[0] - if len(args) >=2: + if len(args) >= 2: cert_id = args[1] else: cert_id = None @@ -835,7 +873,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI): subsystem = instance.get_subsystem(subsystem_name) if not subsystem: - self.print_message('ERROR: missing subsystem ' + subsystem_name) + print('ERROR: No %s subsystem in instance ' + '%s.' % (subsystem_name, instance_name)) sys.exit(1) if cert_id is not None: @@ -909,16 +948,17 @@ class SubsystemCertValidateCLI(pki.cli.CLI): os.close(pwfile_handle) try: - cmd = ['pki', '-d', instance.nssdb_dir, - '-C', pwfile_path ] + cmd = ['pki', + '-d', instance.nssdb_dir, + '-C', pwfile_path] if token: cmd.extend(['--token', token]) cmd.extend(['client-cert-validate', - nickname, - '--certusage', usage] - ) + nickname, + '--certusage', usage + ]) subprocess.check_output(cmd, stderr=subprocess.STDOUT) print(' Status: VALID') -- 1.8.3.1 From 03926918b688d6634a46e322565bd1ab8ccdd811 Mon Sep 17 00:00:00 2001 
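Review bot: In the SubsystemCertUpdateCLI hunk at -749, the new CA guard is immediately followed by `results = ca.find_cert_requests(cert=data)` and `cert_request = results[-1]`, which raises IndexError when no request matches the certificate, so a certificate that was not issued by the local CA still ends in a traceback rather than the error-and-exit style this patch introduces everywhere else. Add `if not results: print('ERROR: No certificate request found for %s in CA subsystem.' % cert_id); sys.exit(1)` before indexing. The enclosing execute() starts outside the hunk.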
From: "Endi S. Dewata" Date: Wed, 6 Jul 2016 17:40:13 +0200 Subject: [PATCH 37/96] Fixed exception chain in SigningUnit.init(). The SigningUnit.init() has been modified to chain the exceptions to help troubleshooting. https://fedorahosted.org/pki/ticket/2399 --- base/ca/src/com/netscape/ca/SigningUnit.java | 45 +++++++++++++--------- .../certsrv/ca/CAMissingCertException.java | 3 ++ .../netscape/certsrv/ca/CAMissingKeyException.java | 3 ++ 3 files changed, 32 insertions(+), 19 deletions(-) diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java index 60bd84e..f708e55 100644 --- a/base/ca/src/com/netscape/ca/SigningUnit.java +++ b/base/ca/src/com/netscape/ca/SigningUnit.java @@ -22,10 +22,6 @@ import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.SignatureException; -import netscape.security.x509.AlgorithmId; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; - import org.mozilla.jss.CryptoManager; import org.mozilla.jss.NoSuchTokenException; import org.mozilla.jss.crypto.CryptoToken; @@ -42,15 +38,19 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; -import com.netscape.certsrv.ca.ECAException; import com.netscape.certsrv.ca.CAMissingCertException; import com.netscape.certsrv.ca.CAMissingKeyException; +import com.netscape.certsrv.ca.ECAException; import com.netscape.certsrv.common.Constants; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.ISigningUnit; import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmsutil.util.Cert; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + /** * CA signing unit based on JSS. * 
@@ -171,7 +171,7 @@ public final class SigningUnit implements ISigningUnit { mCert = mManager.findCertByNickname(mNickname); CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber()); } catch (ObjectNotFoundException e) { - throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e); } mCertImpl = new X509CertImpl(mCert.getEncoded()); @@ -181,7 +181,7 @@ public final class SigningUnit implements ISigningUnit { mPrivk = mManager.findPrivKeyByCert(mCert); CMS.debug("Got private key from cert"); } catch (ObjectNotFoundException e) { - throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e); } mPubk = mCert.getPublicKey(); 
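Review bot: The -181 hunk chains the cause correctly but still wraps the missing private key in `CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e)`, the same user message as the missing-certificate case at -171, so an operator is told the certificate object was not found when the certificate exists and the key is what is missing. If a key-specific message key exists in the message bundle it should be used here; otherwise at least make the debug line specific, e.g. `CMS.debug("SigningUnit: no private key for cert '" + mNickname + "'");`. The enclosing init() starts before the hunk.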
@@ -194,32 +194,39 @@ public final class SigningUnit implements ISigningUnit { CMS.debug( "got signing algorithm " + mDefSigningAlgorithm); mInited = true; + } catch (java.security.cert.CertificateException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage())); - throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()), e); + } catch (CryptoManager.NotInitializedException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"), e); + } catch (IncorrectPasswordException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD")); + throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"), e); + } catch (NoSuchTokenException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname)); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname), e); + } catch (CAMissingCertException | CAMissingKeyException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); throw e; // 
re-throw + } catch (TokenException e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug("SigningUnit: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR")); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"), e); + } catch (Exception e) { - CMS.debug("SigningUnit init: debug " + e.toString()); + CMS.debug(e); } } diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java index 49c5063..e363647 100644 --- a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java +++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java @@ -12,4 +12,7 @@ public class CAMissingCertException extends ECAException { super(msgFormat); } + public CAMissingCertException(String msgFormat, Exception cause) { + super(msgFormat, cause); + } } diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java index 8f5e1e7..178857f 100644 --- a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java +++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java @@ -12,4 +12,7 @@ public class CAMissingKeyException extends ECAException { super(msgFormat); } + public CAMissingKeyException(String msgFormat, Exception cause) { + super(msgFormat, cause); + } } -- 1.8.3.1 From 4bdb8793eddd8d6c26a08c8f871249aa9a5bde7a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 Jul 2016 21:12:35 +0200 Subject: [PATCH 38/96] Fixed CLI error message on connection problems The CLI has been modified to display the actual error message instead of generic ProcessingException. https://fedorahosted.org/pki/ticket/2377 --- base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) 
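Review bot: The final `catch (Exception e) { CMS.debug(e); }` at the end of the -194 hunk still swallows every exception not matched by the branches above it, so init() returns normally with mInited left false and the CA signing unit silently unusable; the commit only shortened the debug line without closing that gap. Every sibling branch logs and rethrows as ECAException with the cause, so this one should too: `CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()), e);`. As a smaller point, the new CAMissingCertException and CAMissingKeyException constructors in this patch take `Exception cause` where `Throwable cause` is the usual chaining signature, provided the ECAException constructor they delegate to accepts it. The init() method starts before the hunk.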
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java index 797f3cb..8f3293d 100644 --- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java @@ -31,6 +31,8 @@ import java.net.UnknownHostException; import java.util.Collection; import java.util.HashSet; +import javax.ws.rs.ProcessingException; + import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; import org.apache.commons.lang.StringUtils; @@ -571,11 +573,20 @@ public class MainCLI extends CLI { MainCLI cli = new MainCLI(); cli.execute(args); + } catch (ProcessingException e) { + Throwable t = e.getCause(); + if (verbose) { + t.printStackTrace(System.err); + } else { + System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage()); + } + System.exit(-1); + } catch (Throwable t) { if (verbose) { t.printStackTrace(System.err); } else { - System.err.println(t.getClass().getSimpleName()+": "+t.getMessage()); + System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage()); } System.exit(-1); } -- 1.8.3.1 From c595208f58a2c072f9a7a243434411f66f556242 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 Jul 2016 22:05:09 +0200 Subject: [PATCH 39/96] Added validation for pki client-cert-request extractable parameter. The pki client-cert-request CLI has been modified to validate the boolean extractable parameter. https://fedorahosted.org/pki/ticket/2383 --- .../src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java index 3ec4745..0277774 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java 
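Review bot: In the new `catch (ProcessingException e)` branch, `Throwable t = e.getCause();` is dereferenced unconditionally, but a ProcessingException can be raised with a message and no cause, in which case the CLI now dies with a NullPointerException on the error-reporting path instead of the connection message the commit wants to show. Fall back to the exception itself: `Throwable t = e.getCause() != null ? e.getCause() : e;`. With that guard the branch is identical to the `catch (Throwable t)` below it apart from the unwrapping, so the two could share one small reporting helper. The enclosing main() starts outside the hunk.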
@@ -194,6 +194,9 @@ public class ClientCertRequestCLI extends CLI { if (s == null) { extractable = -1; } else { + if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) { + throw new IllegalArgumentException("Invalid extractable parameter: " + s); + } extractable = Boolean.parseBoolean(s) ? 1 : 0; } -- 1.8.3.1 From db75d23cbb90b834b2b515ce6344346522067b7b Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 Jul 2016 22:30:52 +0200 Subject: [PATCH 40/96] Added validation for pki client-cert-request sensitive parameter. The pki client-cert-request CLI has been modified to validate the boolean sensitive parameter. https://fedorahosted.org/pki/ticket/2383 --- .../src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java index 0277774..aff3220 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java @@ -186,6 +186,9 @@ public class ClientCertRequestCLI extends CLI { if (s == null) { sensitive = -1; } else { + if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) { + throw new IllegalArgumentException("Invalid sensitive parameter: " + s); + } sensitive = Boolean.parseBoolean(s) ? 1 : 0; } -- 1.8.3.1 From 9bf9f9628420d133010ff994cdac0f01b764b603 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 Jul 2016 23:02:18 +0200 Subject: [PATCH 41/96] Added general exception handling for pki-server CLI. The pki-server CLI has been modified to catch all exceptions and display a simple exception message. In verbose mode it will display the stack trace. https://fedorahosted.org/pki/ticket/2381 --- base/server/sbin/pki-server | 6 ++++++ 1 file changed, 6 insertions(+) 
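Review bot: The validation added for `extractable` here and the identical one added for `sensitive` in the following patch differ only in the option name and the target variable, and both still fall through to Boolean.parseBoolean, which already case-folds. A helper such as `static int parseTriState(String name, String s)` that returns -1 for null, throws `IllegalArgumentException("Invalid " + name + " parameter: " + s)` for anything other than true/false and otherwise returns 1 or 0 would remove the duplication and keep future boolean options consistent; each site becomes `extractable = parseTriState("extractable", s);`. The enclosing method starts outside both hunks.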
diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server index cea62b7..6df70dc 100644 --- a/base/server/sbin/pki-server +++ b/base/server/sbin/pki-server @@ -116,3 +116,9 @@ if __name__ == '__main__': traceback.print_exc() print('ERROR: %s' % e) sys.exit(e.returncode) + + except Exception as e: # pylint: disable=broad-except + if cli.verbose: + traceback.print_exc() + print('ERROR: %s' % e) + sys.exit(1) -- 1.8.3.1 From 59ba26cf9292a578d34d98344e4b1f4d20339508 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 7 Jul 2016 02:42:14 +0200 Subject: [PATCH 42/96] Fixed problem with pki pkcs12-import --no-trust-flags. The pki pkcs12-import CLI has been fixed such that when it calls pki pkcs12-cert-find internally it does not add --no-trust-flags option. https://fedorahosted.org/pki/ticket/2399 --- base/common/python/pki/cli/pkcs12.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py index 3fcea35..145f125 100644 --- a/base/common/python/pki/cli/pkcs12.py +++ b/base/common/python/pki/cli/pkcs12.py @@ -159,9 +159,6 @@ class PKCS12ImportCLI(pki.cli.CLI): if password_file: cmd.extend(['--pkcs12-password-file', password_file]) - if no_trust_flags: - cmd.extend(['--no-trust-flags']) - if self.verbose: cmd.extend(['--verbose']) -- 1.8.3.1 From 12e24ae0eb3f6fb7e0f71b95e3911f45594c5965 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 7 Jul 2016 03:52:09 +0200 Subject: [PATCH 43/96] Fixed pki pkcs12-import output. The pki pkcs12-import has been modified to suppress the output of external command execution and display a completion message more consistently. https://fedorahosted.org/pki/ticket/2399 --- base/common/python/pki/cli/pkcs12.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py index 145f125..ded79c7 100644 --- a/base/common/python/pki/cli/pkcs12.py 
+++ b/base/common/python/pki/cli/pkcs12.py @@ -314,4 +314,7 @@ class PKCS12ImportCLI(pki.cli.CLI): cmd.extend(nicknames) - main_cli.execute_java(cmd) + with open(os.devnull, 'w') as f: + main_cli.execute_java(cmd, stdout=f) + + self.print_message('Import complete') -- 1.8.3.1 From 7164c2064a7f069f0943f64167eaab982068593d Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 7 Jul 2016 14:02:18 -0700 Subject: [PATCH 44/96] Ticket #978 PPS connector man page: add revocation routing info --- base/tps/man/man5/pki-tps-connector.5 | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/base/tps/man/man5/pki-tps-connector.5 b/base/tps/man/man5/pki-tps-connector.5 index 6ee009a..b3e405e 100644 --- a/base/tps/man/man5/pki-tps-connector.5 +++ b/base/tps/man/man5/pki-tps-connector.5 @@ -62,12 +62,26 @@ This property contains the maximum number of HTTP connections. .SS tps.connector.ca.uri. This property contains the URI to contact CA for the operation . -Example ops: enrollment, renewal, revoke, unrevoke. +Example ops: enrollment, renewal, revoke, unrevoke, getcert. .SS tps.connector.ca.timeout This property contains the connection timeout. +.SS tps.connector.connCAList + +This property is used for \fIRevocation Routing\fP. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to. +Example: +tps.connCAList=ca1,ca2 + +.SS tps.connector.ca.caNickname + +This property is used for \fIRevocation Routing\fP. It contains the nickname of the CA signing certificate that represents this ca. + +.SS tps.connector.ca.caSKI + +This property is used for \fIRevocation Routing\fP . It contains the Subject Key Identifier of the CA signing certificate of this ca. This value is automatically calculated by TPS once and should not need handling by the administrator. + .SH KRA CONNECTOR A KRA connector is defined using properties that begin with tps.connector.kra where 
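Review bot: `with open(os.devnull, 'w') as f: main_cli.execute_java(cmd, stdout=f)` discards the Java tool's stdout unconditionally, yet the same command is built with `--verbose` when self.verbose is set (visible in the -159 hunk of the previous patch), so the verbose output the user asked for now goes to /dev/null. Redirect only in the quiet case: `if self.verbose: main_cli.execute_java(cmd)` and `else:` followed by the devnull block. I cannot see the file's import block from this hunk; confirm `os` is imported there, and note that the enclosing execute() starts outside the hunk.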
@@ -182,6 +196,13 @@ tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke +# in case of Revocation Routing +# note that caSKI is automatically calculated by TPS +tps.connCAList=ca1,ca2 +tps.connector.ca1.caNickname=caSigningCert cert-pki-tomcat CA +tps.connector.ca1.caSKI=hAzNarQMlzit4BymAlbduZMwVCc +# ca2 connector in case of Revocation Routing +tps.connector.ca2. tps.connector.kra1.enable=true tps.connector.kra1.host=server.example.com -- 1.8.3.1 From ee68baccc5510184ff67b903288410d3ccc6a831 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 11 Jul 2016 17:51:57 -0700 Subject: [PATCH 46/96] Ticket #2389 fix for regular CA installation This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails. --- .../src/com/netscape/cms/servlet/csadmin/CertUtil.java | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 495e4c0..ed762de 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java 
@@ -535,9 +535,14 @@ public class CertUtil { CMS.debug("Creating local request exception:" + e.toString()); } - // installAdjustValidity tells ValidityDefault to adjust the - // notAfter value to that of the CA's signing cert if needed - req.setExtData("installAdjustValidity", "true"); + if (!certTag.equals("signing")) { + /* + * (applies to non-CA-signing cert only) + * installAdjustValidity tells ValidityDefault to adjust the + * notAfter value to that of the CA's signing cert if needed + */ + req.setExtData("installAdjustValidity", "true"); + } processor.populate(req, info); PrivateKey caPrik = null; @@ -554,11 +559,11 @@ public class CertUtil { } if (caPrik == null) { - CMS.debug("CertUtil::createSelfSignedCert() - " + CMS.debug("CertUtil::createLocalCert() - " + "CA private key is null!"); throw new IOException("CA private key is null"); } else { - CMS.debug("CertUtil createSelfSignedCert: got CA private key"); + CMS.debug("CertUtil createLocalCert: got CA private key"); } String keyAlgo = x509key.getAlgorithm(); @@ -586,7 +591,7 @@ public class CertUtil { } if (cert != null) { - CMS.debug("CertUtil createSelfSignedCert: got cert signed"); + CMS.debug("CertUtil createLocalCert: got cert signed"); } } catch (IOException e) { -- 1.8.3.1 From c3ff087bd07cde4cd272defad499fd4d8367e5c1 Mon Sep 17 00:00:00 2001 From: Geetika Kapoor Date: Wed, 13 Jul 2016 06:57:08 -0400 Subject: [PATCH 47/96] Added fix for pki-server for db-update fixes: https://fedorahosted.org/pki/ticket/1667 Signed-off-by: Geetika Kapoor Reviewed-by: Fraser Tweedale --- base/server/python/pki/server/cli/db.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py index cc768da..17b1a2f 100644 --- a/base/server/python/pki/server/cli/db.py +++ b/base/server/python/pki/server/cli/db.py 
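Review bot: `if (!certTag.equals("signing"))` in the -535 hunk throws NullPointerException if certTag is ever null; certTag is assigned outside the hunk so I cannot confirm it is always set, but `if (!"signing".equals(certTag))` is null-safe at no cost and is the usual idiom for comparing against a literal. The other two hunks only rename the debug strings to createLocalCert. The enclosing method starts before the hunk.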
@@ -202,7 +202,7 @@ class DBUpgrade(pki.cli.CLI): entries = conn.ldap.search_s( repo_dn, ldap.SCOPE_ONELEVEL, - '(&(objectclass=certificateRecord)(!(issuerName=*)))', + '(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))', None) for entry in entries: @@ -227,7 +227,7 @@ class DBUpgrade(pki.cli.CLI): issuer_name = str(cert.issuer) try: - conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)]) + conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)]) except ldap.LDAPError as e: print( 'Failed to add issuerName to certificate {}: {}' -- 1.8.3.1 From 8c36ab242c99187a0356b85467e43f5b024718a2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 13 Jul 2016 04:11:56 +0200 Subject: [PATCH 48/96] Fixed certificate validation error message. The pkihelper.py has been modified to display the correct external command name on system certificate validation error. https://fedorahosted.org/pki/ticket/2399 --- base/server/python/pki/server/deployment/pkihelper.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 0145b49..54ffe27 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -4663,7 +4663,7 @@ class SystemCertificateVerifier: stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: config.pki_log.error( - "pki subsystem-cert-validate return code: " + str(e.returncode), + "pki-server subsystem-cert-validate return code: " + str(e.returncode), extra=config.PKI_INDENTATION_LEVEL_2 ) config.pki_log.error( -- 1.8.3.1 From 96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c Mon Sep 17 00:00:00 2001 
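Review bot: The -227 hunk switches the modification to `ldap.MOD_REPLACE`, but the `except ldap.LDAPError` message that follows still says 'Failed to add issuerName to certificate', which misleads now that the operation also overwrites the empty values the widened filter in the -202 hunk selects. Change it to `'Failed to set issuerName on certificate {}: {}'` to match the new operation. The surrounding loop in DBUpgrade starts outside the hunk.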
From: Jack Magne Date: Wed, 13 Jul 2016 17:15:14 -0700 Subject: [PATCH 50/96] [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page This fix will involve the following changes to the source tree. 1. Fixes to the CS.cfg to add two new cert profiles. 2. Make the caDualCert.cfg profile invisible since it has little chance of working any more in Firefox. 3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI to have convenient profiles from which to enroll signing ONLY certificates. --- base/ca/shared/conf/CS.cfg | 6 +- base/ca/shared/profiles/ca/caDualCert.cfg | 2 +- base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 86 ++++++++++++++++++++++ base/ca/shared/profiles/ca/caSigningUserCert.cfg | 86 ++++++++++++++++++++++ 4 files changed, 178 insertions(+), 2 deletions(-) create mode 100644 base/ca/shared/profiles/ca/caSigningECUserCert.cfg create mode 100644 base/ca/shared/profiles/ca/caSigningUserCert.cfg diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 288f0d5..68e79a4 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg 
@@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 os.userid=nobody -profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment profile.caUUIDdeviceCert.class_id=caEnrollImpl profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg profile.caManualRenewal.class_id=caEnrollImpl 
@@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg profile.caSignedLogCert.class_id=caEnrollImpl profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg +profile.caSigningECUserCert.class_id=caEnrollImpl +profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg +profile.caSigningUserCert.class_id=caEnrollImpl +profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg profile.caSimpleCMCUserCert.class_id=caEnrollImpl profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg profile.caSubsystemCert.class_id=caEnrollImpl diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg index f90f78f..87036d1 100644 --- a/base/ca/shared/profiles/ca/caDualCert.cfg +++ b/base/ca/shared/profiles/ca/caDualCert.cfg @@ -1,5 +1,5 @@ desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. -visible=true +visible=false enable=true enableBy=admin name=Manual User Signing & Encryption Certificates Enrollment diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg new file mode 100644 index 0000000..b410504 --- /dev/null +++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg 
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing ECC Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=EC
+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
new file mode 100644
index 0000000..f197ffa
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
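Review bot: `policyset.signingCertSet.9.constraint.params.signingAlgsAllowed` in this new profile still admits MD2withRSA, MD5withRSA, SHA1withRSA and SHA1withDSA, so — if the signing algorithm is selectable at enrollment or approval time, as the constraint suggests — a user signing certificate can be issued under a broken digest; the identical list is copied into caSigningUserCert.cfg in the next hunk. For a profile introduced now the allowed set should be limited to the SHA-2 family, e.g. `policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. The EC key constraint `keyParameters=nistp256,nistp521` also skips nistp384, which reads like an omission rather than a policy decision and is worth confirming.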
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user signing certificates.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
-- 1.8.3.1
From 6bda601d3b4dea93e1a218662ae0814e3a2708a7 Mon Sep 17 00:00:00 2001
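Review bot: `policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096` accepts 1024-bit RSA keys for a brand-new user signing profile, which is below what a 2016-era CA should issue for non-repudiation signing (`keyUsageNonRepudiation=true` further down the hunk). Dropping the smallest size, `policyset.signingCertSet.3.constraint.params.keyParameters=2048,3072,4096`, costs nothing for new enrollments since the profile is not yet deployed anywhere. The validity pair (constraint 365, default 180) is consistent and needs no change.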
From: "Endi S. Dewata"
Date: Thu, 14 Jul 2016 23:11:46 +0200
Subject: [PATCH 51/96] Fixed cert usage list in pki client-cert-validate. The pki client-cert-validate has been modified to add the missing EmailRecipient and to list the supported cert usages. https://fedorahosted.org/pki/ticket/2376 https://fedorahosted.org/pki/ticket/2399
---
 .../src/com/netscape/cmstools/client/ClientCertValidateCLI.java | 7 ++++++-
 base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
index 3988c71..50cd96f 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
@@ -45,7 +45,10 @@ public class ClientCertValidateCLI extends CLI {
 }
 public void createOptions() {
- Option option = new Option(null, "certusage", true, "Certificate usage.");
+ Option option = new Option(null, "certusage", true, "Certificate usage: " +
+ "CheckAllUsages, SSLServer, SSLServerWithStepUp, SSLClient, SSLCA, AnyCA, " +
+ "StatusResponder, ObjectSigner, UserCertImport, ProtectedObjectSigner, " +
+ "VerifyCA, EmailSigner, EmailRecipient.");
 option.setArgName("certusage");
 options.addOption(option);
 }
@@ -188,6 +191,8 @@ public class ClientCertValidateCLI extends CLI {
 cu = CryptoManager.CertificateUsage.VerifyCA;
 else if (certusage.equalsIgnoreCase("EmailSigner"))
 cu = CryptoManager.CertificateUsage.EmailSigner;
+ else if (certusage.equalsIgnoreCase("EmailRecipient"))
+ cu = CryptoManager.CertificateUsage.EmailRecipient;
 return cu;
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 5b6382e..400ad0c 100644
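Review bot: The new `EmailRecipient` branch extends an if/else chain whose tail lies outside the hunk; if that chain ends without a final `else`, a mistyped `--certusage` value leaves `cu` at whatever it was initialised to and the certificate is validated for a usage the operator never asked for, which is the wrong failure mode for a validation tool. A terminating `else throw new IllegalArgumentException("Unknown certificate usage: " + certusage);` makes the rejection explicit. The same chain is duplicated verbatim in `CertUtils.java` (next hunk), and the option help text in the first hunk enumerates the usages by hand, so the three places can drift apart — one shared lookup table would keep them aligned. The enclosing method begins outside the hunk.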
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -988,6 +988,8 @@ public class CertUtils {
 cu = CryptoManager.CertificateUsage.VerifyCA;
 else if (certusage.equalsIgnoreCase("EmailSigner"))
 cu = CryptoManager.CertificateUsage.EmailSigner;
+ else if (certusage.equalsIgnoreCase("EmailRecipient"))
+ cu = CryptoManager.CertificateUsage.EmailRecipient;
 return cu;
 }
-- 1.8.3.1
From 078dfc1f01dea30800f19eed6df4ed547edffee3 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Tue, 12 Jul 2016 18:18:39 -0700
Subject: [PATCH 52/96] Ticket #2246 [MAN] Man Page: AuditVerify This patch contains the man page for AuditVerify.
---
 base/java-tools/man/man1/AuditVerify.1 | 110 +++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 base/java-tools/man/man1/AuditVerify.1
diff --git a/base/java-tools/man/man1/AuditVerify.1 b/base/java-tools/man/man1/AuditVerify.1
new file mode 100644
index 0000000..c0bd5ba
--- /dev/null
+++ b/base/java-tools/man/man1/AuditVerify.1
@@ -0,0 +1,110 @@ +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH AuditVerify 1 "July 7, 2016" "version 10.3" "PKI Signed Audit Log Verification Command" Dogtag Team +.\" Please adjust this date whenever revising the man page. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for man page specific macros, see man(7) +.SH NAME +AuditVerify \- Command-Line utility for verifying Certificate System signed audit logs. + +.SH SYNOPSIS +.nf +\fBAuditVerify\fR -d -n -a [-P cert/key_db_prefix] [-v] +.fi + +.SH DESCRIPTION +.PP +The \fBAuditVerify\fR command provides command-line utility to verify that signed audit logs were signed with the appropriate CS audit private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity and integrity of signed audit logs using the \fBAuditVerify\fR tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool result indicates either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised). +.PP +.B Note: An auditor can be any user that has the privilege to peruse the pki audit logs. + +.SH OPTIONS +.TP +.B -d +Specifies the directory containing the security databases with the imported audit log signing certificate. 
This directory is almost always the auditor's own personal certificate databases in a personal directory, such as ~jsmith/auditVerifyDir/. + +.TP +.B -n +Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the log signing certificate was imported into that database. + +.TP +.B [-P cert/key_db_prefix] +Optional. The prefix to prepend to the certificate and key database filenames. If used, a value of empty quotation marks (“”) should be specified for this argument, since the auditor is using separate certificate and key databases from the Certificate System instance and it is unlikely that the prefix should be prepended to the new audit security database files. + +.TP +.B -a +Specifies the file which contains the comma-separate list of file paths (in chronological order) of the signed audit logs to be verified. +This file should be created in a directory which is writeable by the auditor, such as a special auditing directory like ~jsmith/auditDir. +The contents of the logListFile are the full paths to the audit logs. For example: +.PP +.nf + /var/log/pki/pki-ca/ca/signedAudit/ca_audit,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030227102711,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030226094015 +.fi + +.TP +.B [-v] +Optional. Specifies verbose output. + +.SH Setting up the Auditor's Database + +\fBAuditVerify\fP needs access to a set of security databases (usually the auditor's personal security databases) containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database. +.PP +Auditors should import the audit signing certificate into their personal certificate database before running \fBAuditVerify\fP. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. 
If there are no readily accessible certificate and key database, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain. +.PP +To create the security databases and import the certificate chain: + +.SS Create a special directory in the auditor's home directory to use to perform the verification. For example: + +mkdir ~jsmith/auditVerifyDir + +.SS Use the certutil tool to create an empty set of certificate databases in the auditor's home directory. + +certutil -d ~jsmith/auditVerifyDir -N + +.SS Download the CA certificate from the CA's Retrieval page. The certificates can be obtained from the CA in ASCII format. + +https://server.example.com:ca_https_port/ca/ee/ca/ + +.SS Import the CA certificate and log signing certificate into the databases and set trust of the certificates + +If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, then the certutil can be used to set the trust for the new audit security database directory pointing to those files, as follows: + +certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.txt + +certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.txt + +.B Note: The signedAudit directory kept by the subsystem is not writeable by any user, including auditors. + +.SH Operation +After a separate audit database directory has been configured, do the following: +.SS Create a text file containing a comma-separated list of the log files to be verified. The name of this file is referenced in the AuditVerify command. + +For example, this file could be logListFile in the ~jsmith/auditVerifyDir/ directory. The contents are the comma-separated list of audit logs to be verified, such as "auditlog.1213, auditlog.1214, auditlog.1215." 
+ +.SS If the audit databases do not contain prefixes and are located in the user home directory, such as ~jsmith/.mozilla, and the signing certificate nickname is "Log Signing Certificate", the AuditVerify command is run as follows: + +AuditVerify -d ~jsmith/auditVerifyDir -n Log Signing Certificate -a ~jsmith/auditVerifyDir/logListFile -P "" -v + +.I Note: It has been observed that if audit signing is enabled after system is first started, the first audit signature would not be verified. What happens is that the signature starts calculating from it's in-memory audit log message when it signs, and since log signing is turned on mid-way (not from a fresh new log file), the previous content were not signed along for calculating the first signature (and rightfully so). When AuditVerify is run, it does not know where the log signing begins, so it assumes it starts from the beginning of the file till the first signature. This is why the first signature (if signing is turned on mid-way) will always appear to be incorrect. + + +.SH AUTHORS +Christina Fu . + +.SH COPYRIGHT +Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public +License, version 2 (GPLv2). A copy of this license is available at +http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. + +.SH SEE ALSO +.BR pki(1) -- 1.8.3.1 From d20638e2916fb99da5cf09d869a1fbc89cd6f17b Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 16 Jul 2016 07:01:23 +0200 Subject: [PATCH 53/96] Removed redundant question in interactive pkispawn. The pkispawn has been modified such that if the admin selects to import the admin certificate the admin will not be asked where to export the certificate. https://fedorahosted.org/pki/ticket/2399 --- base/server/sbin/pkispawn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index d3a111f..11745b4 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn 
@@ -226,9 +226,9 @@ def main(argv):
 'pki_import_admin_cert',
 'False')
- parser.read_text('Export certificate to',
- config.pki_subsystem,
- 'pki_client_admin_cert')
+ parser.read_text('Export certificate to',
+ config.pki_subsystem,
+ 'pki_client_admin_cert')
 # if parser.mdict['pki_hsm_enable'] == 'True':
 # use_hsm = 'Y'
@@ -261,7 +261,7 @@ def main(argv):
 # parser.set_property(config.pki_subsystem,
 # 'pki_hsm_libfile',
 # libfile)
- # print
+ print()
 print("Directory Server:")
 while True:
-- 1.8.3.1
From 28176087a94f74b451c2dbf3c59b4d13a20014c6 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Sat, 16 Jul 2016 09:22:27 +0200
Subject: [PATCH 54/96] Fixed pkispawn installation summary. The pkispawn installation summary has been modified not to show the admin certificate nickname and NSS database if pki_client_database_purge or pki_clone is set to true since the NSS database will not be created in those cases. https://fedorahosted.org/pki/ticket/2399
---
 base/server/sbin/pkispawn | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 11745b4..13139fa 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -754,16 +754,15 @@ def print_final_install_information(mdict):
 print(" Administrator's PKCS #12 file:\n %s" %
 mdict['pki_client_admin_cert_p12'])
- if not config.str2bool(mdict['pki_client_database_purge']):
+ if not config.str2bool(mdict['pki_client_database_purge']) and \
+ not config.str2bool(mdict['pki_clone']):
 print()
 print(" Administrator's certificate nickname:\n %s" %
 mdict['pki_admin_nickname'])
-
- if not config.str2bool(mdict['pki_clone']):
 print(" Administrator's certificate database:\n %s" %
 mdict['pki_client_database_dir'])
- else:
+ if config.str2bool(mdict['pki_clone']):
 print()
 print(" This %s subsystem of the '%s' instance\n"
 " is a clone." %
-- 1.8.3.1
From eddbcedba312258cd4105f0353313c1423084593 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 20 Jul 2016 00:38:41 +0200
Subject: [PATCH 55/96] Fixed error handling in SystemConfigService. To help troubleshooting the SystemConfigService has been modified to chain the original exception and to log stack trace into the debug log. https://fedorahosted.org/pki/ticket/2399
---
 .../src/org/dogtagpki/server/rest/SystemConfigService.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 6fc37b5..95afa4c 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -782,7 +782,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 ConfigurationUtils.populateVLVIndexes();
 }
 } catch (Exception e) {
- e.printStackTrace();
+ CMS.debug(e);
 throw new PKIException("Error in populating database: " + e, e);
 }
 }
@@ -1029,14 +1029,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 String tokenpwd = data.getTokenPassword();
 ConfigurationUtils.loginToken(ctoken, tokenpwd);
 } catch (NotInitializedException e) {
- throw new PKIException("Token is not initialized");
+ throw new PKIException("Token is not initialized", e);
 } catch (NoSuchTokenException e) {
- throw new BadRequestException("Invalid Token provided. No such token.");
+ throw new BadRequestException("Invalid Token provided. No such token.", e);
 } catch (TokenException e) {
- e.printStackTrace();
- throw new PKIException("Token Exception" + e);
+ CMS.debug(e);
+ throw new PKIException("Token Exception: " + e, e);
 } catch (IncorrectPasswordException e) {
- throw new BadRequestException("Incorrect Password provided for token.");
+ throw new BadRequestException("Incorrect Password provided for token.", e);
 }
 }
 }
-- 1.8.3.1
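Review bot: Only the `TokenException` catch in the `@@ -1029` hunk logs the failure with `CMS.debug(e)`; the `NotInitializedException`, `NoSuchTokenException` and `IncorrectPasswordException` branches now chain the cause but do not log it, so whether their stack traces reach the debug log depends on what the REST layer does with the chained exception, which is not visible here. Adding `CMS.debug(e);` as the first statement of each catch, as the first hunk does for the database error, makes the logging uniform and matches the stated intent of the commit. Separately, `"Token Exception: " + e` copies the JSS exception text into a PKIException that goes back to the client; a fixed message in the response, with the detail confined to the debug log, avoids echoing internal token state to callers. The enclosing method begins outside the hunk.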
From 3998429da6e4a96b1ec667436f1da6b96d0ca33c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 22 Jul 2016 13:35:54 +0200
Subject: [PATCH 56/96] Fixed param substitution problem. The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string. https://fedorahosted.org/pki/ticket/2399
---
 base/server/python/pki/server/deployment/pkihelper.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 54ffe27..6ac68b1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1810,8 +1810,8 @@ class File:
 line[begin:end + 1],
 value,
 extra=config.PKI_INDENTATION_LEVEL_3)
- # replace parameter with value
- line = line[0:begin] + value + line[end + 1]
+ # replace parameter with value, keep the rest of the line
+ line = line[0:begin] + value + line[end + 1:]
 # calculate the new end position
 end = begin + len(value) + 1
-- 1.8.3.1
From 215d07d0754a5397e5008e98fe42626e8de9e399 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Fri, 22 Jul 2016 14:43:21 -0700
Subject: [PATCH 57/96] Stop using a java8 only constant. Will allow compilation with java7. Trivial fix.
---
 .../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
index 9593816..db42cab 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
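Review bot: With the tail of the line now preserved by `line[end + 1:]`, the context line `end = begin + len(value) + 1` that follows deserves a second look: the substituted text occupies `line[begin:begin + len(value)]`, so this `end` lands two positions past its last character, and if the loop (outside the hunk) resumes its scan from `end`, a `[` immediately following a substituted value would be skipped. If that arithmetic is intentional, a comment such as `# one past the substituted value; the next scan resumes here` would spare the next reader the same question. A regression test with two parameters on one line, e.g. a template line containing `[A]/[B]`, would pin both this fix and the end-position bookkeeping. `substitute_deployment_params` starts and ends outside the hunk.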
@@ -56,6 +56,8 @@ public class SecureChannelProtocol {
 static final int PROTOCOL_THREE = 3;
 static final int HOST_CRYPTOGRAM = 0;
 static final int CARD_CRYPTOGRAM = 1;
+ //Size of long type in bytes, since java7 has no define for this
+ static final int LONG_SIZE = 8;
 private SymmetricKey transportKey = null;
 CryptoManager cryptoManager = null;
@@ -762,7 +764,7 @@ public class SecureChannelProtocol {
 }
 public static byte[] longToBytes(long x) {
- ByteBuffer buffer = ByteBuffer.allocate(Long.BYTES);
+ ByteBuffer buffer = ByteBuffer.allocate(LONG_SIZE);
 buffer.putLong(x);
 return buffer.array();
 }
-- 1.8.3.1
From a307cf68e91327ddbef4b9d7e2bbd3991354831f Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 22 Jul 2016 18:38:19 -0600
Subject: [PATCH 58/96] Allow PrettyPrintCert to process HEADERs and TRAILERs. * PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements Checked-in under one-liner/trivial rule.
---
 base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
index 63451d0..882e7a1 100644
--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
@@ -137,7 +137,7 @@ if [ $# -eq 1 ] ||
 then
 if [ "$1" = "-simpleinfo" ]
 then
- file $2 | grep 'ASCII text' > /dev/null
+ file $2 | grep -E 'ASCII text|PEM certificate' > /dev/null
 if [ $? -ne 0 ] ; then
 ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
 printf "\n"
@@ -147,7 +147,7 @@ then
 exit 255
 fi
 else
- file $1 | grep 'ASCII text' > /dev/null
+ file $1 | grep -E 'ASCII text|PEM certificate' > /dev/null
 if [ $? -ne 0 ] ; then
 ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
 printf "\n"
-- 1.8.3.1
From 3f4c9e4e7946f3f330b71cfe36a00ae933de2575 Mon Sep 17 00:00:00 2001
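Review bot: `LONG_SIZE = 8` reintroduces a magic number where the Java 7 JDK already carries the value: `ByteBuffer.allocate(Long.SIZE / Byte.SIZE)` in `longToBytes` says the same thing without a new class constant or the explanatory comment in the first hunk. If the constant is kept, its comment should state the actual reason precisely, e.g. `// Size of long in bytes; Long.BYTES is only available on Java 8+`, so nobody later "simplifies" it back to the Java 8 field. `longToBytes` is complete within the hunk.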
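Review bot: `file $2 | grep -E 'ASCII text|PEM certificate'` matches against the whole `file` output, which begins with the file name, so a name that itself contains "PEM certificate" or "ASCII text" passes the check regardless of content, and the unquoted `$2` splits on names with whitespace; the same applies to `file $1` in the `@@ -147` hunk. `file -b "$2" | grep -qE 'ASCII text|PEM certificate'` tests only the detected type, quotes the argument, and makes the `> /dev/null` redirect unnecessary. The `if [ $# -eq 1 ] ||` condition enclosing both hunks starts before them.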
From: "Endi S. Dewata"
Date: Thu, 21 Jul 2016 02:26:24 +0200
Subject: [PATCH 59/96] Added CMake target dependencies. To help troubleshooting build issues, some CMake dependencies have been added to some targets even though the actual codes do not require those dependencies. This will ensure the targets are built sequentially so build failures can be found more easily at the end of the build log. https://fedorahosted.org/pki/ticket/2403
---
 base/native-tools/src/tkstool/CMakeLists.txt | 2 +-
 base/server/tomcat/src/CMakeLists.txt | 2 ++
 base/tps-client/src/CMakeLists.txt | 1 +
 base/tps-client/src/authentication/CMakeLists.txt | 1 +
 base/tps-client/src/modules/tokendb/CMakeLists.txt | 1 +
 base/tps-client/src/modules/tps/CMakeLists.txt | 1 +
 base/tps-client/src/tus/CMakeLists.txt | 1 +
 7 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/base/native-tools/src/tkstool/CMakeLists.txt b/base/native-tools/src/tkstool/CMakeLists.txt
index 8b07950..8c65717 100644
--- a/base/native-tools/src/tkstool/CMakeLists.txt
+++ b/base/native-tools/src/tkstool/CMakeLists.txt
@@ -34,7 +34,7 @@ set(tkstool_SRCS
 include_directories(${TKSTOOL_PRIVATE_INCLUDE_DIRS})
 add_executable(tkstool ${tkstool_SRCS})
-
+add_dependencies(tkstool pki-certsrv-jar)
 target_link_libraries(tkstool ${TKSTOOL_LINK_LIBRARIES})
 install(
diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
index 4cb40ad..c589758 100644
--- a/base/server/tomcat/src/CMakeLists.txt
+++ b/base/server/tomcat/src/CMakeLists.txt
@@ -135,4 +135,6 @@ javac(pki-tomcat-classes
 ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} OUTPUT_DIR ${CMAKE_BINARY_DIR}/../../tomcat
+ DEPENDS
+ pki-certsrv-jar
 )
diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt
index b0276f8..28ca2e4 100644
--- a/base/tps-client/src/CMakeLists.txt
+++ b/base/tps-client/src/CMakeLists.txt
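Review bot: `add_dependencies(tkstool pki-certsrv-jar)` is, per the commit message, not a real build requirement, but nothing in the file records that, so a later cleanup will reasonably remove it as dead; the same applies to `DEPENDS pki-certsrv-jar` in the tomcat hunk and to the `pki-tps-jar` dependencies added in the five tps-client CMakeLists files that follow. A one-line comment above each addition, e.g. `# Not required to build: serializes the targets so failures surface at the end of the build log (ticket 2403)`, keeps the intent next to the line that carries it.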
@@ -129,6 +129,7 @@ set(tps_library_SRCS
 include_directories(${TPS_PRIVATE_INCLUDE_DIRS})
 add_library(${TPS_SHARED_LIBRARY} SHARED ${tps_library_SRCS})
+add_dependencies(${TPS_SHARED_LIBRARY} pki-tps-jar)
 target_link_libraries(${TPS_SHARED_LIBRARY} ${TPS_LINK_LIBRARIES})
 set_target_properties(
diff --git a/base/tps-client/src/authentication/CMakeLists.txt b/base/tps-client/src/authentication/CMakeLists.txt
index ba8ca07..b0ca83a 100644
--- a/base/tps-client/src/authentication/CMakeLists.txt
+++ b/base/tps-client/src/authentication/CMakeLists.txt
@@ -37,6 +37,7 @@ set(ldapauth_library_SRCS
 include_directories(${LDAPAUTH_PRIVATE_INCLUDE_DIRS})
 add_library(${LDAPAUTH_SHARED_LIBRARY} SHARED ${ldapauth_library_SRCS})
+add_dependencies(${LDAPAUTH_SHARED_LIBRARY} pki-tps-jar)
 target_link_libraries(${LDAPAUTH_SHARED_LIBRARY} ${LDAPAUTH_LINK_LIBRARIES})
 set_target_properties(${LDAPAUTH_SHARED_LIBRARY}
diff --git a/base/tps-client/src/modules/tokendb/CMakeLists.txt b/base/tps-client/src/modules/tokendb/CMakeLists.txt
index 7b6edae..94db88e 100644
--- a/base/tps-client/src/modules/tokendb/CMakeLists.txt
+++ b/base/tps-client/src/modules/tokendb/CMakeLists.txt
@@ -31,6 +31,7 @@ set(tokendb_module_SRCS
 include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS})
 add_library(${TOKENDB_MODULE} MODULE ${tokendb_module_SRCS})
+add_dependencies(${TOKENDB_MODULE} pki-tps-jar)
 target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
 set_target_properties(${TOKENDB_MODULE}
diff --git a/base/tps-client/src/modules/tps/CMakeLists.txt b/base/tps-client/src/modules/tps/CMakeLists.txt
index 275d8b3..ac990e5 100644
--- a/base/tps-client/src/modules/tps/CMakeLists.txt
+++ b/base/tps-client/src/modules/tps/CMakeLists.txt
@@ -35,6 +35,7 @@ set(tps_module_SRCS include_directories(${TPS_PRIVATE_INCLUDE_DIRS}) add_library(${TPS_MODULE} MODULE ${tps_module_SRCS}) +add_dependencies(${TPS_MODULE} pki-tps-jar) target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES}) set_target_properties(${TPS_MODULE} diff --git a/base/tps-client/src/tus/CMakeLists.txt b/base/tps-client/src/tus/CMakeLists.txt index 3148d9e..912075f 100644 --- a/base/tps-client/src/tus/CMakeLists.txt +++ b/base/tps-client/src/tus/CMakeLists.txt @@ -35,6 +35,7 @@ set(tokendb_library_SRCS include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS}) add_library(${TOKENDB_SHARED_LIBRARY} SHARED ${tokendb_library_SRCS}) +add_dependencies(${TOKENDB_SHARED_LIBRARY} pki-tps-jar) target_link_libraries(${TOKENDB_SHARED_LIBRARY} ${TOKENDB_LINK_LIBRARIES}) set_target_properties(${TOKENDB_SHARED_LIBRARY} -- 1.8.3.1 From 9e77b42d88da07e91a42966bc2d1ea9237e62f47 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 22 Jul 2016 17:31:20 +0200 Subject: [PATCH 60/96] Removed hard-coded paths in pki.policy. The operations script has been modified to generate pki.policy dynamically from links in the /common/lib directory. This allows the pki.policy to match the actual paths in different platforms. https://fedorahosted.org/pki/ticket/2403 --- base/server/scripts/operations | 16 ++++- base/server/share/conf/pki.policy | 132 +------------------------------------- 2 files changed, 17 insertions(+), 131 deletions(-) diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 14443c4..5991670 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations 
@@ -1352,10 +1352,24 @@ start_instance() return $rv fi + # Copy pki.policy template + /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf + + # Add permissions for all JAR files in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib + for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*; do + + cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF + +grant codeBase "file:$(realpath $path)" { + permission java.security.AllPermission; +}; +EOF + done + # Generate catalina.policy dynamically. cat /usr/share/pki/server/conf/catalina.policy \ /usr/share/tomcat/conf/catalina.policy \ - /usr/share/pki/server/conf/pki.policy \ + /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy \ /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy index e281e01..7d8cfec 100644 --- a/base/server/share/conf/pki.policy +++ b/base/server/share/conf/pki.policy @@ -4,10 +4,10 @@ // --- END COPYRIGHT BLOCK --- // ============================================================================ -// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7 +// pki.policy - Default Security Policy Permissions for PKI on Tomcat // // This file contains a default set of security policies for PKI running inside -// Tomcat 7. +// Tomcat. // ============================================================================ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { 
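Review bot: The new loop grants `java.security.AllPermission` to every entry that `common/lib/*` matches at start time, with no restriction to jar files, no check that the entry exists, and an unquoted `$path` inside `realpath $path`; an empty directory would also hand the literal glob to `realpath`. A tighter form is `for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*.jar; do`, `[ -e "$path" ] || continue` and `grant codeBase "file:$(realpath "$path")" {`. Since the static grant list in pki.policy is removed in the same commit, the set of fully trusted code is now whatever is present in that directory when the instance starts, so its ownership and write permissions are the effective policy; a comment above the loop should say so. The copy also overwrites conf/pki.policy on every start, which is worth stating in the comment so local additions go into custom.policy (which the cat below still includes) rather than there. start_instance() starts and ends outside the hunk.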
@@ -22,42 +22,6 @@ grant codeBase "file:${catalina.base}/lib/-" { permission java.security.AllPermission; }; -grant codeBase "file:/usr/lib/java/jss4.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/lib/java/symkey.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/lib64/java/jss4.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/lib64/java/symkey.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/commons-codec.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/apache-commons-io.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/apache-commons-lang.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/apache-commons-logging.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/ecj.jar" { permission java.security.AllPermission; }; @@ -70,18 +34,6 @@ grant codeBase "file:/usr/share/java/glassfish-jsp.jar" { permission java.security.AllPermission; }; -grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/javassist.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/jaxb-api.jar" { permission java.security.AllPermission; }; 
@@ -98,66 +50,10 @@ grant codeBase "file:/usr/share/java/jboss-web.jar" { permission java.security.AllPermission; }; -grant codeBase "file:/usr/share/java/jackson/jackson-core-asl.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/jackson/jackson-jaxrs.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/jackson/jackson-mapper-asl.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/jackson/jackson-mrbean.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/jackson/jackson-smile.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/jackson/jackson-xc.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/ldapjdk.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/log4j.jar" { permission java.security.AllPermission; }; -grant codeBase "file:${RESTEASY_LIB}/jaxrs-api.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxrs.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:${RESTEASY_LIB}/resteasy-jackson-provider.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/scannotation.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/servlet.jar" { permission java.security.AllPermission; }; 
@@ -166,10 +62,6 @@ grant codeBase "file:/usr/share/java/tomcat/-" { permission java.security.AllPermission; }; -grant codeBase "file:/usr/share/java/tomcatjss.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/tomcat-el-api.jar" { permission java.security.AllPermission; }; @@ -178,22 +70,6 @@ grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" { permission java.security.AllPermission; }; -grant codeBase "file:/usr/share/java/velocity.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/xerces-j2.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/xml-commons-apis.jar" { - permission java.security.AllPermission; -}; - -grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" { - permission java.security.AllPermission; -}; - grant codeBase "file:/usr/share/java/pki/-" { permission java.security.AllPermission; }; @@ -221,7 +97,3 @@ grant codeBase "file:${catalina.base}/webapps/tks/-" { grant codeBase "file:${catalina.base}/webapps/ROOT/-" { permission java.security.AllPermission; }; - -grant codeBase "file:/usr/lib/java/nuxwdog.jar" { - permission java.security.AllPermission; -}; -- 1.8.3.1 From ecbf1cded60cec973316584baf272ae4c7bae1dd Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 21 Jul 2016 05:08:25 +0200 Subject: [PATCH 61/96] Removed hard-coded paths in pki CLI. The pki CLI has been modified to use java.ext.dirs property to load the dependencies instead of listing them individually. The dependencies are stored as links in /usr/share/pki/lib folder. This allows the RPM spec to customize the links for different platforms. https://fedorahosted.org/pki/ticket/2403 --- base/common/CMakeLists.txt | 45 ++++++++++++++++++++++++++++++++++++++++++ base/common/share/etc/pki.conf | 3 +++ base/java-tools/bin/pki | 43 ++++------------------------------------ 3 files changed, 52 insertions(+), 39 deletions(-) 
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 1213925..dc5cecf 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -11,6 +11,51 @@ configure_file( ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf ) +# Create /usr/share/pki/lib. This can be customized for different platforms in RPM spec. + +add_custom_target(pki-lib ALL) + +add_custom_command( + TARGET pki-lib + COMMAND ${CMAKE_COMMAND} -E make_directory lib + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-cli.jar lib/commons-cli.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar lib/commons-codec.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-httpclient.jar lib/commons-httpclient.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar lib/commons-io.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar lib/commons-lang.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar lib/commons-logging.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar lib/httpclient.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar lib/httpcore.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar lib/jackson-core-asl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar lib/jackson-jaxrs.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar lib/jackson-mapper-asl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar lib/jackson-mrbean.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar lib/jackson-smile.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar lib/jackson-xc.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink 
/usr/share/java/ldapjdk.jar lib/ldapjdk.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar lib/resteasy-jaxb-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar lib/resteasy-jaxrs-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs-jandex.jar lib/resteasy-jaxrs-jandex.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar lib/resteasy-jaxrs.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/servlet.jar lib/servlet.jar +) + +install( + DIRECTORY + ${CMAKE_CURRENT_BINARY_DIR}/lib/ + DESTINATION + ${DATA_INSTALL_DIR}/lib +) + install( FILES ${CMAKE_CURRENT_SOURCE_DIR}/share/etc/logging.properties diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf index f43d914..97f3777 100644 --- a/base/common/share/etc/pki.conf +++ b/base/common/share/etc/pki.conf @@ -4,5 +4,8 @@ JAVA_HOME=${JAVA_HOME} # JNI jar file location JNI_JAR_DIR=/usr/lib/java +# PKI library +PKI_LIB=/usr/share/pki/lib + # logging configuration location LOGGING_CONFIG=/usr/share/pki/etc/logging.properties diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki index c1ba34e..ba321be 100644 
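Review bot: `add_custom_command(TARGET pki-lib ...)` gives no PRE_BUILD/PRE_LINK/POST_BUILD keyword; CMake documents one of them as part of the TARGET form, so spell out `POST_BUILD` (if that is the intent) rather than relying on whatever the installed CMake defaults to. The link targets are absolute system paths that will not exist on a build host, which fits the install layout the commit describes, but the file should say that the RPM spec is expected to rewrite them and that the `pki` CLI loads everything in this directory through `java.ext.dirs`, e.g. `# Every jar linked here is loaded by the pki CLI as a Java extension; the spec rewrites the links per platform.` Much of this list (the commons, httpcomponents, jackson, resteasy, jss4 and ldapjdk links) is repeated in base/server/CMakeLists.txt later in this series with `common/lib/` as the prefix; a shared list variable with one foreach would keep the two from drifting.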
--- a/base/java-tools/bin/pki +++ b/base/java-tools/bin/pki @@ -76,11 +76,11 @@ class PKICLI(pki.cli.CLI): shell=True) java_home = value.decode(sys.getfilesystemencoding()).strip() - # read RESTEasy library path + # read PKI library value = subprocess.check_output( - '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $RESTEASY_LIB', + '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB', shell=True) - resteasy_lib = value.decode(sys.getfilesystemencoding()).strip() + pki_lib = value.decode(sys.getfilesystemencoding()).strip() # read logging configuration path value = subprocess.check_output( 
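Review bot: `pki_lib` is used as read; if `PKI_LIB` is defined in neither /usr/share/pki/etc/pki.conf nor /etc/pki/pki.conf the shell prints an empty line, `pki_lib` becomes `''`, and the java invocation in the next hunk is launched with an empty `-Djava.ext.dirs=`. Failing early, e.g. `if not pki_lib:` / `print('ERROR: PKI_LIB is not defined in pki.conf')` / `sys.exit(1)`, gives a clear message instead of whatever the JVM reports once the tools classes cannot be found. The enclosing method of PKICLI starts before and ends after this hunk.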
@@ -88,44 +88,9 @@ class PKICLI(pki.cli.CLI): shell=True) logging_config = value.decode(sys.getfilesystemencoding()).strip() - # construct classpath - classpath = [ - '/usr/share/java/commons-cli.jar', - '/usr/share/java/commons-codec.jar', - '/usr/share/java/commons-httpclient.jar', - '/usr/share/java/commons-io.jar', - '/usr/share/java/commons-lang.jar', - '/usr/share/java/commons-logging.jar', - '/usr/share/java/httpcomponents/httpclient.jar', - '/usr/share/java/httpcomponents/httpcore.jar', - '/usr/share/java/jackson/jackson-core-asl.jar', - '/usr/share/java/jackson/jackson-jaxrs.jar', - '/usr/share/java/jackson/jackson-mapper-asl.jar', - '/usr/share/java/jackson/jackson-mrbean.jar', - '/usr/share/java/jackson/jackson-smile.jar', - '/usr/share/java/jackson/jackson-xc.jar', - '/usr/share/java/jaxb-api.jar', - '/usr/share/java/ldapjdk.jar', - '/usr/share/java/servlet.jar', - resteasy_lib + '/jaxrs-api.jar', - resteasy_lib + '/resteasy-atom-provider.jar', - resteasy_lib + '/resteasy-client.jar', - resteasy_lib + '/resteasy-jaxb-provider.jar', - resteasy_lib + '/resteasy-jaxrs.jar', - resteasy_lib + '/resteasy-jaxrs-jandex.jar', - resteasy_lib + '/resteasy-jackson-provider.jar', - '/usr/share/java/pki/pki-nsutil.jar', - '/usr/share/java/pki/pki-cmsutil.jar', - '/usr/share/java/pki/pki-certsrv.jar', - '/usr/share/java/pki/pki-tools.jar', - '/usr/lib64/java/jss4.jar', - '/usr/lib/java/jss4.jar' - ] - cmd = [ java_home + '/bin/java', - '-cp', - ':'.join(classpath), + '-Djava.ext.dirs=' + pki_lib, '-Djava.util.logging.config.file=' + logging_config, 'com.netscape.cmstools.cli.MainCLI' ] -- 1.8.3.1 From 4926aace5cf0be65ddddf51c031e6cac6646a1dd Mon Sep 17 00:00:00 2001 
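Review bot: `'-Djava.ext.dirs=' + pki_lib` replaces the JRE's default extension directory instead of adding to it, so jars the runtime normally loads from its own `lib/ext` (on Java 8 that includes the `sunjce_provider.jar` and `sunpkcs11.jar` providers) are no longer visible to the CLI unless they are also linked into /usr/share/pki/lib; appending the runtime's ext directory, e.g. `'-Djava.ext.dirs=' + pki_lib + ':' + java_home + '/jre/lib/ext'` (adjusted to the installed JRE layout), avoids that. Everything in an ext directory is loaded by the extension class loader and, under the default policy, with full trust, so this also moves the CLI's trust boundary to the permissions on /usr/share/pki/lib; a one-line comment above `cmd` should record that. `java.ext.dirs` is removed in Java 9 (JEP 220), where the JVM rejects the option at startup, so this mechanism is Java 8 only. The enclosing method continues outside the hunk.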
From: "Endi S. Dewata" Date: Thu, 21 Jul 2016 05:08:25 +0200 Subject: [PATCH 63/96] Removed hard-coded paths in deployment tool. The deployment tool has been modified to link /common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms. https://fedorahosted.org/pki/ticket/2403 --- base/server/CMakeLists.txt | 47 +++++++ base/server/etc/default.cfg | 82 ------------ .../deployment/scriptlets/instance_layout.py | 143 +-------------------- base/server/scripts/operations | 79 ------------ 4 files changed, 54 insertions(+), 297 deletions(-) diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt index 5a6aea9..27470f3 100644 --- a/base/server/CMakeLists.txt +++ b/base/server/CMakeLists.txt 
@@ -21,6 +21,53 @@ set(APACHE_SUBSYSTEMS tps ) +# Create /usr/share/pki/server/common/lib. This can be customized for different platforms in RPM spec. + +add_custom_target(pki-server-common-lib ALL) + +add_custom_command( + TARGET pki-server-common-lib + COMMAND ${CMAKE_COMMAND} -E make_directory common/lib + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar common/lib/commons-codec.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-collections.jar common/lib/commons-collections.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar common/lib/commons-io.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar common/lib/commons-lang.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar common/lib/commons-logging.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar common/lib/httpclient.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar common/lib/httpcore.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar common/lib/jackson-core-asl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar common/lib/jackson-jaxrs.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar common/lib/jackson-mapper-asl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar common/lib/jackson-mrbean.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar common/lib/jackson-smile.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar common/lib/jackson-xc.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/javassist.jar common/lib/javassist.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar + COMMAND 
${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar common/lib/resteasy-jaxb-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-apis.jar common/lib/xml-commons-apis.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-resolver.jar common/lib/xml-commons-resolver.jar +) + +install( + DIRECTORY + ${CMAKE_CURRENT_BINARY_DIR}/common/lib/ + DESTINATION + ${DATA_INSTALL_DIR}/server/common/lib +) + install( DIRECTORY man/ diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index edd2632..4919cb4 100644 
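Review bot: `common/lib/commons-collections.jar` points at `/usr/share/java/commons-collections.jar`, a name that matches neither the non-Debian entry (`apache-commons-collections.jar`) nor the Debian entry (`commons-collections3.jar`) in the `verify_symlinks` table removed later in this patch, and the `commons-io`, `commons-lang` and `commons-logging` links likewise use the plain names where default.cfg and operations previously used `apache-commons-*.jar` on non-Debian systems; unless the RPM spec rewrites them as the commit message anticipates, these links presumably dangle there. `symkey.jar` is now linked unconditionally where the removed scriptlet code linked it only when the jar was installed, so a dangling link is expected on systems without pki-symkey; a comment should record both, e.g. `# Link targets are placeholders rewritten per platform by the spec; symkey.jar may dangle where pki-symkey is absent.` Because the instance start script grants AllPermission to every entry it finds under common/lib, stray or unexpected entries here are a trust question as well as a build one. As in base/common/CMakeLists.txt, `add_custom_command(TARGET ...)` lacks the PRE_BUILD/PRE_LINK/POST_BUILD keyword.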
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -268,88 +268,6 @@ pki_tomcat_subsystem_webapps_path=%(pki_subsystem_path)s/webapps pki_tomcat_webapps_subsystem_path=%(pki_tomcat_subsystem_webapps_path)s/%(pki_subsystem_type)s pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib -pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar -pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar -pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar -pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar -pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar -pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar - - -# JAR paths -# These are used in the processing of pkispawn and are not supposed -# to be overwritten by user configuration files -pki_jss_jar=%(jni_jar_dir)s/jss4.jar -pki_symkey_jar=%(jni_jar_dir)s/symkey.jar -pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar -pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar -pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar -pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar -pki_commons_codec_jar=/usr/share/java/commons-codec.jar -pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar -pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar -pki_javassist_jar=/usr/share/java/javassist.jar -pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar -pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar -pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar -pki_cmscore=/usr/share/java/pki/pki-cmscore.jar -pki_cms=/usr/share/java/pki/pki-cms.jar -pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar -pki_nsutil=/usr/share/java/pki/pki-nsutil.jar 
-pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar -pki_scannotation_jar=/usr/share/java/scannotation.jar -pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar -pki_velocity_jar=/usr/share/java/velocity.jar -pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar -pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar -pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar -pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar -pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar -pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar -pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar -pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar -pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar -pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar -pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar -pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar -pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar -pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar -pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar -pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar -pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar -pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar -pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar -pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar -pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar -pki_ca_jar=/usr/share/java/pki/pki-ca.jar -pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar -pki_kra_jar=/usr/share/java/pki/pki-kra.jar -pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar 
-pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar -pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar -pki_tks_jar=/usr/share/java/pki/pki-tks.jar -pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar -pki_tps_jar=/usr/share/java/pki/pki-tps.jar -pki_tps_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tps.jar - -# Jackson -pki_jackson_core_asl_jar=/usr/share/java/jackson/jackson-core-asl.jar -pki_jackson_jaxrs_jar=/usr/share/java/jackson/jackson-jaxrs.jar -pki_jackson_mapper_asl_jar=/usr/share/java/jackson/jackson-mapper-asl.jar -pki_jackson_mrbean_jar=/usr/share/java/jackson/jackson-mrbean.jar -pki_jackson_smile_jar=/usr/share/java/jackson/jackson-smile.jar -pki_jackson_xc_jar=/usr/share/java/jackson/jackson-xc.jar - -# RESTEasy -pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar -pki_resteasy_client_jar=%(resteasy_lib)s/resteasy-client.jar -pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar -pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar -pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar -pki_resteasy_jackson_provider_jar=%(resteasy_lib)s/resteasy-jackson-provider.jar - -# nuxwdog -pki_nuxwdog_client_jar=/usr/lib/java/nuxwdog.jar ############################################################################### diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py index 57f8537..c470c7f 100644 --- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
@@ -122,11 +122,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): "localhost", "pki#js.xml")) - # establish Tomcat instance base - deployer.directory.create(deployer.mdict['pki_tomcat_common_path']) - deployer.directory.create( - deployer.mdict['pki_tomcat_common_lib_path']) - # establish Tomcat instance library + # Create Tomcat instance library deployer.directory.create(deployer.mdict['pki_instance_lib']) for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']): deployer.symlink.create( @@ -139,6 +135,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.symlink.create( deployer.mdict['pki_instance_conf_log4j_properties'], deployer.mdict['pki_instance_lib_log4j_properties']) + + # Link /var/lib/pki//common to /usr/share/pki/server/common + deployer.symlink.create( + '/usr/share/pki/server/common', + deployer.mdict['pki_tomcat_common_path']) + deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) 
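Review bot: In the second hunk, `deployer.symlink.create('/usr/share/pki/server/common', deployer.mdict['pki_tomcat_common_path'])` embeds an absolute path in the scriptlet while every other path in this block comes from `deployer.mdict`; for a commit titled "Removed hard-coded paths", a default.cfg key for the shared common directory would keep platform customization in one place. The comment `# Link /var/lib/pki//common to /usr/share/pki/server/common` has lost the instance-name component between the slashes; `# Link /var/lib/pki/<instance>/common to /usr/share/pki/server/common` reads correctly. Where an existing instance already has `common` as a real directory from an earlier deployment, the symlink creation presumably fails or is skipped; worth confirming how `deployer.symlink.create` behaves there, since the first hunk removes the `deployer.directory.create` call that used to create that path. The enclosing method starts and ends outside both hunks.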
@@ -160,129 +162,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_tomcat_systemd'], deployer.mdict['pki_instance_systemd_link'], uid=0, gid=0) - # establish Tomcat instance common lib jar symbolic links - deployer.symlink.create( - deployer.mdict['pki_apache_commons_collections_jar'], - deployer.mdict['pki_apache_commons_collections_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_apache_commons_io_jar'], - deployer.mdict['pki_apache_commons_io_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_apache_commons_lang_jar'], - deployer.mdict['pki_apache_commons_lang_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_apache_commons_logging_jar'], - deployer.mdict['pki_apache_commons_logging_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_commons_codec_jar'], - deployer.mdict['pki_commons_codec_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_httpclient_jar'], - deployer.mdict['pki_httpclient_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_httpcore_jar'], - deployer.mdict['pki_httpcore_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_javassist_jar'], - deployer.mdict['pki_javassist_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_jss_jar'], - deployer.mdict['pki_jss_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_ldapjdk_jar'], - deployer.mdict['pki_ldapjdk_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_tomcat_jar'], - deployer.mdict['pki_tomcat_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_scannotation_jar'], - deployer.mdict['pki_scannotation_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_tomcatjss_jar'], - deployer.mdict['pki_tomcatjss_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_velocity_jar'], - deployer.mdict['pki_velocity_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_xerces_j2_jar'], - deployer.mdict['pki_xerces_j2_jar_link']) - 
deployer.symlink.create( - deployer.mdict['pki_xml_commons_apis_jar'], - deployer.mdict['pki_xml_commons_apis_jar_link']) - deployer.symlink.create( - deployer.mdict['pki_xml_commons_resolver_jar'], - deployer.mdict['pki_xml_commons_resolver_jar_link']) - - # Jackson - deployer.symlink.create( - deployer.mdict['pki_jackson_core_asl_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-core-asl.jar')) - deployer.symlink.create( - deployer.mdict['pki_jackson_jaxrs_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-jaxrs.jar')) - deployer.symlink.create( - deployer.mdict['pki_jackson_mapper_asl_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-mapper-asl.jar')) - deployer.symlink.create( - deployer.mdict['pki_jackson_mrbean_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-mrbean.jar')) - deployer.symlink.create( - deployer.mdict['pki_jackson_smile_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-smile.jar')) - deployer.symlink.create( - deployer.mdict['pki_jackson_xc_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jackson-xc.jar')) - - # RESTEasy - deployer.symlink.create( - deployer.mdict['pki_resteasy_atom_provider_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'resteasy-atom-provider.jar')) - deployer.symlink.create( - deployer.mdict['pki_resteasy_client_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'resteasy-client.jar')) - deployer.symlink.create( - deployer.mdict['pki_resteasy_jaxb_provider_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'resteasy-jaxb-provider.jar')) - deployer.symlink.create( - deployer.mdict['pki_resteasy_jaxrs_api_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'jaxrs-api.jar')) - deployer.symlink.create( - deployer.mdict['pki_resteasy_jaxrs_jar'], - 
os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'resteasy-jaxrs.jar')) - deployer.symlink.create( - deployer.mdict['pki_resteasy_jackson_provider_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'resteasy-jackson-provider.jar')) - - # nuxwdog - deployer.symlink.create( - deployer.mdict['pki_nuxwdog_client_jar'], - os.path.join( - deployer.mdict['pki_tomcat_common_lib_path'], - 'nuxwdog.jar')) # establish shared NSS security databases for this instance deployer.directory.create(deployer.mdict['pki_database_path']) @@ -297,14 +176,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_instance_log_path'], deployer.mdict['pki_instance_logs_link']) - # create the sym link to symkey regardless of subsystem - # as long as pki-symkey is installed on the system - if os.path.exists(deployer.mdict['pki_symkey_jar']): - if not os.path.exists(deployer.mdict['pki_symkey_jar_link']): - deployer.symlink.create( - deployer.mdict['pki_symkey_jar'], - deployer.mdict['pki_symkey_jar_link']) - # create Tomcat instance systemd service link deployer.symlink.create(deployer.mdict['pki_systemd_service'], deployer.mdict['pki_systemd_service_link']) diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 5991670..5b50178 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations @@ -909,7 +909,6 @@ verify_symlinks() declare -A ocsp_symlinks declare -A tks_symlinks declare -A tps_symlinks - declare -A common_jar_symlinks declare -A ca_jar_symlinks declare -A kra_jar_symlinks declare -A ocsp_jar_symlinks 
@@ -985,75 +984,6 @@ verify_symlinks() [logs]=/var/log/pki/${PKI_INSTANCE_NAME}/tps [registry]=${pki_registry_dir}) - # '${pki_common_jar_dir}' symlinks - if ! $debian; then - common_jar_symlinks=( - [apache-commons-codec.jar]=${java_dir}/commons-codec.jar - [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar - [apache-commons-io.jar]=${java_dir}/apache-commons-io.jar - [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar - [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar - [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar - [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar - [javassist.jar]=${java_dir}/javassist.jar - [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar - [jackson-core-asl.jar]=${java_dir}/jackson/jackson-core-asl.jar - [jackson-jaxrs.jar]=${java_dir}/jackson/jackson-jaxrs.jar - [jackson-mapper-asl.jar]=${java_dir}/jackson/jackson-mapper-asl.jar - [jackson-mrbean.jar]=${java_dir}/jackson/jackson-mrbean.jar - [jackson-smile.jar]=${java_dir}/jackson/jackson-smile.jar - [jackson-xc.jar]=${java_dir}/jackson/jackson-xc.jar - [jss4.jar]=${jni_jar_dir}/jss4.jar - [ldapjdk.jar]=${java_dir}/ldapjdk.jar - [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar - [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar - [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar - [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar - [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar - [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar - [scannotation.jar]=${java_dir}/scannotation.jar - [tomcatjss.jar]=${java_dir}/tomcatjss.jar - [velocity.jar]=${java_dir}/velocity.jar - [xerces-j2.jar]=${java_dir}/xerces-j2.jar - [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar - [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar) - else - common_jar_symlinks=( - [apache-commons-codec.jar]=${java_dir}/commons-codec.jar - 
[apache-commons-collections.jar]=${java_dir}/commons-collections3.jar - [apache-commons-io.jar]=${java_dir}/commons-io.jar - [apache-commons-lang.jar]=${java_dir}/commons-lang.jar - [apache-commons-logging.jar]=${java_dir}/commons-logging.jar - [httpclient.jar]=${java_dir}/httpclient.jar - [httpcore.jar]=${java_dir}/httpcore.jar - [javassist.jar]=${java_dir}/javassist.jar - [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar - [jackson-core-asl.jar]=${java_dir}/jackson-core-asl.jar - [jackson-jaxrs.jar]=${java_dir}/jackson-jaxrs.jar - [jackson-mapper-asl.jar]=${java_dir}/jackson-mapper-asl.jar - [jackson-mrbean.jar]=${java_dir}/jackson-mrbean.jar - [jackson-smile.jar]=${java_dir}/jackson-smile.jar - [jackson-xc.jar]=${java_dir}/jackson-xc.jar - [jss4.jar]=${jni_jar_dir}/jss4.jar - [ldapjdk.jar]=${java_dir}/ldapjdk.jar - [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar - [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar - [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar - [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar - [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar - [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar - [scannotation.jar]=${java_dir}/scannotation.jar - [tomcatjss.jar]=${java_dir}/tomcatjss.jar - [velocity.jar]=${java_dir}/velocity.jar - [xerces-j2.jar]=${java_dir}/xercesImpl.jar - [xml-commons-apis.jar]=${java_dir}/xml-apis.jar - [xml-commons-resolver.jar]=${java_dir}/xml-resolver.jar) - fi - - if [ -e ${PKI_INSTANCE_PATH}/tks ]; then - common_jar_symlinks[symkey.jar]=${jni_jar_dir}/symkey.jar - fi - # '${pki_systemd_dir}' symlinks systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service} 
@@ -1132,15 +1062,6 @@ verify_symlinks() fi fi - # Detect and correct 'common_jar_symlinks' - common_jar_symlinks_string=$(declare -p common_jar_symlinks) - eval "declare -A symlinks=${common_jar_symlinks_string#*=}" - check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP} - rv=$? - if [ $rv -ne 0 ]; then - return $rv - fi - # Detect and correct 'systemd_symlinks' systemd_symlinks_string=$(declare -p systemd_symlinks) eval "declare -A symlinks=${systemd_symlinks_string#*=}" -- 1.8.3.1 From 0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Wed, 27 Jul 2016 11:43:33 -0700 Subject: [PATCH 66/96] Make starting CRL Number configurable. Ticket #2406 Make starting CRL Number configurable This simple patch provides a pkispawn config param that passes some starting crl number value to the config process. Here is a sample: [CA] pki_ca_starting_crl_number=4000 After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000. Currently no other values are changed. We can talk about if we need more values reset in the given case. Also, this creates a setting in the CS.cfg ca.crl.MasterCrl.startingCrlNumber=4000 This setting is only consulted when the crl Issuing Point record is created for the first time. --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 65 +++++++++++++++------- .../server/ca/rest/CAInstallerService.java | 7 +++ .../certsrv/system/ConfigurationRequest.java | 12 ++++ base/server/etc/default.cfg | 1 + .../python/pki/server/deployment/pkihelper.py | 4 ++ 5 files changed, 69 insertions(+), 20 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index fc9e6a3..a593eb8 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
@@ -31,6 +31,23 @@ import java.util.StringTokenizer; import java.util.TimeZone; import java.util.Vector; +import netscape.security.util.BitArray; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLNumberExtension; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.DeltaCRLIndicatorExtension; +import netscape.security.x509.Extension; +import netscape.security.x509.FreshestCRLExtension; +import netscape.security.x509.IssuingDistributionPoint; +import netscape.security.x509.IssuingDistributionPointExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.RevokedCertificate; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509ExtensionException; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; 
@@ -66,23 +83,6 @@ import com.netscape.cmscore.dbs.CertRecord; import com.netscape.cmscore.dbs.CertificateRepository; import com.netscape.cmscore.util.Debug; -import netscape.security.util.BitArray; -import netscape.security.x509.AlgorithmId; -import netscape.security.x509.CRLExtensions; -import netscape.security.x509.CRLNumberExtension; -import netscape.security.x509.CRLReasonExtension; -import netscape.security.x509.DeltaCRLIndicatorExtension; -import netscape.security.x509.Extension; -import netscape.security.x509.FreshestCRLExtension; -import netscape.security.x509.IssuingDistributionPoint; -import netscape.security.x509.IssuingDistributionPointExtension; -import netscape.security.x509.RevocationReason; -import netscape.security.x509.RevokedCertImpl; -import netscape.security.x509.RevokedCertificate; -import netscape.security.x509.X509CRLImpl; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509ExtensionException; - /** * This class encapsulates CRL issuing mechanism. CertificateAuthority * contains a map of CRLIssuingPoint indexed by string ids. Each issuing @@ -112,6 +112,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { private static final int CRL_PAGE_SIZE = 10000; + private static final String PROP_CRL_STARTING_NUMBER = "startingCrlNumber"; + /* configuration file property names */ public IPublisherProcessor mPublisherProcessor = null; 
@@ -923,13 +925,36 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (crlRecord == null) { // no crl was ever created, or crl in db is corrupted. // create new one. + + IConfigStore ipStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE).getSubStore(mId); try { - crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1), + + BigInteger startingCrlNumberBig = ipStore.getBigInteger(PROP_CRL_STARTING_NUMBER, BigInteger.ZERO); + CMS.debug("startingCrlNumber: " + startingCrlNumberBig); + + // Check for bogus negative value + + if(startingCrlNumberBig.compareTo(BigInteger.ZERO) < 0) { + //Make it the default of ZERO + startingCrlNumberBig = BigInteger.ZERO; + } + + crlRecord = new CRLIssuingPointRecord(mId, startingCrlNumberBig, Long.valueOf(-1), null, null, BigInteger.ZERO, Long.valueOf(-1), mRevokedCerts, mUnrevokedCerts, mExpiredCerts); mCRLRepository.addCRLIssuingPointRecord(crlRecord); - mCRLNumber = BigInteger.ZERO; //BIG_ZERO; - mNextCRLNumber = BigInteger.ONE; //BIG_ONE; + mCRLNumber = startingCrlNumberBig; + + // The default case calls for ZERO being the starting point where + // it is then incremented by one to ONE + // If we specificy an explicit starting point, + // We want that exact number to be the next CRL Number. + if(mCRLNumber.compareTo(BigInteger.ZERO) == 0) { + mNextCRLNumber = BigInteger.ONE; + } else { + mNextCRLNumber = mCRLNumber; + } + mLastCRLNumber = mCRLNumber; mDeltaCRLNumber = mCRLNumber; mNextDeltaCRLNumber = mNextCRLNumber; diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java index e1b7160..3c7e483 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java 
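Review bot: The range check added before `new CRLIssuingPointRecord(...)` only rejects negatives; RFC 5280 §5.2.3 limits CRLNumber to 20 octets, so an oversized `startingCrlNumber` from CS.cfg is accepted here and would end up in a non-conforming CRL. Add the upper bound beside the sign check and keep a trace of the substitution, e.g. `if (startingCrlNumberBig.signum() < 0 || startingCrlNumberBig.bitLength() >= 160) { CMS.debug("Invalid startingCrlNumber " + startingCrlNumberBig + ", using 0"); startingCrlNumberBig = BigInteger.ZERO; }` — the current branch resets to zero silently, which defeats the reason an operator configures this value (keeping numbers increasing across a re-install) without leaving anything in the log. Separately, the explicit-value branch sets `mCRLNumber` and `mNextCRLNumber` to the same value while the default branch keeps them one apart; if other methods of this class (outside the hunk) treat `mCRLNumber` as the number of an already-issued CRL, initialising `mCRLNumber = startingCrlNumberBig.subtract(BigInteger.ONE)` for non-zero values and storing that in the record would preserve the invariant — worth confirming before this ships.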
@@ -80,6 +80,8 @@ public class CAInstallerService extends SystemConfigService { disableCRLCachingAndGenerationForClone(request); } + configureStartingCRLNumber(request); + } catch (Exception e) { CMS.debug(e); throw new PKIException("Errors in determining if security domain host is a master CA"); @@ -187,6 +189,11 @@ public class CAInstallerService extends SystemConfigService { configStore.commit(false /* no backup */); } + private void configureStartingCRLNumber(ConfigurationRequest data) { + CMS.debug("CAInstallerService:configureStartingCRLNumber entering."); + cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() ); + + } private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException { CMS.debug("CAInstallerService:disableCRLCachingAndGenerationForClone entering."); diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 890f7d0..cd9d3c8 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -234,6 +234,9 @@ public class ConfigurationRequest { @XmlElement protected String sharedDBUserDN; + @XmlElement + protected String startingCRLNumber; + public ConfigurationRequest() { // required for JAXB } @@ -932,6 +935,14 @@ public class ConfigurationRequest { this.subordinateSecurityDomainName = subordinateSecurityDomainName; } + public String getStartingCRLNumber() { + return startingCRLNumber; + } + + public void setStartingCRLNumber(String startingCRLNumber) { + this.startingCRLNumber = startingCRLNumber; + } + @Override public String toString() { return "ConfigurationRequest [pin=XXXX" + 
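Review bot: `configureStartingCRLNumber(request);` is placed inside the try block whose catch rethrows every failure as "Errors in determining if security domain host is a master CA", so a bad or missing starting CRL number in the request would be reported under an unrelated message. Move the call after the `catch`, or give it its own handler that names the parameter, e.g. `throw new PKIException("Invalid starting CRL number: " + e.getMessage());`. The enclosing method starts before this hunk.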
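Review bot: `cs.putString("ca.crl.MasterCRL.startingCrlNumber", data.getStartingCRLNumber())` stores the request value unvalidated: the field is optional in ConfigurationRequest, so a client other than pkispawn may leave it null, and a non-numeric string is written straight into CS.cfg and only fails later, when CRLIssuingPoint first creates the issuing-point record — long after the installer reported success. Parse it here with `java.math.BigInteger` (import needed), reject negative or non-numeric values with the `PKIException` this class already throws, and skip the write when the value is absent so the CA-side default of zero applies. The commit message spells the key `ca.crl.MasterCrl.startingCrlNumber` while the code writes `MasterCRL`; CRLIssuingPoint reads it via `getSubStore(mId)`, so whichever matches the master issuing-point id is right and the other should be corrected.
```java
private void configureStartingCRLNumber(ConfigurationRequest data) {
    CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
    String value = data.getStartingCRLNumber();
    if (value == null || value.trim().isEmpty()) {
        return; // not supplied: CRLIssuingPoint falls back to 0
    }
    BigInteger start;
    try {
        start = new BigInteger(value.trim());
    } catch (NumberFormatException e) {
        throw new PKIException("Invalid starting CRL number: " + value);
    }
    if (start.signum() < 0) {
        throw new PKIException("Starting CRL number must not be negative: " + value);
    }
    cs.putString("ca.crl.MasterCRL.startingCrlNumber", start.toString());
}
```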
@@ -995,6 +1006,7 @@ public class ConfigurationRequest { ", setupReplication=" + setupReplication + ", subordinateSecurityDomainName=" + subordinateSecurityDomainName + ", reindexData=" + reindexData + + ", startingCrlNumber=" + startingCRLNumber + "]"; } diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 4919cb4..3a7e005 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -296,6 +296,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name pki_ca_signing_token=Internal Key Storage Token pki_ca_signing_csr_path= pki_ca_signing_cert_path= +pki_ca_starting_crl_number=0 pki_external=False pki_req_ext_add=False # MS subca request ext data diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 6ac68b1..8a1dbdd 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -4113,6 +4113,10 @@ class ConfigClient: if self.subsystem == "TPS": self.set_tps_parameters(data) + # Misc CA parameters + if self.subsystem == "CA": + data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number'] + return data def save_admin_csr(self): -- 1.8.3.1 From f990cb0dee46df211c2c7212ca0165465b5f3531 Mon Sep 17 00:00:00 2001 
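Review bot: `data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']` forwards the raw config string, so a typo in `pki_ca_starting_crl_number` is not caught by pkispawn but travels to the CA and is persisted in CS.cfg. Fail fast on the client side with `value = self.mdict['pki_ca_starting_crl_number']` / `if int(value) < 0: raise ValueError('pki_ca_starting_crl_number must be >= 0')` / `data.startingCRLNumber = str(int(value))`, which also normalises whitespace and leading zeros before the value reaches the server; the project may prefer its usual `config.pki_log.error(...)` reporting over a bare ValueError. The enclosing method starts before this hunk.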
From: "Endi S. Dewata" Date: Sun, 24 Jul 2016 07:36:36 +0200 Subject: [PATCH 67/96] Added upgrade scripts to fix server library. An upgrade script has been added to replace the /common in existing instances with a link to /usr/share/pki/server/common which contains links to server dependencies. https://fedorahosted.org/pki/ticket/2403 --- base/common/upgrade/10.3.4/.gitignore | 4 +++ base/common/upgrade/10.3.5/.gitignore | 4 +++ base/server/upgrade/10.3.4/.gitignore | 4 +++ base/server/upgrade/10.3.5/01-FixServerLibrary | 46 ++++++++++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 base/common/upgrade/10.3.4/.gitignore create mode 100644 base/common/upgrade/10.3.5/.gitignore create mode 100644 base/server/upgrade/10.3.4/.gitignore create mode 100644 base/server/upgrade/10.3.5/01-FixServerLibrary diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore new file mode 100644 index 0000000..5e7d273 --- /dev/null +++ b/base/common/upgrade/10.3.4/.gitignore @@ -0,0 +1,4 @@ +# Ignore everything in this directory +* +# Except this file +!.gitignore diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore new file mode 100644 index 0000000..5e7d273 --- /dev/null +++ b/base/common/upgrade/10.3.5/.gitignore @@ -0,0 +1,4 @@ +# Ignore everything in this directory +* +# Except this file +!.gitignore diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore new file mode 100644 index 0000000..5e7d273 --- /dev/null +++ b/base/server/upgrade/10.3.4/.gitignore @@ -0,0 +1,4 @@ +# Ignore everything in this directory +* +# Except this file +!.gitignore diff --git a/base/server/upgrade/10.3.5/01-FixServerLibrary b/base/server/upgrade/10.3.5/01-FixServerLibrary new file mode 100644 index 0000000..79d4965 --- /dev/null +++ b/base/server/upgrade/10.3.5/01-FixServerLibrary 
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import shutil
+import pki.server.upgrade
+
+
+class FixServerLibrary(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+        super(FixServerLibrary, self).__init__()
+        self.message = 'Fix server library'
+
+    def upgrade_instance(self, instance):
+
+        common_dir = os.path.join(instance.base_dir, 'common')
+
+        # if /common is already a link, skip
+        if os.path.islink(common_dir):
+            return
+
+        # remove old /common
+        shutil.rmtree(common_dir)
+
+        # link /common to /usr/share/pki/server/common
+        os.symlink('/usr/share/pki/server/common', common_dir)
+        os.lchown(common_dir, instance.uid, instance.gid)
-- 
1.8.3.1

From ba1e18ba4c9c47930efa0cdfc46fe326f71d3cd4 Mon Sep 17 00:00:00 2001
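Review bot: `shutil.rmtree(common_dir)` runs unconditionally once `common_dir` is not a link, so an instance whose `/common` is already missing (for example a re-run after a partly applied upgrade) aborts the scriptlet with an OSError instead of just creating the link; guard it with `if os.path.isdir(common_dir): shutil.rmtree(common_dir)`. The script also runs as root under `/usr/bin/python` (Python 2, whose rmtree is not resistant to symlink races) against a tree inside the instance directory; if that tree is writable by the service user, a compromised service account could swap an entry for a symlink during the walk and have root unlink files elsewhere. Confirm the ownership of `<instance>/common` and, if it is not root-owned, check with `os.lstat` that it is a plain directory before removal and record the assumption in a comment, e.g. `# assumes <instance>/common is not writable by the service user`.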
From: "Endi S. Dewata" Date: Wed, 27 Jul 2016 19:51:37 +0200 Subject: [PATCH 68/96] Fixed SELinux contexts. The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances. https://fedorahosted.org/pki/ticket/2421 --- base/server/etc/default.cfg | 2 +- base/server/python/pki/server/__init__.py | 7 ++++- base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 ++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 3a7e005..24e4a43 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -39,10 +39,10 @@ spawn_scriplets= infrastructure_layout instance_layout subsystem_layout - selinux_setup webapp_deployment slot_substitution security_databases + selinux_setup configuration finalization diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 03bb225..13b3258 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -39,7 +39,10 @@ import pki.nssdb import pki.util INSTANCE_BASE_DIR = '/var/lib/pki' +CONFIG_BASE_DIR = '/etc/pki' +LOG_BASE_DIR = '/var/log/pki' REGISTRY_DIR = '/etc/sysconfig/pki' + SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps'] SUBSYSTEM_CLASSES = {} @@ -476,7 +479,9 @@ class PKIInstance(object): else: self.base_dir = os.path.join(pki.BASE_DIR, name) - self.conf_dir = os.path.join(self.base_dir, 'conf') + self.conf_dir = os.path.join(CONFIG_BASE_DIR, name) + self.log_dir = os.path.join(LOG_BASE_DIR, name) + self.password_conf = os.path.join(self.conf_dir, 'password.conf') self.external_certs_conf = os.path.join( self.conf_dir, 'external_certs.conf') 
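Review bot: The new `self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)` and `self.log_dir` hard-code the default `/etc/pki/<name>` and `/var/log/pki/<name>` layout, whereas the old `os.path.join(self.base_dir, 'conf')` followed whatever the instance actually uses, so an instance deployed with a non-default configuration or log path would now have `password.conf` and `external_certs.conf` resolved to paths that may not exist. If non-default layouts are meant to be unsupported, say so on these lines, e.g. `# assumes the default layout; conf/log paths are not read from the instance`; otherwise derive them from the instance's own links (presumably `conf` and `logs` under `base_dir`, as the deployment code creates a logs link) via `os.path.realpath(...)` and fall back to the constants. The `__init__` this belongs to starts and ends outside the hunk.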
diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
new file mode 100644
index 0000000..f3d981e
--- /dev/null
+++ b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import selinux
+import pki.server.upgrade
+
+
+class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+        super(FixSELinuxContexts, self).__init__()
+        self.message = 'Fix SELinux contexts'
+
+    def upgrade_instance(self, instance):
+
+        selinux.restorecon(instance.base_dir, True)
+        selinux.restorecon(instance.conf_dir, True)
+        selinux.restorecon(instance.log_dir, True)
-- 
1.8.3.1

From 0f6ddc442d2ac2c166126295dbce32f0c682e0fe Mon Sep 17 00:00:00 2001
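Review bot: `selinux.restorecon(...)` runs unconditionally and `import selinux` is at module level, so on a host where SELinux is disabled or the libselinux Python bindings are absent the scriptlet raises and, presumably, aborts the remainder of the upgrade run. Add `if not selinux.is_selinux_enabled(): return` at the top of `upgrade_instance`, and guard the import (`try: import selinux` / `except ImportError: selinux = None`, returning early when it is None) so the fix is a no-op rather than a failure where there is nothing to relabel. Note also that `instance.conf_dir` and `instance.log_dir` only exist because of the `PKIInstance` change in this same patch; if the scriptlet is ever applied without it, both calls raise AttributeError.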
From: Ade Lee Date: Thu, 28 Jul 2016 10:36:50 +0100 Subject: [PATCH 70/96] Re-license the python client files to LGPLv3 --- base/common/LICENSE.LESSER | 170 +++++++++++++++++++++++++++++++++ base/common/python/pki/__init__.py | 13 +-- base/common/python/pki/account.py | 13 +-- base/common/python/pki/authority.py | 13 +-- base/common/python/pki/cert.py | 13 +-- base/common/python/pki/cli/__init__.py | 13 +-- base/common/python/pki/cli/pkcs12.py | 13 +-- base/common/python/pki/client.py | 13 +-- base/common/python/pki/crypto.py | 13 +-- base/common/python/pki/encoder.py | 17 ++++ base/common/python/pki/feature.py | 13 +-- base/common/python/pki/key.py | 13 +-- base/common/python/pki/kra.py | 13 +-- base/common/python/pki/nssdb.py | 13 +-- base/common/python/pki/profile.py | 13 +-- base/common/python/pki/system.py | 13 +-- base/common/python/pki/systemcert.py | 13 +-- base/common/python/pki/upgrade.py | 13 +-- base/common/python/pki/util.py | 13 +-- base/common/python/setup.py | 16 ++-- 20 files changed, 314 insertions(+), 110 deletions(-) create mode 100644 base/common/LICENSE.LESSER diff --git a/base/common/LICENSE.LESSER b/base/common/LICENSE.LESSER new file mode 100644 index 0000000..ca70b83 --- /dev/null +++ b/base/common/LICENSE.LESSER 
@@ -0,0 +1,170 @@ +The Python client code is released under LGPLv3+. +This license is provided below: +****************************************************************************** + + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. 
Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. + + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. 
+ + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. + + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. 
(If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. + + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. 
+ + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py index 4c4b88a..5d2a143 100644 --- a/base/common/python/pki/__init__.py +++ b/base/common/python/pki/__init__.py @@ -2,17 +2,18 @@ # Endi S. Dewata # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. +# it under the terms of the Lesser GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License or +# (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# GNU Lesser General Public License for more details. # -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# You should have received a copy of the GNU Lesser General Public License +# along with this program; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Copyright (C) 2013 Red Hat, Inc. # All rights reserved. diff --git a/base/common/python/pki/account.py b/base/common/python/pki/account.py index ee7507b..62d22fc 100644 --- a/base/common/python/pki/account.py +++ b/base/common/python/pki/account.py 
@@ -2,17 +2,18 @@ # Endi S. Dewata # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. +# it under the terms of the Lesser GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License or +# (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# GNU Lesser General Public License for more details. # -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# You should have received a copy of the GNU Lesser General Public License +# along with this program; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Copyright (C) 2013 Red Hat, Inc. # All rights reserved. diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py index 8827db8..00c6fd9 100644 --- a/base/common/python/pki/authority.py +++ b/base/common/python/pki/authority.py 
@@ -1,15 +1,16 @@
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2014 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py
index 05db87c..c53d757 100644
--- a/base/common/python/pki/cert.py
+++ b/base/common/python/pki/cert.py
@@ -1,15 +1,16 @@
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2014 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/cli/__init__.py b/base/common/python/pki/cli/__init__.py
index 3be9cce..2bed317 100644
--- a/base/common/python/pki/cli/__init__.py
+++ b/base/common/python/pki/cli/__init__.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2015 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index ded79c7..8934d33 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2016 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 230c236..7e91046 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 60e83c9..86fa16e 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -2,17 +2,18 @@
 # Ade Lee
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
index f830601..8485ab8 100644
--- a/base/common/python/pki/encoder.py
+++ b/base/common/python/pki/encoder.py
@@ -1,3 +1,20 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
 from __future__ import absolute_import
 
 import base64
diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py
index 45af63c..0e5171d 100644
--- a/base/common/python/pki/feature.py
+++ b/base/common/python/pki/feature.py
@@ -1,15 +1,16 @@
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2014 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index 28c0e96..14e0b14 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -1,15 +1,16 @@
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
index 522773b..b98f856 100644
--- a/base/common/python/pki/kra.py
+++ b/base/common/python/pki/kra.py
@@ -3,17 +3,18 @@
 # Ade Lee
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index f563fd8..a0b0302 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2015 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py
index c463a6b..a2e7621 100644
--- a/base/common/python/pki/profile.py
+++ b/base/common/python/pki/profile.py
@@ -1,15 +1,16 @@
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2014 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py
index 45aa0d6..cbb908f 100644
--- a/base/common/python/pki/system.py
+++ b/base/common/python/pki/system.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/systemcert.py b/base/common/python/pki/systemcert.py
index ed41be9..9bf4678 100644
--- a/base/common/python/pki/systemcert.py
+++ b/base/common/python/pki/systemcert.py
@@ -2,17 +2,18 @@
 # Ade Lee
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py
index 2261ba8..3106c70 100644
--- a/base/common/python/pki/upgrade.py
+++ b/base/common/python/pki/upgrade.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 2cac1d8..95a3670 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -2,17 +2,18 @@
 # Endi S. Dewata
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2013 Red Hat, Inc.
 # All rights reserved.
diff --git a/base/common/python/setup.py b/base/common/python/setup.py
index 2ab0337..86e0704 100644
--- a/base/common/python/setup.py
+++ b/base/common/python/setup.py
@@ -2,17 +2,17 @@
 # Christian Heimes
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Copyright (C) 2015 Red Hat, Inc.
 # All rights reserved.
@@ -81,7 +81,7 @@ hardened by real-world deployments. It supports all aspects of certificate
 lifecycle management, including key archival, OCSP and smartcard management,
 and much more. The Dogtag Certificate System can be downloaded for free
 and set up in less than an hour.""",
- license='GPL',
+ license='LGPLv3+',
 keywords='pki x509 cert certificate',
 url='http://pki.fedoraproject.org/',
 packages=['pki', 'pki.cli'],
@@ -93,7 +93,7 @@ and set up in less than an hour.""",
 'Operating System :: OS Independent',
 'Programming Language :: Python :: 2.7',
 'Programming Language :: Python :: 3.4',
- 'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
+ 'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
 'Topic :: Security :: Cryptography',
 ],
 )
-- 1.8.3.1
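Review bot: The rewritten header in the first hunk reads `+# the Free Software Foundation; version 3 of the License.` with no "or later" clause, while the `license='LGPLv3+'` field and the `GNU Lesser General Public License v3+ (LGPLv3+)` classifier in the same file, and every other header in this series, grant version 3 or any later version. The three statements in one package should agree; suggest `# the Free Software Foundation; either version 3 of the License or` followed by `# (at your option) any later version.` as in the other files. Also, the licence's official name is "GNU Lesser General Public License", not "Lesser GNU General Public License" as the first added line puts it (the same wording appears in every header of this series).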
From d85080be85eb54756d9db69302a6117cef063017 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 29 Jul 2016 12:23:39 +0100 Subject: [PATCH 71/96] Do slot substitution for SERVER_KEYGEN Ticket 2418 --- base/server/config/pkislots.cfg | 1 + base/server/python/pki/server/deployment/pkiparser.py | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 473b0da..3873b83 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -64,6 +64,7 @@ PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
 PKI_USER_SLOT=[PKI_USER]
 PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
 PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
+SERVER_KEYGEN_SLOT=[SERVER_KEYGEN]
 TOKENDB_HOST_SLOT=[TOKENDB_HOST]
 TOKENDB_PORT_SLOT={TOKENDB_PORT]
 TOKENDB_ROOT_SLOT=[TOKENDB_ROOT]
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index d940e2c..622f87e 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -941,6 +941,8 @@ class PKIConfigParser:
 "tomcat"
 self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
 "webapps"
+ self.mdict['SERVER_KEYGEN_SLOT'] = \
+ self.mdict['pki_enable_server_side_keygen']
 self.mdict['TOMCAT_CFG_SLOT'] = \
 self.mdict['pki_target_tomcat_conf']
 self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
-- 1.8.3.1 From 7cfff9fb0c08d08f57d6229cb8a67d7c94f785aa Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 29 Jul 2016 14:42:35 +0100 Subject: [PATCH 72/96] Fix client-cert-import to set provided trust bits Ticket 2412 --- .../netscape/cmstools/client/ClientCertImportCLI.java | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
index 9625440..a920079 100644
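Review bot: The context line `TOKENDB_PORT_SLOT={TOKENDB_PORT]` two lines below the new `SERVER_KEYGEN_SLOT=[SERVER_KEYGEN]` entry opens with a curly brace and closes with a square bracket, so whatever performs the `[NAME]` substitution will presumably never match that slot and the literal text stays in the generated file. It is pre-existing rather than introduced here, but this hunk is the natural place to fix it to `TOKENDB_PORT_SLOT=[TOKENDB_PORT]`, and a scan of the rest of the table for the same typo is worth a minute.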
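Review bot: `self.mdict['pki_enable_server_side_keygen']` on the new continuation line indexes the deployment dictionary directly, so a deployment configuration that does not carry that key aborts slot substitution with a bare KeyError instead of a clear message; the neighbouring slots (`pki_target_tomcat_conf`) are read the same way, so this is safe only if the key is guaranteed by the default config, which is not visible in this hunk. If it is not guaranteed, `self.mdict.get('pki_enable_server_side_keygen', ...)` with whatever literal the consumer of `[SERVER_KEYGEN]` treats as disabled would make server-side key generation fail closed rather than fail the deployment. A short comment would also help the next reader, since the value is copied verbatim into the target file: `# Substituted verbatim for [SERVER_KEYGEN]; the consumer expects the literal from pki_enable_server_side_keygen - confirm accepted spellings`. The enclosing method starts before this hunk.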
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
@@ -83,7 +83,7 @@ public class ClientCertImportCLI extends CLI {
 option.setArgName("serial number");
 options.addOption(option);
 
- option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u.");
+ option = new Option(null, "trust", true, "Trust attributes.");
 option.setArgName("trust attributes");
 options.addOption(option);
 }
@@ -140,13 +140,16 @@ public class ClientCertImportCLI extends CLI {
 String pkcs12PasswordPath = cmd.getOptionValue("pkcs12-password-file");
 boolean importFromCAServer = cmd.hasOption("ca-server");
 String serialNumber = cmd.getOptionValue("serial");
- String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
+ String trustAttributes = cmd.getOptionValue("trust");
 
 // load the certificate
 if (certPath != null) {
 
 if (verbose) System.out.println("Importing certificate from " + certPath + ".");
 
+ if (trustAttributes == null)
+ trustAttributes = "u,u,u";
+
 importCert(
 mainCLI.certDatabase.getAbsolutePath(),
 certPath,
@@ -157,7 +160,8 @@ public class ClientCertImportCLI extends CLI {
 
 if (verbose) System.out.println("Importing CA certificate from " + caCertPath + ".");
 
- trustAttributes = "CT,c,";
+ if (trustAttributes == null)
+ trustAttributes = "CT,c,";
 
 importCert(
 mainCLI.certDatabase.getAbsolutePath(),
@@ -218,7 +222,8 @@ public class ClientCertImportCLI extends CLI {
 out.write(bytes);
 }
 
- trustAttributes = "CT,c,";
+ if (trustAttributes == null)
+ trustAttributes = "CT,c,";
 
 importCert(
 mainCLI.certDatabase.getAbsolutePath(),
@@ -250,6 +255,9 @@ public class ClientCertImportCLI extends CLI {
 out.write(encoded);
 }
 
+ if (trustAttributes == null)
+ trustAttributes = "u,u,u";
+
 importCert(
 mainCLI.certDatabase.getAbsolutePath(),
 certFile.getAbsolutePath(),
-- 1.8.3.1 From e46fdb07d014368bb506b02d4ca9fafda672800a Mon Sep 17 00:00:00 2001
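Review bot: The `--trust` help string in the first hunk was cut to `"Trust attributes."`, yet the option now has two different implicit defaults, `u,u,u` for a user certificate and `CT,c,` for a CA certificate (second to fifth hunks), and nothing tells the operator that, or that an explicit value overrides the CA default; suggest `"Trust attributes. Default: u,u,u for certificates, CT,c, for CA certificates."`. Separately, a user-supplied value is now handed to `importCert` unchanged in all four paths, and `importCert` is not in these hunks, so unless it validates the string a typo such as `CT,C,` or a value with the wrong number of comma-separated fields goes straight into the NSS trust setting; a check against the `[pPcCTu]*,[pPcCTu]*,[pPcCTu]*` form with a clear error before the first `importCert` call would be cheap. Since the trust flags decide which certificates the client's NSS database will later accept as issuers, the new override also deserves a line in the command's man page. The enclosing method continues outside these hunks.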
From: "Endi S. Dewata" Date: Sat, 30 Jul 2016 00:23:48 +0200 Subject: [PATCH 73/96] Added log message in PKIClient. To help troubleshooting the PKIClient class has been modified to log the certificate chain retrieved from the CA. https://fedorahosted.org/pki/ticket/2399 --- base/common/src/com/netscape/certsrv/client/PKIClient.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java index 5c13554..8cad382 100644 --- a/base/common/src/com/netscape/certsrv/client/PKIClient.java +++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java @@ -32,6 +32,7 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; +import org.apache.commons.codec.binary.Base64; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NicknameConflictException; import org.mozilla.jss.CryptoManager.NotInitializedException; @@ -177,7 +178,15 @@ public class PKIClient { Element element = (Element)list.item(0); String encodedChain = element.getTextContent(); - return Utils.base64decode(encodedChain); + byte[] bytes = Utils.base64decode(encodedChain); + + if (verbose) { + System.out.println("-----BEGIN PKCS7-----"); + System.out.print(new Base64(64).encodeToString(bytes)); + System.out.println("-----END PKCS7-----"); + } + + return bytes; } public X509Certificate importCertPackage(byte[] bytes, String nickname) -- 1.8.3.1 From 1b246d46671472d0b395957d3e550e54c3068758 Mon Sep 17 00:00:00 2001 
From: Matthew Harmsen Date: Mon, 1 Aug 2016 16:36:00 -0600 Subject: [PATCH 74/96] pki-tools man pages * PKI TRAC Ticket #690 - [MAN] pki-tools man pages - AtoB, - BtoA, - KRATool, - PrettyPrintCert, and - PrettyPrintCrl --- base/java-tools/man/man1/AtoB.1 | 56 ++++ base/java-tools/man/man1/BtoA.1 | 56 ++++ base/java-tools/man/man1/KRATool.1 | 459 +++++++++++++++++++++++++++++ base/java-tools/man/man1/PrettyPrintCert.1 | 204 +++++++++++++ base/java-tools/man/man1/PrettyPrintCrl.1 | 141 +++++++++ 5 files changed, 916 insertions(+) create mode 100644 base/java-tools/man/man1/AtoB.1 create mode 100644 base/java-tools/man/man1/BtoA.1 create mode 100644 base/java-tools/man/man1/KRATool.1 create mode 100644 base/java-tools/man/man1/PrettyPrintCert.1 create mode 100644 base/java-tools/man/man1/PrettyPrintCrl.1 diff --git a/base/java-tools/man/man1/AtoB.1 b/base/java-tools/man/man1/AtoB.1 new file mode 100644 index 0000000..228e3e0 --- /dev/null +++ b/base/java-tools/man/man1/AtoB.1 
@@ -0,0 +1,56 @@ +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH AtoB 1 "July 20, 2016" "version 10.3" "PKI ASCII to Binary Conversion Tool" Dogtag Team +.\" Please adjust this date whenever revising the man page. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for man page specific macros, see man(7) +.SH NAME +AtoB \- Convert ASCII base-64 encoded data to binary base-64 encoded data. + +.SH SYNOPSIS +.PP +\fBAtoB \fP + +.SH DESCRIPTION +.PP +The \fBAtoB\fP command provides a command-line utility used to convert ASCII base-64 encoded data to binary base-64 encoded data. + +.SH OPTIONS +.PP +The following parameters are mandatory: +.TP +.B +Specifies the path to the file containing the base-64 encoded ASCII data. + +.TP +.B +Specifies the path to the file where the utility should write the binary output. + +.SH EXAMPLES +.PP +This example command takes the base-64 ASCII data in the \fBascii_data.pem\fP file and writes the binary equivalent of the data to the \fBbinary_data.der\fP file: +.IP +.nf +AtoB ascii_data.pem binary_data.der +.if + +.SH AUTHORS +Matthew Harmsen . + +.SH COPYRIGHT +Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public +License, version 2 (GPLv2). A copy of this license is available at +http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. + +.SH SEE ALSO +.BR BtoA(1), pki(1) diff --git a/base/java-tools/man/man1/BtoA.1 b/base/java-tools/man/man1/BtoA.1 new file mode 100644 index 0000000..95c742d --- /dev/null +++ b/base/java-tools/man/man1/BtoA.1 
@@ -0,0 +1,56 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH BtoA 1 "July 20, 2016" "version 10.3" "PKI Binary to ASCII Conversion Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+BtoA \- Convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH SYNOPSIS
+.PP
+\fBBtoA \fP
+
+.SH DESCRIPTION
+.PP
+The \fBBtoA\fP command provides a command-line utility used to convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.TP
+.B
+Specifies the path to the file which contains the base-64 encoded binary data.
+
+.TP
+.B
+Specifies the path to the file where the utility should write the ASCII output.
+
+.SH EXAMPLES
+.PP
+This example command takes the base-64 binary data in the \fBbinary_data.der\fP file and writes the ASCII equivalent of the data to the \fBascii_data.pem\fP file:
+.IP
+.nf
+BtoA binary_data.der ascii_data.pem
+.if
+
+.SH AUTHORS
+Matthew Harmsen .
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR AtoB(1), pki(1)
diff --git a/base/java-tools/man/man1/KRATool.1 b/base/java-tools/man/man1/KRATool.1
new file mode 100644
index 0000000..b04cd2b
--- /dev/null
+++ b/base/java-tools/man/man1/KRATool.1
@@ -0,0 +1,459 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH KRATool 1 "July 18, 2016" "version 10.3" "PKI Key Recovery Authority (KRA) Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+KRATool \- Command-Line utility used to export private keys from one or more KRA instances (generally legacy) into a KRA instance (generally modern); during the process of moving the keys, the KRATool can rewrap keys, renumber keys, or both.
+
+.SH SYNOPSIS
+.PP
+The syntax for rewrapping keys:
+.IP
+.nf
+\fBKRATool\fR -kratool_config_file
+ -source_ldif_file
+ -target_ldif_file
+ -log_file
+ [-source_pki_security_database_path
+ -source_storage_token_name
+ -source_storage_certificate_nickname
+ -target_storage_certificate_file
+ [-source_pki_security_database_pwdfile ]]
+ [-source_kra_naming_context -target_kra_naming_context ]
+ [-process_requests_and_key_records_only]
+.fi
+.PP
+The syntax for renumbering keys:
+.IP
+.nf
+\fBKRATool\fR -kratool_config_file
+ -source_ldif_file
+ -target_ldif_file
+ -log_file
+ [-append_id_offset | -remove_id_offset ]
+ [-source_kra_naming_context -target_kra_naming_context ]
+ [-process_requests_and_key_records_only]
+.fi
+
+.SH DESCRIPTION
+.PP
+The \fBKRATool\fR command provides a command-line utility used to rewrap keys, renumber keys, or both. For example, some private keys (mainly in older deployments) were wrapped in SHA-1, 1024-bit storage keys when they were archived in the Key Recovery Authority (KRA).
These algorithms have become less secure as processor speeds improve and algorithms have been broken. As a security measure, it is possible to rewrap the private keys in a new, stronger storage key (SHA-256, 2048-bit keys).
+.TP
+\fBNote:\fP
+Because the KRATool utility can export private keys from one KRA, rewrap them with a new storage key, and then import them into a new KRA, this tool can be used as part of a process of combining multiple KRA instances into a single KRA.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory for both rewrapping and renumbering keys:
+.TP
+.B -kratool_config_file
+Gives the complete path and filename of the configuration file used by the tool. This configuration process tells the tool how to process certain parameters in the existing key records, whether to apply any formatting changes (like changing the naming context or adding an offset) or even whether to update the modify date. The configuration file is required and a default file is included with the tool. The file format is described in the section entitled
+.B Configuration File (.cfg).
+
+.TP
+.B -source_ldif_file
+Gives the complete path and filename of the Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file which contains all of the key data from the old KRA.
+
+.TP
+.B -target_ldif_file
+Gives the complete path and filename of the LDIF file to which the tool will write all of the key data from the new KRA. This file is created by the tool as it runs.
+
+.TP
+.B -log_file
+Gives the path and filename of the log file to use to log the tool progress and messages. This file is created by the tool as it runs.
+
+.PP
+The following parameters are optional for both rewrapping and renumbering keys:
+
+.TP
+.B -source_kra_naming_context
+Gives the naming context of the original KRA instance, the Distinguished Name (DN) element that refers to the original KRA.
Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIalpha.example.com-pki-kra\fP. These entries can be renamed, automatically, from the old KRA instance naming context to the new KRA instance naming context.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+If this argument is used, then the \fB-target_kra_naming_context\fP argument must also be used.
+
+.TP
+.B -target_kra_naming_context
+Gives the naming context of the new KRA instance, the name that the original key entries should be changed too. Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=omega.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIomega.example.com-pki-kra\fP.These entries can be renamed, automatically, from the old KRA instance to the new KRA instance naming context.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+If this argument is used, then the \fB-source_kra_naming_context\fP argument must also be used.
+
+.TP
+.B -process_requests_and_key_records_only
+Removes configuration entries from the source LDIF file, leaving only the key and request entries.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+
+.PP
+The following parameters are optional for rewrapping keys:
+
+.TP
+.B -source_pki_security_database_path
+Gives the full path to the directory which contains the Network Security Services (NSS) security databases used by the old KRA instance.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_storage_token_name
+Gives the name of the token which stores the KRA data, like \fIInternal Key Storage Token\fP for internal tokens or a name like \fINHSM6000-OCS\fP for the hardware token name.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_storage_certificate_nickname
+Gives the nickname of the KRA storage certificate for the old KRA instance. Either this certificate will be located in the security database for the old KRA instance or the security database will contain a pointer to the certificate in the hardware token.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -target_storage_certificate_file
+Gives the path and filename of an ASCII-formatted file of the storage certificate for the new KRA instance. The storage certificate should be exported from the new KRA's databases and stored in an accessible location before running KRATool.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_pki_security_database_pwdfile
+Gives the path and filename to a password file that contains only the password for the storage token given in the \fB-source_storage_token_name\fP option.
+
+This argument is optional when other rewrap parameters are used. If this argument is not used, then the script prompts for the password.
+
+.PP
+The following parameters are optional for renumbering keys:
+
+.TP
+.B -append_id_offset
+Gives an ID number which will be preprended to every imported key, to prevent possible collisions. A unique ID offset should be used for every KRA instance which has keys exported using KRATool.
+
+If \fB-append_id_offset\fP is used, then do not use the \fB-remove_id_offset\fP option.
+
+.TP
+.B -remove_id_offset
+Gives an ID number to remove from the beginning of every imported key.
+
+If \fB-remove_id_offset\fP is used, then do not use the \fB-append_id_offset\fP option.
+
+.SH Configuration File (.cfg)
+.PP
+The required configuration file instructs the KRATool how to process attributes in the key archival and key request entries in the LDIF file. There are six types of entries:
+.IP
+* CA enrollment requests
+* TPS enrollment requests
+* CA key records
+* TPS key records
+* CA and TPS recovery requests (which are treated the same in the KRA)
+.PP
+Each key and key request has an LDAP entry with attributes that are specific to that kind of record. For example, for a recovery request:
+.IP
+.nf
+dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
+objectClass: top
+objectClass: request
+objectClass: extensibleObject
+requestId: 011
+requestState: complete
+dateOfCreate: 20110121181006Z
+dateOfModify: 20110524094652Z
+extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
+ F#9E#98#B3
+extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
+ yTWvwIDAQAB
+extdata-archive: true
+extdata-requesttype: netkeyKeygen
+extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
+extdata-requestversion: 8.1.0
+extdata-requestortype: NETKEY_RA
+extdata-keyrecord: 1
+extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
+ F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
+extdata-userid: jmagne
+extdata-keysize: 1024
+extdata-updatedby: TPS-alpha.example.com-7889
+extdata-dbstatus: UPDATED
+extdata-cuid: 40906145C76224192D2B
+extdata-requeststatus: complete
+extdata-requestid: 1
+extdata-result: 1
+requestType: netkeyKeygen
+cn: 1
+creatorsName: cn=directory manager
+modifiersName: cn=directory manager
+createTimestamp: 20110122021010Z
+modifyTimestamp: 20110122021010Z
+nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
+.if
+
+.PP
+Much of that information passes through the script processing unchanged, so it is entered into the new, target KRA just the same.
However, some of those attributes can and should be edited, like the Common Name (CN) and DN being changed to match the new KRA instance. The fields which can safely be changed are listed in the configuration file for each type of key entry. (Any attribute not listed is not touched by the tool under any circumstances.)
+.PP
+If a field /fIshould/fP be edited — meaning, the tool can update the record ID number or rename the entry — then the value is set to true in the configuration file. For example, this configuration updates the CN, DN, ID number, last modified date, and associated entry notes for all CA enrollment requests:
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest.cn=true
+kratool.ldif.caEnrollmentRequest.dateOfModify=true
+kratool.ldif.caEnrollmentRequest.dn=true
+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
+kratool.ldif.caEnrollmentRequest.requestId=true
+.if
+
+.PP
+If a line is set to true, then the attribute is processed in the LDIF file. By default, all possible attributes are processed. Setting a line to false means that the KRATool skips that attribute and passes the value unchanged. For example, this leaves the last modified time unchanged so that it doesn't update for when the KRATool runs:
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest.dateOfModify=false
+.if
+
+.TP
+\fBNOTE:\fP
+Key enrollments, records, and requests all have an optional notes attribute where administrators can enter notes about the process.
When the KRATool runs, it appends a note to that attribute or adds the attribute with information about the tool running, what operations were performed, and a timestamp:
+.IP
+.nf
+extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!
+.if
+
+.TP
+\fB\fP
+This information is very useful for both audit and maintenance of the KRA, so it is beneficial to keep the extdata.requestNotes parameter for all of the key record types set to true.
+
+.TP
+\fBIMPORTANT:\fP
+Every parameter line in the default \fBkratool.cfg\fP must be present in the \fI.cfg\fP file used when the tool is invoked. No line can be omitted and every line must have a valid value (true or false). If the file is not properly formatted, the KRATool will fail.
+
+.PP
+The formatting of the \fI.cfg\fP file is the same as the formatting used in the instance \fBCS.cfg\fP files.
+
+.PP
+A default \fI.cfg\fP file is included with the KRATool script. This file (shown in the example entitled \fBDefault kratool.cfg File\fP) can be copied and edited into a custom file or edited directly and used with the tool.
+
+.SS Default kratool.cfg File
+.BR
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest._000=########################################
+kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
+kratool.ldif.caEnrollmentRequest._002=########################################
+kratool.ldif.caEnrollmentRequest._003=## ##
+kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
+kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
+kratool.ldif.caEnrollmentRequest._007=## ##
+kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
+kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
+kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
+kratool.ldif.caEnrollmentRequest._011=## ##
+kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
+kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
+kratool.ldif.caEnrollmentRequest._015=## ##
+kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
+kratool.ldif.caEnrollmentRequest._017=## ##
+kratool.ldif.caEnrollmentRequest._018=########################################
+kratool.ldif.caEnrollmentRequest.cn=true
+kratool.ldif.caEnrollmentRequest.dateOfModify=true
+kratool.ldif.caEnrollmentRequest.dn=true
+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
+kratool.ldif.caEnrollmentRequest.requestId=true
+kratool.ldif.caKeyRecord._000=#########################################
+kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
+kratool.ldif.caKeyRecord._002=#########################################
+kratool.ldif.caKeyRecord._003=## ##
+kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
+kratool.ldif.caKeyRecord._006=## data in the following fields: ##
+kratool.ldif.caKeyRecord._007=## ##
+kratool.ldif.caKeyRecord._008=## archivedBy ##
+kratool.ldif.caKeyRecord._009=## ##
+kratool.ldif.caKeyRecord._010=#########################################
+kratool.ldif.caKeyRecord.cn=true
+kratool.ldif.caKeyRecord.dateOfModify=true
+kratool.ldif.caKeyRecord.dn=true
+kratool.ldif.caKeyRecord.privateKeyData=true
+kratool.ldif.caKeyRecord.serialno=true
+kratool.ldif.namingContext._000=############################################
+kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
+kratool.ldif.namingContext._002=############################################
+kratool.ldif.namingContext._003=## ##
+kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
+kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._008=## should be removed via the option to ##
+kratool.ldif.namingContext._009=## process requests and key records only ##
+kratool.ldif.namingContext._010=## if this is a KRA migration): ##
+kratool.ldif.namingContext._011=## ##
+kratool.ldif.namingContext._012=## cn ##
+kratool.ldif.namingContext._013=## sn ##
+kratool.ldif.namingContext._014=## uid ##
+kratool.ldif.namingContext._015=## uniqueMember ##
+kratool.ldif.namingContext._016=## ##
+kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
+kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._021=## should be removed via the option to ##
+kratool.ldif.namingContext._022=## process requests and key records only ##
+kratool.ldif.namingContext._023=## if this is 
a KRA migration): ##
+kratool.ldif.namingContext._024=## ##
+kratool.ldif.namingContext._025=## dc ##
+kratool.ldif.namingContext._026=## dn ##
+kratool.ldif.namingContext._027=## uniqueMember ##
+kratool.ldif.namingContext._028=## ##
+kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
+kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._033=## should be removed via the option to ##
+kratool.ldif.namingContext._034=## process requests and key records only ##
+kratool.ldif.namingContext._035=## if this is a KRA migration): ##
+kratool.ldif.namingContext._036=## ##
+kratool.ldif.namingContext._037=## uid ##
+kratool.ldif.namingContext._038=## uniqueMember ##
+kratool.ldif.namingContext._039=## ##
+kratool.ldif.namingContext._040=## If '-source_naming_context ##
+kratool.ldif.namingContext._041=## original source KRA naming context' ##
+kratool.ldif.namingContext._042=## and '-target_naming_context ##
+kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
+kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
+kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
+kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
+kratool.ldif.namingContext._047=## the following fields in EACH of the ##
+kratool.ldif.namingContext._048=## following types of records: ##
+kratool.ldif.namingContext._049=## ##
+kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
+kratool.ldif.namingContext._051=## ##
+kratool.ldif.namingContext._052=## dn ##
+kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
+kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
+kratool.ldif.namingContext._055=## ##
+kratool.ldif.namingContext._056=## caKeyRecord: ##
+kratool.ldif.namingContext._057=## ##
+kratool.ldif.namingContext._058=## dn ##
+kratool.ldif.namingContext._059=## ##
+kratool.ldif.namingContext._060=## recoveryRequest: ##
+kratool.ldif.namingContext._061=## ##
+kratool.ldif.namingContext._062=## dn ##
+kratool.ldif.namingContext._063=## ##
+kratool.ldif.namingContext._064=## tpsKeyRecord: ##
+kratool.ldif.namingContext._065=## ##
+kratool.ldif.namingContext._066=## dn ##
+kratool.ldif.namingContext._067=## ##
+kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
+kratool.ldif.namingContext._069=## ##
+kratool.ldif.namingContext._070=## dn ##
+kratool.ldif.namingContext._071=## ##
+kratool.ldif.namingContext._072=############################################
+kratool.ldif.recoveryRequest._000=#####################################
+kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
+kratool.ldif.recoveryRequest._002=#####################################
+kratool.ldif.recoveryRequest.cn=true
+kratool.ldif.recoveryRequest.dateOfModify=true
+kratool.ldif.recoveryRequest.dn=true
+kratool.ldif.recoveryRequest.extdata.requestId=true
+kratool.ldif.recoveryRequest.extdata.requestNotes=true
+kratool.ldif.recoveryRequest.extdata.serialnumber=true
+kratool.ldif.recoveryRequest.requestId=true
+kratool.ldif.tpsKeyRecord._000=#########################################
+kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
+kratool.ldif.tpsKeyRecord._002=#########################################
+kratool.ldif.tpsKeyRecord._003=## ##
+kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
+kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
+kratool.ldif.tpsKeyRecord._007=## ##
+kratool.ldif.tpsKeyRecord._008=## archivedBy ##
+kratool.ldif.tpsKeyRecord._009=## ##
+kratool.ldif.tpsKeyRecord._010=#########################################
+kratool.ldif.tpsKeyRecord.cn=true
+kratool.ldif.tpsKeyRecord.dateOfModify=true
+kratool.ldif.tpsKeyRecord.dn=true
+kratool.ldif.tpsKeyRecord.privateKeyData=true
+kratool.ldif.tpsKeyRecord.serialno=true
+kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
+kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
+kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
+kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
+kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
+kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
+kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest.cn=true
+kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
+kratool.ldif.tpsNetkeyKeygenRequest.dn=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
+kratool.ldif.tpsNetkeyKeygenRequest.requestId=true
+.if
+
+.SH EXAMPLES
+.PP
+The KRATool performs two operations: it can rewrap keys with a new private key, and it can renumber attributes in the LDIF file entries for key records, including enrollments and recovery requests. At least one operation (rewrap or renumber) must be performed and both can be performed in a single invocation.
+
+.SS Rewrapping Keys
+.BR
+.PP
+When rewrapping keys, the tool needs to be able to access the original NSS databases for the source KRA and its storage certificate to unwrap the keys, as well as the storage certificate for the new KRA, which is used to rewrap the keys.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert"
+.if
+
+.SS Renumbering Keys
+.BR
+.PP
+When multiple KRA instances are being merged into a single instance, it is important to make sure that no key or request records have conflicting CNs, DNs, serial numbers, or request ID numbers. These values can be processed to append a new, larger number to the existing values.
+.PP
+For the CN, the new number is the addition of the original CN plus the appended number. For example, if the CN is 4 and the append number is 1000000, the new CN is 1000004.
+.PP
+For serial numbers and request IDs, the value is always a digit count plus the value. So a CN of 4 has a serial number of 014, or one digit and the CN value. If the append number is 1000000, the new serial number is 071000004, for seven digits and then the sum of the append number (1000000) and the original value (4).
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -append_id_offset 100000000000
+.if
+
+.SS Restoring the Original Numbering
+.BR
+.PP
+If a number has been appended to key entries, as in the example entitled \fBRenumbering Keys\fP, that number can also be removed. Along with updating the CN, it also reconstructs any associated numbers, like serial numbers and request ID numbers. Undoing a renumbering action may be necessary if the original number wasn't large enough to prevent conflicts or as part of testing a migration or KRA consolidation process.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -remove_id_offset 100000000000
+.if
+
+.SS Renumbering and Rewrapping in a Single Command
+.BR
+.PP
+Rewrapping and renumbering operations can be performed in the same invocation.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert" -append_id_offset 100000000000
+.if
+
+.SH AUTHORS
+Matthew Harmsen .
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pki(1)
diff --git a/base/java-tools/man/man1/PrettyPrintCert.1 b/base/java-tools/man/man1/PrettyPrintCert.1
new file mode 100644
index 0000000..3cfb2f9
--- /dev/null
+++ b/base/java-tools/man/man1/PrettyPrintCert.1
@@ -0,0 +1,204 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PrettyPrintCert 1 "July 20, 2016" "version 10.3" "PKI Certificate Print Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+PrettyPrintCert \- print the contents of a certificate stored as ASCII base-64 encoded data to a readable format.
+
+.SH SYNOPSIS
+.PP
+\fBPrettyPrintCert [-simpleinfo] [output_file]\fP
+
+.SH DESCRIPTION
+.PP
+The \fBPrettyPrintCert\fP command provides a command-line utility used to print the contents of a certificate stored as ASCII base-64 encoded data to a readable format. The output of this command is displayed to standard output, but can be optionally saved into a specified file. An additional non-mandatory option is available which limits the certificate information output of this command for easier parsing.
+
+.SH OPTIONS
+.TP
+.B [-simpleinfo]
+\fBOptional\fP. Prints limited certificate information in an easy to parse format; if this option is not specified, the entire contents of the certificate will be printed.
+
+.TP
+.B
+\fBMandatory\fP. Specifies the path to the file containing the ASCII base-64 encoded certificate.
+
+.TP
+.B [output_file]
+\fBOptional\fP. Specifies the path to the file in which the tool should write the certificate. If this option is not specified, the certificate information is written to the standard output.
+
+.SH EXAMPLES
+.PP
+The following example converts the ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the certificate in the pretty-print form to the output file \fBcert.out\fP:
+.IP
+.nf
+PrettyPrintCert ascii_data.cert cert.out
+.if
+
+.PP
+For this example, the base-64 encoded certificate data in the \fBascii_data.cert\fP looks like the following:
+.IP
+.nf
+-----BEGIN CERTIFICATE-----
+MIIECjCCAvKgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjIwMzEzOFoXDTE3MDExODIxMzEzOFow
+gZwxCzAJBgNVBAYTAlVTMRwwGgYDVQQKDBNFeGFtcGxlIENvcnBvcmF0aW9uMQsw
+CQYDVQQLDAJJUzEpMCcGA1UEAwwgUHJldHR5UHJpbnRDZXJ0IFRlc3QgQ2VydGlm
+aWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMRUwEwYKCZIm
+iZPyLGQBAQwFYWRtaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDn
+Jv8ADWpC7C3Bzb13n9zQwaDW8YfyshZd7lXI0cghJOSfRLT6C10LOi1yhI+7W3NN
+MgYeLDCiRmKfHnqq6lpPg9aZmrxBwrn+30OdP+m1K6Crf6X9wqAWSR/r2hG4NuYi
+ovcJg7ani5h4BL+V0hbUvfEs4o7QfOWjQZcoo2KbOKmRrodAA21XVjWGB1ELQLNN
+hGwmZ6l1rtnN04Ruoclu8LaKMAAzFSH8cHEBtdCgxeDNy+bNnXbjO1wdruFNrars
+W6wdc230AvHRcEUWEvQVq86vHfS4UZ5q0N1ychibrHZXB0/+TUtyKDQGx0K7ELSB
+xgwt9QxEjKlXHiStcGupAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCH
+IzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzABhjJodHRwOi8v
+cGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAOBgNV
+HQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqG
+SIb3DQEBCwUAA4IBAQCgQ/vTCyQ+lHKNDNCtvbul2l6V3Sjzvj0il9t4HtorxoBF
+3FIE6VNpUYFq0AkNS/LjV7ek7LRl8kuuiKaNpqF6RvAIPrABPDh7hE1Gi3Vm+Xw/
+ndodT1AVII3x6xUbRsHu2iUVdZM5xO9ZFwA18nJUznL9q8lEGjj8vVCyFZuplUL+
+pdKqL3SgBNUdyfiV6vywevI9jFoZBlsQbn4EjBs2nNeaFSZhZ1NG6tktSt85fJ51
+IAiZv9Ipq0deHxFgpEywPq9lSrMZnm178PFlzRQUySHSm1pA+ngTydUKqZqAU0vr
+XIDTmj4lE93VPZspnPS94p/0OT4Pe3NKAe+IbIv/
+-----END CERTIFICATE-----
+.if
+
+.PP
+The certificate in pretty-print format in the \fBcert.out\fP file looks like the following:
+.IP
+.nf
+ 
Certificate:
+ Data:
+ Version: v3
+ Serial Number: 0x9
+ Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Issuer: CN=CA Signing Certificate,O=example.com Security Domain
+ Validity:
+ Not Before: Friday, July 22, 2016 2:31:38 PM MDT America/Denver
+ Not After: Wednesday, January 18, 2017 2:31:38 PM MST America/Denver
+ Subject: UID=admin,E=admin@example.com,CN=PrettyPrintCert Test Certificate,OU=IS,O=Example Corporation,C=US
+ Subject Public Key Info:
+ Algorithm: RSA - 1.2.840.113549.1.1.1
+ Public Key:
+ Exponent: 65537
+ Public Key Modulus: (2048 bits) :
+ E7:26:FF:00:0D:6A:42:EC:2D:C1:CD:BD:77:9F:DC:D0:
+ C1:A0:D6:F1:87:F2:B2:16:5D:EE:55:C8:D1:C8:21:24:
+ E4:9F:44:B4:FA:0B:5D:0B:3A:2D:72:84:8F:BB:5B:73:
+ 4D:32:06:1E:2C:30:A2:46:62:9F:1E:7A:AA:EA:5A:4F:
+ 83:D6:99:9A:BC:41:C2:B9:FE:DF:43:9D:3F:E9:B5:2B:
+ A0:AB:7F:A5:FD:C2:A0:16:49:1F:EB:DA:11:B8:36:E6:
+ 22:A2:F7:09:83:B6:A7:8B:98:78:04:BF:95:D2:16:D4:
+ BD:F1:2C:E2:8E:D0:7C:E5:A3:41:97:28:A3:62:9B:38:
+ A9:91:AE:87:40:03:6D:57:56:35:86:07:51:0B:40:B3:
+ 4D:84:6C:26:67:A9:75:AE:D9:CD:D3:84:6E:A1:C9:6E:
+ F0:B6:8A:30:00:33:15:21:FC:70:71:01:B5:D0:A0:C5:
+ E0:CD:CB:E6:CD:9D:76:E3:3B:5C:1D:AE:E1:4D:AD:AA:
+ EC:5B:AC:1D:73:6D:F4:02:F1:D1:70:45:16:12:F4:15:
+ AB:CE:AF:1D:F4:B8:51:9E:6A:D0:DD:72:72:18:9B:AC:
+ 76:57:07:4F:FE:4D:4B:72:28:34:06:C7:42:BB:10:B4:
+ 81:C6:0C:2D:F5:0C:44:8C:A9:57:1E:24:AD:70:6B:A9
+ Extensions:
+ Identifier: Authority Key Identifier - 2.5.29.35
+ Critical: no
+ Key Identifier:
+ BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
+ 8A:EB:BA:B5
+ Identifier: 1.3.6.1.5.5.7.1.1
+ Critical: no
+ Value:
+ 30:40:30:3E:06:08:2B:06:01:05:05:07:30:01:86:32:
+ 68:74:74:70:3A:2F:2F:70:6B:69:2D:64:65:73:6B:74:
+ 6F:70:2E:75:73:65:72:73:79:73:2E:72:65:64:68:61:
+ 74:2E:63:6F:6D:3A:38:30:38:30:2F:63:61:2F:6F:63:
+ 73:70
+ Identifier: Key Usage: - 2.5.29.15
+ Critical: yes
+ Key Usage:
+ Digital Signature
+ Non Repudiation
+ Key Encipherment
+ Identifier: Extended Key Usage: - 2.5.29.37
+ 
Critical: no
+ Extended Key Usage:
+ 1.3.6.1.5.5.7.3.2
+ 1.3.6.1.5.5.7.3.4
+ Signature:
+ Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Signature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ingerPrint
+ MD2:
+ EC:AE:A5:A3:E5:FA:30:3B:34:0E:FD:9D:ED:46:56:03
+ MD5:
+ CB:E1:80:0C:B3:66:DF:CF:3A:2B:A9:C1:F4:88:88:23
+ SHA-1:
+ B6:BA:84:0D:AE:4E:B0:CD:84:71:D8:A4:61:60:A7:2D:
+ 3A:7C:55:46
+ SHA-256:
+ B2:95:9C:8C:B9:3C:7B:9F:FF:8E:BD:92:90:BC:75:F5:
+ BB:0D:96:2C:93:05:20:1B:4C:9D:B9:59:6F:54:25:5B
+ SHA-512:
+ B9:7A:1E:2E:59:8C:6F:76:F5:52:36:AD:A6:62:E9:DD:
+ 00:6E:82:7A:BA:38:1E:29:FC:F8:80:F1:DD:7C:81:92:
+ F1:C2:E3:34:27:1A:7A:EB:95:36:DB:65:41:A2:46:19:
+ FB:14:89:00:B5:8B:DB:AA:33:41:8C:6C:C4:75:CF:17
+.if
+
+.PP
+The following example command takes the same ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the information contained within the certificate to the simple format output file \fBcert.simple\fP:
+.IP
+.nf
+PrettyPrintCert -simpleinfo ascii_data.cert cert.simple
+.if
+
+.PP
+The simple certificate information in the \fBcert.simple\fP output file looks like the following:
+.IP
+.nf
+UID=admin
+E=admin@example.com
+CN=PrettyPrintCert Test Certificate
+OU=IS
+O=Example Corporation
+C=US
+.if
+
+.SH AUTHORS
+Matthew Harmsen .
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR PrettyPrintCrl(1), pki(1)
diff --git a/base/java-tools/man/man1/PrettyPrintCrl.1 b/base/java-tools/man/man1/PrettyPrintCrl.1
new file mode 100644
index 0000000..31a73a0
--- /dev/null
+++ b/base/java-tools/man/man1/PrettyPrintCrl.1
@@ -0,0 +1,141 @@ +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH PrettyPrintCrl 1 "July 20, 2016" "version 10.3" "PKI CRL Print Tool" Dogtag Team +.\" Please adjust this date whenever revising the man page. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for man page specific macros, see man(7) +.SH NAME +PrettyPrintCrl \- reads a certificate revocation list (CRL) stored in an ASCII base-64 encoded file and outputs it in a readable format. + +.SH SYNOPSIS +.PP +\fBPrettyPrintCrl [output_file]\fP + +.SH DESCRIPTION +.PP +The \fBPrettyPrintCrl\fP command provides a command-line utility used to print the contents of a CRL stored as ASCII base-64 encoded data in a file to a readable format. The output of this command is displayed to standard output, but can be optionally saved into a specified file. + +.SH OPTIONS +.TP +.B +\fBMandatory\fP. Specifies the path to the file that contains the ASCII base-64 encoded CRL. + +.TP +.B [output_file] +\fBOptional\fP. Specifies the path to the file to write the CRL. If the output file is not specified, the CRL information is written to the standard output. 
+ +.SH EXAMPLES +.PP +The following example \fBPrettyPrintCrl\fP command takes the ASCII base-64 encoded CRL in the \fBascii_data.crl\fP file and writes the CRL in the pretty-print format to the output file \fBcrl.out\fP: +.IP +.nf +PrettyPrintCrl ascii_data.crl crl.out +.if + +.PP +For this example, the base-64 encoded CRL data in the \fBascii_data.crl\fP looks like the following: +.IP +.nf +-----BEGIN X509 CRL----- +MIICVDCCATwCAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5y +ZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBD +ZXJ0aWZpY2F0ZRcNMTYwNzIyMjExMjUwWhcNMTYwNzIyMjMwMDAwWjCBiDAgAgEK +Fw0xNjA3MjIyMDU1MTZaMAwwCgYDVR0VBAMKAQYwIAIBCRcNMTYwNzIyMjEwMTU2 +WjAMMAoGA1UdFQQDCgEGMCACAQgXDTE2MDcyMjIxMTIyNVowDDAKBgNVHRUEAwoB +ATAgAgEHFw0xNjA3MjIyMTAxNTZaMAwwCgYDVR0VBAMKAQagLzAtMB8GA1UdIwQY +MBaAFLs2mF1ly4jghyM3b1v3r4uK67q1MAoGA1UdFAQDAgEKMA0GCSqGSIb3DQEB +CwUAA4IBAQCjnwpdLVU4sg3GnOFQiHpBuWspevzj0poHQs9b4Uv17o0MC4irftkR +zRBVgwLvdSd5WFEUSbhWVjhS4o4w84BXdmti/+UBS+mOVNxiKqs3Z7Fxcg+mCsiH +SDWT3iiqZVqlPMOKDzIQGj4XeArSBK13qjNdwKzVJZlXYfwzdDtyVKBJcoETXGZ3 +irU8RTXo7OhO6xKDAaHjzVVynjfGdIDaavl1fjwXFufwZBeiXm1zyyFSvDUdny4G +29NTmM2945jCESeR7DV2q1LHG/v2rzCOKTWdPdXTPCics05KzUA4S6X+mp051wkh +yJM2LYpV6lKV6JiczHLrgf5QcqfwSkTX +-----END X509 CRL----- +.if + +.PP +The CRL in pretty-print format in the \fBcrl.out\fP file looks like the following: +.IP +.nf + Certificate Revocation List: + Data: + Version: v2 + Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Issuer: CN=CA Signing Certificate,O=example.com Security Domain + This Update: Friday, July 22, 2016 3:12:50 PM MDT America/Denver + Next Update: Friday, July 22, 2016 5:00:00 PM MDT America/Denver + Revoked Certificates: + Serial Number: 0xA + Revocation Date: Friday, July 22, 2016 2:55:16 PM MDT America/Denver + Extensions: + Identifier: Revocation Reason - 2.5.29.21 + Critical: no + Reason: CA_Compromise + Serial Number: 0x9 + Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver + 
Extensions: + Identifier: Revocation Reason - 2.5.29.21 + Critical: no + Reason: Affiliation_Changed + Serial Number: 0x8 + Revocation Date: Friday, July 22, 2016 3:12:25 PM MDT America/Denver + Extensions: + Identifier: Revocation Reason - 2.5.29.21 + Critical: no + Reason: Key_Compromise + Serial Number: 0x7 + Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver + Extensions: + Identifier: Revocation Reason - 2.5.29.21 + Critical: no + Reason: Certificate_Hold + Extensions: + Identifier: Authority Key Identifier - 2.5.29.35 + Critical: no + Key Identifier: + BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B: + 8A:EB:BA:B5 + Identifier: CRL Number - 2.5.29.20 + Critical: no + Number: 10 + Signature: + Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 + Signature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if + +.SH AUTHORS +Matthew Harmsen . + +.SH COPYRIGHT +Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public +License, version 2 (GPLv2). A copy of this license is available at +http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. + +.SH SEE ALSO +.BR PrettyPrintCert(1), pki(1) -- 1.8.3.1 From ad454dedb6ba7b5161f962fe65f78fb236c1a7fe Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 2 Aug 2016 11:18:31 -0400 Subject: [PATCH 76/96] Fix deployment issue Need to put pki_server_side_keygen in a conditional to avoid breaking other subsystem deployments. Ticket 2418 --- base/server/python/pki/server/deployment/pkiparser.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 622f87e..3e5d355 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py 
@@ -941,8 +941,11 @@ class PKIConfigParser:
 "tomcat"
 self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
 "webapps"
- self.mdict['SERVER_KEYGEN_SLOT'] = \
- self.mdict['pki_enable_server_side_keygen']
+
+ if self.mdict['pki_subsystem'] == "TPS":
+ self.mdict['SERVER_KEYGEN_SLOT'] = \
+ self.mdict['pki_enable_server_side_keygen']
+
 self.mdict['TOMCAT_CFG_SLOT'] = \
 self.mdict['pki_target_tomcat_conf']
 self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
-- 
1.8.3.1

From e6c426eb69e294207a657897fdce0a7b07e4c41d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Tue, 2 Aug 2016 05:15:17 +0200
Subject: [PATCH 77/96] Fixed problem creating links to PKI JAR files.

The CMake create_symlink command fails if the link target does not exist already. Since PKI JAR files may not exist at build time, the commands to create the links to those files have been replaced with the ln -sf command which will create the links regardless of the targets' existence.

https://fedorahosted.org/pki/ticket/2403
---
 base/common/CMakeLists.txt | 8 ++++----
 base/server/CMakeLists.txt | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index dc5cecf..d4b0d7f 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
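Review bot: Guarding the assignment with `if self.mdict['pki_subsystem'] == "TPS":` leaves `SERVER_KEYGEN_SLOT` undefined for every other subsystem, so any template that still carries the matching placeholder (presumably `[SERVER_KEYGEN]`, following the `X_SLOT=[X]` convention used in pkislots.cfg) would now be written out unsubstituted instead of failing loudly; worth confirming that only TPS templates reference it, or assigning a neutral default before the conditional. A one-line why-comment above the block, e.g. `# pki_enable_server_side_keygen is only defined in the [TPS] section of default.cfg`, would explain the guard to the next reader if that is indeed the reason. The enclosing method begins and ends outside the hunk.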
@@ -35,10 +35,10 @@ add_custom_command(
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar lib/ldapjdk.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-cmsutil.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-nsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-nsutil.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tools.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-tools.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 27470f3..be58c05 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
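Review bot: The four replacement lines hard-code `/usr/bin/ln` and spell the link path as `${CMAKE_CURRENT_BINARY_DIR}/lib/...`, while every neighbouring `create_symlink` line uses the `lib/...` form relative to the command's working directory; the mix is confusing to read and the absolute tool path fails on any system where ln is not installed there. Locating the tool once with `find_program(LN_EXECUTABLE ln)` and writing `${LN_EXECUTABLE} -sf ...` keeps it portable, and keeping the relative `lib/...` form would match its neighbours. Because `ln -sf` creates a dangling link without complaint, a missing pki-*.jar is no longer caught at build time but only when the classpath is used; a comment on the first of these lines, such as `# ln -sf instead of create_symlink: the PKI jars may not exist yet at build time`, would record that this is intentional. The same points apply to the two hunks in base/server/CMakeLists.txt that follow.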
@@ -45,7 +45,7 @@ add_custom_command(
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tomcat.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-tomcat.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar
@@ -53,7 +53,7 @@ add_custom_command(
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar
+ COMMAND /usr/bin/ln -sf /usr/lib/java/symkey.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/symkey.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
 COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
-- 
1.8.3.1

From c73f98926d6c3b5bd1fe5e6d7d1f48d5f4e77220 Mon Sep 17 00:00:00 2001
From: Ade Lee 
Date: Wed, 3 Aug 2016 23:55:53 -0400
Subject: [PATCH 78/96] Add pkispawn option to disable Master CRL

---
 base/ca/shared/conf/CS.cfg | 2 +-
 base/server/config/pkislots.cfg | 1 +
 base/server/etc/default.cfg | 1 +
 base/server/python/pki/server/deployment/pkiparser.py | 4 ++++
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 68e79a4..3beb45c 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -578,7 +578,7 @@ ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
 ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
 ca.crl.MasterCRL.dailyUpdates=1:00
 ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
-ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enable=[MASTER_CRL_ENABLE]
 ca.crl.MasterCRL.enableCRLCache=true
 ca.crl.MasterCRL.enableCRLUpdates=true
 ca.crl.MasterCRL.enableCacheTesting=false
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 3873b83..d806c1f 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -1,6 +1,7 @@
 [Tomcat]
 application_version=[APPLICATION_VERSION]
 INSTALL_TIME_SLOT=[INSTALL_TIME]
+MASTER_CRL_ENABLE_SLOT=[MASTER_CRL_ENABLE]
 NUXWDOG_JNI_PATH_SLOT=[NUXWDOG_JNI_PATH]
 PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
 PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 24e4a43..cfbd289 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -335,6 +335,7 @@ pki_ds_database=%(pki_instance_name)s-CA
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
 pki_share_db=False
+pki_master_crl_enable=True
 
 # Default OCSP URI added by AuthInfoAccessExtDefault if the profile
 # config is blank. If both are blank, the value is constructed
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 3e5d355..115f3ca 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -946,6 +946,10 @@ class PKIConfigParser:
 self.mdict['SERVER_KEYGEN_SLOT'] = \
 self.mdict['pki_enable_server_side_keygen']
 
+ if self.mdict['pki_subsystem'] == "CA":
+ self.mdict['MASTER_CRL_ENABLE_SLOT'] = \
+ self.mdict['pki_master_crl_enable']
+
 self.mdict['TOMCAT_CFG_SLOT'] = \
 self.mdict['pki_target_tomcat_conf']
 self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
-- 
1.8.3.1

From d2e8c9c5fb54e39884ecf304a234f8cb52c5a40e Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 4 Aug 2016 16:40:06 -0700
Subject: [PATCH 79/96] Ticket#2428 broken request links for CA's system certs in agent request viewing

This patch fixes the issue that when an agent visit one of the CA's system cert request records, exception is thrown.
---
 .../cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index 3cbf0f9..caf2cf1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -431,7 +431,7 @@ public class ProfileReviewServlet extends ProfileServlet {
 defset.set(ARG_DEF_SYNTAX, defSyntax);
 defset.set(ARG_DEF_CONSTRAINT, defConstraint);
 defset.set(ARG_DEF_NAME, defValueName);
- defset.set(ARG_DEF_VAL, defValue);
+ defset.set(ARG_DEF_VAL, (defValue!=null)? defValue:"");
 deflist.add(defset);
 }
 }
-- 
1.8.3.1

From 7702dae72b59a39b31b52640a9d1a4b5b6ca62ca Mon Sep 17 00:00:00 2001
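Review bot: `MASTER_CRL_ENABLE_SLOT` is filled verbatim from `pki_master_crl_enable`, whose default added to default.cfg in the preceding hunk is the Python-style `True`, so the substituted CS.cfg line becomes `ca.crl.MasterCRL.enable=True` where the literal it replaces was lowercase `true`. If the Java-side config reader compares the value case-sensitively, the Master CRL would end up disabled on a default install; confirm how that property is parsed, or normalise the value to lowercase before assigning it to the slot. The `== "CA"` guard presumably exists because the key is only defined in the [CA] section of default.cfg — a comment saying so, e.g. `# pki_master_crl_enable is only defined for the CA`, would make the pattern (shared with the TPS block just above) self-explanatory. The enclosing method begins and ends outside the hunk.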
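Review bot: The null-guard on the changed line is formatted as `(defValue!=null)? defValue:""` while the surrounding code spaces its operators; `defValue != null ? defValue : ""` reads consistently with its neighbours. The change also only masks the symptom at the presentation layer, so a short comment on why a CA system-cert request can carry a null default value here (e.g. `// system cert requests have no value for this default; render an empty field instead of failing`) would help the next reader, and if the upstream source of the null is known, fixing it there is preferable. The enclosing method begins and ends outside the hunk.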
From: Geetika Kapoor Date: Thu, 28 Jul 2016 02:59:40 -0400 Subject: [PATCH 80/96] Fixed NumberFormatException in tps-cert-find Signed-off-by: Geetika Kapoor --- .../netscape/cmstools/tps/cert/TPSCertFindCLI.java | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java index 9cbdad6..83c977b 100644 --- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java @@ -84,12 +84,24 @@ public class TPSCertFindCLI extends CLI { String filter = cmdArgs.length > 0 ? cmdArgs[0] : null; String tokenID = cmd.getOptionValue("token"); + String string3 = cmd.getOptionValue("start"); + String string4 = cmd.getOptionValue("size"); + Integer start = null; + Integer size = null; - String s = cmd.getOptionValue("start"); - Integer start = s == null ? null : Integer.valueOf(s); + try { + start = string3 == null ? null : Integer.valueOf(string3); + } catch (NumberFormatException e) { + System.err.println("Error: Invalid value for --start parameter: " + string3); + System.exit(-1); + } - s = cmd.getOptionValue("size"); - Integer size = s == null ? null : Integer.valueOf(s); + try { + size = string4 == null ? null : Integer.valueOf(string4); + } catch (NumberFormatException e) { + System.err.println("Error: Invalid value for --size parameter: " + string4); + System.exit(-1); + } TPSCertCollection result = certCLI.certClient.findCerts(filter, tokenID, start, size); -- 1.8.3.1 From 5178567bf5c65d23d3903b0956a47813bdc1fe23 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Tue, 2 Aug 2016 16:46:29 +0530 Subject: [PATCH 81/96] Added check for Subsystem data and request in 'pki-server subsystem-cert-export' Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245 
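Review bot: `string3` and `string4` say nothing about what they hold (the raw `--start` and `--size` option values), and the two try/catch blocks that follow are the same code twice with only the option name changed; a small helper that reads, parses and reports one option keeps a single code path and uniform messages (sketch below, assuming `cmd` is a commons-cli `CommandLine` as the `getOptionValue` calls suggest). Calling `System.exit(-1)` from inside the parsing code also makes this method impossible to unit-test; if the surrounding CLI framework already maps exceptions to an error exit, throwing an exception with the same message would be the better fit. The enclosing method begins and ends outside the hunk.

```java
        Integer start = parseIntegerOption(cmd, "start");
        Integer size = parseIntegerOption(cmd, "size");
        // … unchanged: remainder of the enclosing method (findCerts call) …

    /**
     * Returns the integer value of option --name, or null if the option is absent.
     * Prints an error and exits if the value is not a valid integer.
     */
    private static Integer parseIntegerOption(CommandLine cmd, String name) {
        String value = cmd.getOptionValue(name);
        if (value == null) {
            return null;
        }
        try {
            return Integer.valueOf(value);
        } catch (NumberFormatException e) {
            System.err.println("Error: Invalid value for --" + name + " parameter: " + value);
            System.exit(-1);
            return null; // not reached
        }
    }
```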
Signed-off-by: Abhijeet Kasurde --- base/server/python/pki/server/cli/subsystem.py | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index a44243a..4651d74 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -1,5 +1,6 @@ # Authors: # Endi S. Dewata +# Abhijeet Kasurde # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -14,7 +15,7 @@ # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# Copyright (C) 2015 Red Hat, Inc. +# Copyright (C) 2015-2016 Red Hat, Inc. # All rights reserved. # @@ -654,14 +655,22 @@ class SubsystemCertExportCLI(pki.cli.CLI): sys.exit(1) if cert_file: + cert_data = subsystem_cert.get('data', None) + if cert_data is None: + print("ERROR: Unable to find certificate data for %s" % cert_id) + sys.exit(1) - cert_data = pki.nssdb.convert_cert(subsystem_cert['data'], 'base64', 'pem') + cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') with open(cert_file, 'w') as f: f.write(cert_data) if csr_file: + cert_request = subsystem_cert.get('request', None) + if cert_request is None: + print("ERROR: Unable to find certificate request for %s" % cert_id) + sys.exit(1) - csr_data = pki.nssdb.convert_csr(subsystem_cert['request'], 'base64', 'pem') + csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') with open(csr_file, 'w') as f: f.write(csr_data) -- 1.8.3.1 From f0b1854a8f5cfe97d2d267ea16e4556d94666bb6 Mon Sep 17 00:00:00 2001 
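Review bot: `if cert_data is None:` only catches a missing `data` key; an empty string value passes the check and is handed to `pki.nssdb.convert_cert`, which would likely yield an empty or malformed PEM file rather than the intended error message, and the same applies to `cert_request` further down. `if not cert_data:` and `if not cert_request:` cover both cases, and the explicit default in `.get('data', None)` / `.get('request', None)` is redundant — `subsystem_cert.get('data')` is the idiom. `subsystem_cert` itself starts out as `None` earlier in this method and is only assigned when a cert ID is supplied; it is not visible in the hunk whether the preceding argument check guarantees it is set by the time these lines run, so worth confirming. The enclosing method begins and ends outside the hunk.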
From: Jack Magne Date: Wed, 3 Aug 2016 18:01:23 -0700 Subject: [PATCH 82/96] Fix to sort the output of a cert search by serialno. --- .../src/com/netscape/certsrv/dbs/IDBSSession.java | 35 +++++++- .../certsrv/dbs/certdb/ICertificateRepository.java | 27 ++++++ .../com/netscape/cms/servlet/cert/SrchCerts.java | 4 +- .../cmscore/dbs/CertificateRepository.java | 37 ++++++++- .../src/com/netscape/cmscore/dbs/DBSSession.java | 97 +++++++++++++++++++--- .../cmscore/dbs/DBSSessionDefaultStub.java | 15 +++- 6 files changed, 197 insertions(+), 18 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java index 6569505..9ab2fde 100644 --- a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java @@ -17,11 +17,11 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.dbs; +import netscape.ldap.LDAPSearchResults; + import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; -import netscape.ldap.LDAPSearchResults; - /** * An interface represents the database session. Operations * can be performed with a session. @@ -132,6 +132,21 @@ public interface IDBSSession extends AutoCloseable { * @param base starting point of the search * @param filter search filter * @param maxSize max number of entries + * @param sortAttribute Field to sort the records on + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute) + throws EBaseException; + + + /** + * Searchs for a list of objects that match the + * filter. + * + * @param base starting point of the search + * @param filter search filter + * @param maxSize max number of entries * @param timeLimit timeout limit * @return search results * @exception EBaseException failed to search 
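Review bot: The new Javadoc for `search(String base, String filter, int maxSize,String sortAttribute)` does not say what kind of name `sortAttribute` is (a raw LDAP attribute, or a record attribute the registry maps?) nor that `null` means "no sorting", which is how the DBSSession implementation later in this series treats it; that contract belongs on the interface, e.g. `@param sortAttribute LDAP attribute to sort the results on, or null for no server-side sorting`. Minor: `int maxSize,String sortAttribute` lacks the space after the comma used elsewhere in the file, and the copied summary repeats the `Searchs` misspelling (present in the existing Javadoc, but new text need not inherit it). The same points apply to the `timeLimit` overload in the next hunk and to the two new `searchCertificates` declarations in ICertificateRepository.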
@@ -140,6 +155,22 @@ public interface IDBSSession extends AutoCloseable { int timeLimit) throws EBaseException; /** + * Searchs for a list of objects that match the + * filter. + * + * @param base starting point of the search + * @param filter search filter + * @param maxSize max number of entries + * @param timeLimit timeout limit + * @param sortAttribute Field to sort the records on + * @return search results + * @exception EBaseException failed to search + */ + public IDBSearchResults search(String base, String filter, int maxSize, + int timeLimit, String sortAttribute) throws EBaseException; + + + /** * Retrieves a list of object that satifies the given * filter. * diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java index f113ea0..2efb023 100644 --- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java +++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java 
@@ -239,6 +239,33 @@ public interface ICertificateRepository extends IRepository { * the filter. * * @param filter search filter + * @param maxSize max size to return + * @param timeLimit timeout value + * @param sortAttribute Attribute of ICertRecord to sort the results + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration searchCertificates(String filter, int maxSize, + int timeLimit,String sortAttribute) throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter + * @param maxSize max size to return + * @param sortAttribute Attribute of ICertRecord to sort the results + * @return a list of certificates + * @exception EBaseException failed to search + */ + public Enumeration searchCertificates(String filter, int maxSize, + String sortAttribute) throws EBaseException; + + /** + * Finds a list of certificate records that satisifies + * the filter. + * + * @param filter search filter * @param attrs selected attribute * @param pageSize page size * @return a list of certificates diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java index 508a8df..c55dfea 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java @@ -608,7 +608,9 @@ public class SrchCerts extends CMSServlet { } CMS.debug("Start searching ... " + "filter=" + filter + " maxreturns=" + maxResults + " timelimit=" + timeLimit); - Enumeration e = mCertDB.searchCertificates(filter, maxResults, timeLimit); + + // Do the search with the optional sortAtribute field, giving an assured list of certs sorted by serialno + Enumeration e = mCertDB.searchCertificates(filter, maxResults, timeLimit, "serialno"); int count = 0; 
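Review bot: The comment above the new `searchCertificates` call misspells `sortAtribute`, and the sort key is the bare literal `"serialno"` even though the interface Javadoc added in this commit describes the parameter as an "Attribute of ICertRecord"; if the value is really the LDAP attribute name that ends up in an LDAPSortKey, it should come from the record/schema constants the project already uses (the `CertRecord.ATTR_*` style seen in CertificateRepository) rather than a string, so a schema change cannot silently break the agent search. The comment should also say that the sort is requested as a critical server-side control, because a directory that lacks the sort control or an index on that attribute will now fail this search rather than return unsorted results — a behaviour change for existing deployments. The enclosing method begins and ends outside the hunk.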
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java index d0a604e..8406f36 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java @@ -1124,7 +1124,7 @@ public class CertificateRepository extends Repository ModificationSet mods = new ModificationSet(); if (isAlreadyOnHold) { mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info); - } else { + } else { mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info); } SessionContext ctx = SessionContext.getContext(); @@ -1190,6 +1190,21 @@ public class CertificateRepository extends Repository modifyCertificateRecord(id, mods); } + public Enumeration searchCertificates(String filter, int maxSize,String sortAttribute) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + Enumeration e = null; + + CMS.debug("searchCertificates filter " + filter + " maxSize " + maxSize); + try { + e = s.search(getDN(), filter, maxSize,sortAttribute); + } finally { + if (s != null) + s.close(); + } + return e; + } + public Enumeration searchCertificates(String filter, int maxSize) throws EBaseException { IDBSSession s = mDBService.createSession(); 
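Review bot: The new `searchCertificates(filter, maxSize, sortAttribute)` is a copy of the existing two-argument overload with one extra parameter threaded through; having the old method delegate with `return searchCertificates(filter, maxSize, (String) null);` keeps a single code path. The debug line omits the new parameter — appending `" sortAttribute " + sortAttribute` makes the log useful when a sorted search misbehaves — and the `timeLimit` variant in the next hunk has the same gap plus a missing space in `"searchCertificateswith time limit filter "`. The session is closed in `finally` before the returned enumeration is consumed, which mirrors the existing overload; if that is safe it relies on DBSearchResults not needing the connection afterwards, and a one-line comment saying so would spare the next reader the question.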
@@ -1223,6 +1238,26 @@ public class CertificateRepository extends Repository return v.elements(); } + public Enumeration searchCertificates(String filter, int maxSize, + int timeLimit,String sortAttribute) throws EBaseException { + IDBSSession s = mDBService.createSession(); + Vector v = new Vector(); + + CMS.debug("searchCertificateswith time limit filter " + filter); + try { + IDBSearchResults sr = s.search(getDN(), filter, maxSize, timeLimit,sortAttribute); + while (sr.hasMoreElements()) { + v.add((ICertRecord) sr.nextElement()); + } + } finally { + if (s != null) + s.close(); + } + return v.elements(); + + } + + /** * Returns a list of X509CertImp that satisfies the filter. * diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java index 2bfd5f2..853dfe4 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java @@ -19,6 +19,20 @@ package com.netscape.cmscore.dbs; import java.util.Enumeration; +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPAttributeSet; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPModificationSet; +import netscape.ldap.LDAPSearchConstraints; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPSortKey; +import netscape.ldap.LDAPv2; +import netscape.ldap.controls.LDAPPersistSearchControl; +import netscape.ldap.controls.LDAPSortControl; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; 
@@ -34,18 +48,6 @@ import com.netscape.certsrv.dbs.Modification; import com.netscape.certsrv.dbs.ModificationSet; import com.netscape.certsrv.logging.ILogger; -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.ldap.LDAPModificationSet; -import netscape.ldap.LDAPSearchConstraints; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv2; -import netscape.ldap.controls.LDAPPersistSearchControl; - /** * A class represents the database session. Operations * can be performed with a session. @@ -295,6 +297,40 @@ public class DBSSession implements IDBSSession { } @SuppressWarnings("unchecked") + public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute) + throws EBaseException { + try { + String ldapattrs[] = null; + String ldapfilter = + mDBSystem.getRegistry().getFilter(filter); + + LDAPSearchConstraints cons = new LDAPSearchConstraints(); + + cons.setMaxResults(maxSize); + + if(sortAttribute != null) { + LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute ); + LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true); + cons.setServerControls( sortCtrl ); + } + + LDAPSearchResults res = mConn.search(base, + LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons); + + return new DBSearchResults(mDBSystem.getRegistry(), + res); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) + throw new EDBNotAvailException( + CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE")); + // XXX error handling, should not raise exception if + // entry not found + throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE", + e.toString())); + } + } + + @SuppressWarnings("unchecked") public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit) throws EBaseException { try { 
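Review bot: `new LDAPSortControl(sortOrder, true)` marks the sort control critical, so a directory that does not support server-side sorting, or refuses it for an unindexed attribute, rejects the whole search instead of returning unsorted entries; that may be intended, but it turns a presentation nicety into an availability dependency and deserves a comment such as `// critical control: fail the search rather than silently return unsorted results` plus an index requirement in the deployment notes. The body is otherwise a copy of the existing non-sorting `search` overload; having that overload delegate with `return search(base, filter, maxSize, (String) null);` removes the duplication, and the same applies to the `timeLimit` pair in the next hunk. Note also that `sortAttribute` goes into the LDAP request as-is, whereas `filter` is passed through `getRegistry().getFilter()`, so callers must only ever supply trusted, schema-known attribute names — worth stating in the method's Javadoc.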
@@ -323,6 +359,43 @@ public class DBSSession implements IDBSSession { } } + @SuppressWarnings("unchecked") + public IDBSearchResults search(String base, String filter, int maxSize, + int timeLimit, String sortAttribute) throws EBaseException { + + try { + String ldapattrs[] = null; + String ldapfilter = + mDBSystem.getRegistry().getFilter(filter); + + LDAPSearchConstraints cons = new LDAPSearchConstraints(); + + cons.setMaxResults(maxSize); + cons.setServerTimeLimit(timeLimit); + + if(sortAttribute != null) { + LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute ); + LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true); + cons.setServerControls( sortCtrl ); + } + + LDAPSearchResults res = mConn.search(base, + LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons); + + return new DBSearchResults(mDBSystem.getRegistry(), + res); + } catch (LDAPException e) { + if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) + throw new EDBNotAvailException( + CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE")); + // XXX error handling, should not raise exception if + // entry not found + throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE", + e.toString())); + } + + } + /** * Retrieves a list of object that satifies the given * filter. diff --git a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java index e4e7157..8d7bbc0 100644 --- a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java +++ b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java @@ -1,5 +1,7 @@ package com.netscape.cmscore.dbs; +import netscape.ldap.LDAPSearchResults; + import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.dbs.EDBException; 
@@ -9,8 +11,6 @@ import com.netscape.certsrv.dbs.IDBSearchResults; import com.netscape.certsrv.dbs.IDBVirtualList; import com.netscape.certsrv.dbs.ModificationSet; -import netscape.ldap.LDAPSearchResults; - /** * A default stub ojbect for tests to extend. */ @@ -81,4 +81,15 @@ public class DBSSessionDefaultStub implements IDBSSession { String sortKey, int pageSize) throws EBaseException { return null; } + + @Override + public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit, String sortAttribute) + throws EBaseException { + return null; + } + + @Override + public IDBSearchResults search(String base, String filter, int maxSize, String sortAttribute) throws EBaseException { + return null; + } } -- 1.8.3.1 From f726f9a668b523c4e5a9438d8ea301f4b556efd4 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 1 Aug 2016 22:35:32 +0200 Subject: [PATCH 83/96] Added log messages for certificate validation. The ConfigCertApprovalCallback has been modified such that it logs the server certificate being validated and can be configured to ignore certain validation errors. The ConfigurationUtils has been modified to use the ConfigCertApprovalCallback to show and validate the server certificate in all GET and POST operations except for the importCertChain() in which the code needs to ignore untrusted issuer in order to get the certificate chain via SSL. https://fedorahosted.org/pki/ticket/2424 --- .../csadmin/ConfigCertApprovalCallback.java | 63 +++++++++++++++++++++- .../cms/servlet/csadmin/ConfigurationUtils.java | 63 ++++++++++++---------- 2 files changed, 97 insertions(+), 29 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java index 956c285..9b741af 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java 
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java 
@@ -17,17 +17,78 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.Set; + import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; +import com.netscape.certsrv.apps.CMS; + public class ConfigCertApprovalCallback implements SSLCertificateApprovalCallback { + public Set ignoredErrors = new HashSet(); + public ConfigCertApprovalCallback() { } + public void ignoreError(int error) { + ignoredErrors.add(error); + } + + public String getErrorDescription(int reason) { + + // iterate through all constants in ValidityStatus + for (Field f : ValidityStatus.class.getDeclaredFields()) { + int mod = f.getModifiers(); + if (Modifier.isPublic(mod) && + Modifier.isFinal(mod) && + Modifier.isStatic(mod)) { + + try { + int value = f.getInt(null); + + // if value matches the reason, return the name + if (value == reason) { + return f.getName(); + } + + } catch (IllegalAccessException e) { + return "ERROR #" + reason; + } + } + } + + return "UNKNOWN_ERROR"; + } + public boolean approve(X509Certificate cert, SSLCertificateApprovalCallback.ValidityStatus status) { - return true; + + CMS.debug("Server certificate:"); + CMS.debug(" - subject: " + cert.getSubjectDN()); + CMS.debug(" - issuer: " + cert.getIssuerDN()); + + Enumeration errors = status.getReasons(); + boolean result = true; + + while (errors.hasMoreElements()) { + SSLCertificateApprovalCallback.ValidityItem item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement(); + int reason = item.getReason(); + String description = getErrorDescription(reason); + + if (ignoredErrors.contains(reason)) { + CMS.debug("WARNING: " + description); + } else { + CMS.debug("ERROR: " + description); + result = false; + } + } + + return result; } } 
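Review bot: `public Set ignoredErrors = new HashSet();` in the ConfigCertApprovalCallback hunk is a raw-typed, public, mutable field, so any code that holds the callback can widen the set of validation errors approve() tolerates; `private final Set<Integer> ignoredErrors = new HashSet<Integer>();` with ignoreError() as the only writer keeps that decision in one place, and the raw `Enumeration errors = status.getReasons();` could be `Enumeration<?>`. The reflection loop in getErrorDescription() is the non-obvious part of the class and deserves a why-comment such as `// ValidityStatus exposes its reason codes only as public static final ints, so map value -> name by reflection`. Ignored reasons are reported only through CMS.debug with a WARNING prefix, which is invisible when debug logging is off; the ignoreError() javadoc should say that an ignored error is still logged but no longer rejects the certificate.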
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index ab5e4d6..fe65bb8 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -58,34 +58,6 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import javax.xml.parsers.ParserConfigurationException; -import netscape.ldap.LDAPAttribute; -import netscape.ldap.LDAPAttributeSet; -import netscape.ldap.LDAPConnection; -import netscape.ldap.LDAPDN; -import netscape.ldap.LDAPEntry; -import netscape.ldap.LDAPException; -import netscape.ldap.LDAPModification; -import netscape.ldap.LDAPSearchConstraints; -import netscape.ldap.LDAPSearchResults; -import netscape.ldap.LDAPv3; -import netscape.security.pkcs.ContentInfo; -import netscape.security.pkcs.PKCS10; -import netscape.security.pkcs.PKCS12; -import netscape.security.pkcs.PKCS12Util; -import netscape.security.pkcs.PKCS7; -import netscape.security.pkcs.SignerInfo; -import netscape.security.util.DerOutputStream; -import netscape.security.util.ObjectIdentifier; -import netscape.security.x509.AlgorithmId; -import netscape.security.x509.BasicConstraintsExtension; -import netscape.security.x509.CertificateChain; -import netscape.security.x509.Extension; -import netscape.security.x509.Extensions; -import netscape.security.x509.KeyUsageExtension; -import netscape.security.x509.X500Name; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; - import org.apache.commons.lang.StringUtils; import org.apache.velocity.context.Context; import org.mozilla.jss.CryptoManager; 
@@ -131,6 +103,7 @@ import org.mozilla.jss.pkix.primitive.Attribute; import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo; import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; import org.mozilla.jss.ssl.SSLCertificateApprovalCallback; +import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus; import org.mozilla.jss.util.IncorrectPasswordException; import org.mozilla.jss.util.Password; import org.w3c.dom.Document; @@ -180,6 +153,34 @@ import com.netscape.cmsutil.ldap.LDAPUtil; import com.netscape.cmsutil.util.Utils; import com.netscape.cmsutil.xml.XMLObject; +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPAttributeSet; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPDN; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPException; +import netscape.ldap.LDAPModification; +import netscape.ldap.LDAPSearchConstraints; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv3; +import netscape.security.pkcs.ContentInfo; +import netscape.security.pkcs.PKCS10; +import netscape.security.pkcs.PKCS12; +import netscape.security.pkcs.PKCS12Util; +import netscape.security.pkcs.PKCS7; +import netscape.security.pkcs.SignerInfo; +import netscape.security.util.DerOutputStream; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.Extension; +import netscape.security.x509.Extensions; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + /** * Utility class for functions to be used by the RESTful installer. * 
@@ -196,6 +197,8 @@ public class ConfigurationUtils { public static final Long MINUS_ONE = Long.valueOf(-1); public static final String DBUSER = "pkidbuser"; + public static ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); + public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException, IncorrectPasswordException { boolean rv = true; @@ -229,6 +232,7 @@ public class ConfigurationUtils { CMS.debug("ConfigurationUtils: GET " + config.getServerURI() + path); PKIConnection connection = new PKIConnection(config); + if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback; connection.setCallback(certApprovalCallback); return connection.get(path); } @@ -245,6 +249,7 @@ public class ConfigurationUtils { CMS.debug("ConfigurationUtils: POST " + config.getServerURI() + path); PKIConnection connection = new PKIConnection(config); + if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback; connection.setCallback(certApprovalCallback); return connection.post(path, content); } @@ -256,6 +261,8 @@ public class ConfigurationUtils { IConfigStore cs = CMS.getConfigStore(); ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); + // Ignore untrusted issuer to get cert chain. + certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER); String c = get(host, port, true, serverPath, null, certApprovalCallback); if (c != null) { -- 1.8.3.1 From da66600e8ae07fa4169d24909c7d04ed69d2906c Mon Sep 17 00:00:00 2001 
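Review bot: The added `if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;` in the GET hunk (and again in the POST hunk) only does something if the method has a `certApprovalCallback` parameter that shadows the new static field; the signatures are outside the hunk, so if that is the case a comment like `// caller passed no callback: fall back to the shared validating one` would make the shadowing intentional, and if not the line is a self-assignment. The new field is `public static` and non-final, so any code can replace the callback used by every later GET and POST; `private static final` with a getter, or passing the callback per call only, narrows who can relax validation. In the importCertChain hunk the local callback ignores only `ValidityStatus.UNTRUSTED_ISSUER`, so hostname, expiry and other reasons still make approve() return false; extending the comment to `// Ignore untrusted issuer only; other validation errors still reject the cert.` records that.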
From: "Endi S. Dewata" Date: Mon, 1 Aug 2016 22:35:32 +0200 Subject: [PATCH 84/96] Added log messages for certificate import during cloning. To help troubleshooting cloning issues the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import. https://fedorahosted.org/pki/ticket/2424 --- base/common/python/pki/nssdb.py | 10 +++ base/common/python/pki/pkcs12.py | 73 ++++++++++++++++++++++ .../deployment/scriptlets/security_databases.py | 42 ++++++++++--- 3 files changed, 118 insertions(+), 7 deletions(-) create mode 100644 base/common/python/pki/pkcs12.py diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index a0b0302..ed45654 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -398,6 +398,16 @@ class NSSDatabase(object): if rc: raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc) + def show_certs(self): + + cmd = [ + 'certutil', + '-L', + '-d', self.directory + ] + + subprocess.check_call(cmd) + def get_cert(self, nickname, output_format='pem'): if output_format == 'pem': diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py new file mode 100644 index 0000000..a62ca09 --- /dev/null +++ b/base/common/python/pki/pkcs12.py 
@@ -0,0 +1,73 @@ +# Authors: +# Endi S. Dewata +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the Lesser GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2016 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +import os +import shutil +import subprocess +import tempfile + + +class PKCS12(object): + + def __init__(self, path, password=None, password_file=None, nssdb=None): + + # The pki CLI needs an NSS database to run PKCS #12 operations + # as required by JSS. If the nssdb parameter is provided, the CLI + # will use the specified NSS database object. Otherwise, it will use + # the default NSS database in ~/.dogtag/nssdb. 
+ + self.path = path + self.nssdb = nssdb + + self.tmpdir = tempfile.mkdtemp() + + if password: + self.password_file = os.path.join(self.tmpdir, 'password.txt') + with open(self.password_file, 'w') as f: + f.write(password) + + elif password_file: + self.password_file = password_file + + else: + raise Exception('Missing PKCS #12 password') + + def close(self): + shutil.rmtree(self.tmpdir) + + def show_certs(self): + + cmd = ['pki'] + + if self.nssdb: + cmd.extend([ + '-d', self.nssdb.directory, + '-C', self.nssdb.password_file + ]) + + cmd.extend([ + 'pkcs12-cert-find', + '--pkcs12-file', self.path, + '--pkcs12-password-file', self.password_file + ]) + + subprocess.check_call(cmd) diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 18fc3e1..99daf15 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -19,9 +19,11 @@ # from __future__ import absolute_import +from __future__ import print_function import os import pki.nssdb +import pki.pkcs12 import pki.server # PKI Deployment Imports @@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): directory=deployer.mdict['pki_database_path'], password_file=deployer.mdict['pki_shared_pfile']) - nssdb.import_pkcs12( - pkcs12_file=pki_server_pkcs12_path, - pkcs12_password=pki_server_pkcs12_password) + try: + nssdb.import_pkcs12( + pkcs12_file=pki_server_pkcs12_path, + pkcs12_password=pki_server_pkcs12_password) + finally: + nssdb.close() # update external CA file (if needed) external_certs_path = deployer.mdict['pki_server_external_certs_path'] 
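Review bot: In PKCS12.__init__ the directory from `tempfile.mkdtemp()` is created before the password check, so the `raise Exception('Missing PKCS #12 password')` branch leaves an empty temp directory behind that no caller can close(); create it only once a password source is known, e.g. move `self.tmpdir = tempfile.mkdtemp()` below the `if password / elif password_file / else` block and write password.txt after it, or `shutil.rmtree(self.tmpdir)` before raising. Every user must pair construction with close(), so `__enter__`/`__exit__` returning self and calling close() would let security_databases.py use `with` instead of try/finally. The class also lacks a docstring; `"""Wrapper for the pki pkcs12-* CLI; the password is passed to the CLI via a file in a user-private temp dir that close() removes."""` would state the contract, including that close() is mandatory.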
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): directory=deployer.mdict['pki_database_path'], password_file=deployer.mdict['pki_shared_pfile']) - nssdb.import_pkcs12( - pkcs12_file=pki_clone_pkcs12_path, - pkcs12_password=pki_clone_pkcs12_password, - no_user_certs=True) + try: + print('Importing certificates from %s:' % pki_clone_pkcs12_path) + + # The PKCS12 class requires an NSS database to run. For simplicity + # it uses the NSS database that has just been created. + pkcs12 = pki.pkcs12.PKCS12( + path=pki_clone_pkcs12_path, + password=pki_clone_pkcs12_password, + nssdb=nssdb) + + try: + pkcs12.show_certs() + finally: + pkcs12.close() + + # Import certificates + nssdb.import_pkcs12( + pkcs12_file=pki_clone_pkcs12_path, + pkcs12_password=pki_clone_pkcs12_password, + no_user_certs=True) + + print('Imported certificates in %s:' % deployer.mdict['pki_database_path']) + + nssdb.show_certs() + + finally: + nssdb.close() if len(deployer.instance.tomcat_instance_subsystems()) < 2: -- 1.8.3.1 From b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 Mon Sep 17 00:00:00 2001 
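Review bot: `pkcs12.show_certs()` and `nssdb.show_certs()` in this hunk are diagnostic listings, but both are built on subprocess.check_call, so a non-zero exit from `pki pkcs12-cert-find` or `certutil -L` now aborts the clone installation before, respectively after, the actual import. If the listings are only troubleshooting aids, catching `subprocess.CalledProcessError` around each and printing a warning keeps a cosmetic failure from becoming an installation failure; if they are meant to be fatal, a comment saying so would help the next reader. The enclosing method continues outside the hunk.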
From: "Endi S. Dewata" Date: Mon, 1 Aug 2016 22:35:32 +0200 Subject: [PATCH 85/96] Fixed PKCS #12 import for cloning. To fix cloning issue in IPA the security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for CA certificate and u,u,Pu for audit certificate). The ConfigurationUtils.restoreCertsFromP12() is now redundant and it should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates. The CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates. https://fedorahosted.org/pki/ticket/2424 --- .../cms/servlet/csadmin/ConfigurationUtils.java | 9 +++- .../deployment/scriptlets/security_databases.py | 13 ++++- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 60 ++++++++++++---------- 3 files changed, 51 insertions(+), 31 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index fe65bb8..3494882 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -834,7 +834,8 @@ public class ConfigurationUtils { BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, InvalidBERException, IOException { - // TODO: refactor into a PKCS #12 utility class + // TODO: The PKCS #12 file is already imported in security_database.py. + // This method should be removed. byte b[] = new byte[1000000]; FileInputStream fis = new FileInputStream(p12File); 
@@ -1109,10 +1110,14 @@ public class ConfigurationUtils { InternalCertificate icert = (InternalCertificate) xcert; if (isCASigningCert) { - // we need to change the trust attribute to CT + // set trust flags to CT,C,C icert.setSSLTrust(InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA | InternalCertificate.VALID_CA); + icert.setEmailTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); + icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); } else if (isAuditSigningCert(name)) { icert.setObjectSigningTrust(InternalCertificate.USER diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py index 99daf15..e80a1d0 100644 --- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py +++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py @@ -150,8 +150,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Import certificates nssdb.import_pkcs12( pkcs12_file=pki_clone_pkcs12_path, - pkcs12_password=pki_clone_pkcs12_password, - no_user_certs=True) + pkcs12_password=pki_clone_pkcs12_password) + + # Set certificate trust flags + if subsystem.type == 'CA': + nssdb.modify_cert( + nickname=deployer.mdict['pki_ca_signing_nickname'], + trust_attributes='CTu,Cu,Cu') + + nssdb.modify_cert( + nickname=deployer.mdict['pki_audit_signing_nickname'], + trust_attributes='u,u,Pu') print('Imported certificates in %s:' % deployer.mdict['pki_database_path']) diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 9cabdc5..b02c363 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java 
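Review bot: The trust strings in the security_databases.py hunk, `'CTu,Cu,Cu'` and `'u,u,Pu'`, are not the `CT,C,C` the commit message and the Java comments describe; a comment such as `# CTu,Cu,Cu: trusted CA for SSL, email and object signing; 'u' marks that the private key is present` next to the values would make the intended flags explicit and keep the two sides in step. The audit-signing `nssdb.modify_cert` call runs unconditionally while the CA-signing one is guarded by `subsystem.type == 'CA'`; what happens when the PKCS #12 holds no certificate under `deployer.mdict['pki_audit_signing_nickname']` depends on modify_cert, which is not visible here, and may deserve a check or comment. Dropping `no_user_certs=True` imports every key in the file, which the description explains but the code does not; the enclosing method continues outside the hunk.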
@@ -47,33 +47,6 @@ import java.util.Random; import java.util.StringTokenizer; import java.util.Vector; -import netscape.security.pkcs.PKCS10; -import netscape.security.pkcs.PKCS10Attribute; -import netscape.security.pkcs.PKCS10Attributes; -import netscape.security.pkcs.PKCS7; -import netscape.security.pkcs.PKCS9Attribute; -import netscape.security.util.BigInt; -import netscape.security.util.DerInputStream; -import netscape.security.util.DerOutputStream; -import netscape.security.util.DerValue; -import netscape.security.util.ObjectIdentifier; -import netscape.security.x509.AlgorithmId; -import netscape.security.x509.CertificateAlgorithmId; -import netscape.security.x509.CertificateChain; -import netscape.security.x509.CertificateExtensions; -import netscape.security.x509.CertificateIssuerName; -import netscape.security.x509.CertificateSerialNumber; -import netscape.security.x509.CertificateSubjectName; -import netscape.security.x509.CertificateValidity; -import netscape.security.x509.CertificateVersion; -import netscape.security.x509.CertificateX509Key; -import netscape.security.x509.Extensions; -import netscape.security.x509.X500Name; -import netscape.security.x509.X500Signer; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509CertInfo; -import netscape.security.x509.X509Key; - import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NotInitializedException; import org.mozilla.jss.NoSuchTokenException; 
@@ -132,6 +105,33 @@ import org.mozilla.jss.util.Password; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; +import netscape.security.pkcs.PKCS10; +import netscape.security.pkcs.PKCS10Attribute; +import netscape.security.pkcs.PKCS10Attributes; +import netscape.security.pkcs.PKCS7; +import netscape.security.pkcs.PKCS9Attribute; +import netscape.security.util.BigInt; +import netscape.security.util.DerInputStream; +import netscape.security.util.DerOutputStream; +import netscape.security.util.DerValue; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateIssuerName; +import netscape.security.x509.CertificateSerialNumber; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.Extensions; +import netscape.security.x509.X500Name; +import netscape.security.x509.X500Signer; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + @SuppressWarnings("serial") public class CryptoUtil { 
@@ -1164,10 +1164,16 @@ public class CryptoUtil { if (certchains != null) { cert = certchains[certchains.length - 1]; } + + // set trust flags to CT,C,C InternalCertificate icert = (InternalCertificate) cert; icert.setSSLTrust(InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA | InternalCertificate.VALID_CA); + icert.setEmailTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); + icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); } public static SEQUENCE parseCRMFMsgs(byte cert_request[]) -- 1.8.3.1 From 018b5c1f3295fadd263d256d00866dd7b9d31163 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 26 Jul 2016 14:07:10 +1000 Subject: [PATCH 90/96] Fix CA OCSP responder when LWCAs are not in use The CA subsystem OCSP responder was updated to handle dispatching OCSP requests to the relevant CertificateAuthority instance, according to the issuer of the certificates identified in the request. Unfortunately, the updated routine assumes that the database updates that enable lightweight CAs have occurred. If they have not, the OCSP responder always fails. Fix the issue by inferring that if 'caMap' is empty, lightweight CAs are not in use, the current instance is the one and only CA, and proceed straight to validation. Fixes: https://fedorahosted.org/pki/ticket/2420 --- base/ca/src/com/netscape/ca/CertificateAuthority.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 502ab18..a5397da 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java 
@@ -2240,6 +2240,10 @@ public class CertificateAuthority * employ some heuristic to deal with this case. Our * heuristic is: * + * 0. If caMap contains no CAs, then lightweight CAs are not + * enabled. There is only one CA, and 'this' is it. Go + * straight to validation. + * * 1. Find the issuer of the cert identified by the first * CertID in the request. * @@ -2254,7 +2258,7 @@ public class CertificateAuthority * aggregate OCSP response. */ ICertificateAuthority ocspCA = this; - if (tbsReq.getRequestCount() > 0) { + if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) { com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0); BigInteger serialNo = req.getCertID().getSerialNumber(); X509CertImpl cert = mCertRepot.getX509Certificate(serialNo); -- 1.8.3.1 From 7bed80ef6b1529f948da260a6b43f2052c6ffb21 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 8 Aug 2016 14:39:01 +1000 Subject: [PATCH 91/96] Fix lightweight CA PEM-encoded PKCS #7 cert chain retrieval The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert chain incorrectly returns X.509 data wrapped in PKCS7 PEM header. Return proper PKCS #7 data. Fixes: https://fedorahosted.org/pki/ticket/2433 --- base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index 7bca10f..246a3f0 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java @@ -173,7 +173,7 @@ public class AuthorityService extends PKIService implements AuthorityResource { @Override public Response getChainPEM(String aidString) { - byte[] der = (byte[]) getCert(aidString).getEntity(); + byte[] der = (byte[]) getChain(aidString).getEntity(); return Response.ok(toPem("PKCS7", der)).build(); } -- 1.8.3.1 
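Review bot: `if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) {` reads more directly as `if (!caMap.isEmpty() && tbsReq.getRequestCount() > 0) {`, and the inference it encodes (empty caMap means lightweight CAs are disabled and `this` is the only CA) is stated in the javadoc above but not at the branch; a short `// empty caMap: lightweight CAs disabled, validate against this CA` beside the condition keeps the two in step. If caMap can become non-empty later in the process lifetime, the heuristic changes behaviour at that moment; that is not visible here and may deserve a sentence in the comment. The enclosing method starts and ends outside the hunk.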
From e948a42f8bf7823b18ad4551a8fe8a5db991e966 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 8 Aug 2016 13:08:17 +0200 Subject: [PATCH 92/96] Improve setup.py for standalone Dogtag client releases PyPI requires a different spelling of LGPLv3+ classifier. The correct name for installation requirements is 'install_requires', not 'requirements'. Add a new version_info command that rewrites setup.py in place to include the current version. This fixes a problem with source distributions of the client package. --- base/common/python/setup.cfg | 2 +- base/common/python/setup.py | 83 +++++++++++++++++++++++++++++++++----------- 2 files changed, 63 insertions(+), 22 deletions(-) diff --git a/base/common/python/setup.cfg b/base/common/python/setup.cfg index ad43486..32f2126 100644 --- a/base/common/python/setup.cfg +++ b/base/common/python/setup.cfg @@ -2,5 +2,5 @@ universal = 1 [aliases] -packages = clean --all egg_info bdist_wheel sdist --format=zip +packages = clean --all version_info egg_info bdist_wheel sdist --format=zip release = packages register upload diff --git a/base/common/python/setup.py b/base/common/python/setup.py index 86e0704..e0920c1 100644 --- a/base/common/python/setup.py +++ b/base/common/python/setup.py 
@@ -43,28 +43,67 @@ try: except ImportError: from distutils.core import setup +from distutils.cmd import Command + + +class VersionInfo(Command): + user_options = [] -def get_version(specfile='../../../specs/pki-core.spec'): version_re = re.compile('^Version:\s*(\d+\.\d+\.\d+)') release_re = re.compile('^Release:.*?([\d\.]+)') - version = release = None - with open(specfile) as f: - for line in f: - if version is None: - match = version_re.match(line) - if match is not None: - version = match.group(1) - if release is None: - match = release_re.match(line) - if match is not None: - release = match.group(1) - if version is not None and release is not None: - break - if version is None or release is None: - raise ValueError(version, release) - return "%s.%s" % (version, release) - -VERSION = get_version() + specfile = '../../../specs/pki-core.spec' + + def initialize_options(self): + self.rpm_version = None + + def finalize_options(self): + try: + version, release = self.get_version() + except IOError: + pass + else: + self.rpm_version = "%s.%s" % (version, release) + + def run(self): + if self.rpm_version is not None: + self.distribution.metadata.version = self.rpm_version + self.rewrite_setup_py() + else: + raise ValueError( + 'Cannot load version from {}'.format(self.specfile) + ) + + def get_version(self): + version = release = None + with open(self.specfile) as f: + for line in f: + if version is None: + match = self.version_re.match(line) + if match is not None: + version = match.group(1) + if release is None: + match = self.release_re.match(line) + if match is not None: + release = match.group(1) + if version is not None and release is not None: + break + if version is None or release is None: + raise ValueError(version, release) + return version, release + + def rewrite_setup_py(self): + with open(__file__) as f: + lines = list(f) + for i, line in enumerate(lines): + if line.startswith('VERSION ='): + lines[i] = "VERSION = '{}'\n".format(self.rpm_version) + 
with open(__file__, 'w') as f: + f.write(''.join(lines)) + + +# auto-generated by version_info +VERSION = None + setup( author='Dogtag Certificate System Team', @@ -85,7 +124,8 @@ and set up in less than an hour.""", keywords='pki x509 cert certificate', url='http://pki.fedoraproject.org/', packages=['pki', 'pki.cli'], - requirements=['python-nss', 'requests', 'six'], + install_requires=['python-nss', 'requests', 'six'], + cmdclass={'version_info': VersionInfo}, classifiers=[ 'Development Status :: 5 - Production/Stable', 'Environment :: Web Environment', @@ -93,7 +133,8 @@ and set up in less than an hour.""", 'Operating System :: OS Independent', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3.4', - 'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)', + 'License :: OSI Approved :: GNU Lesser General Public License ' + + 'v3 or later (LGPLv3+)', 'Topic :: Security :: Cryptography', ], ) -- 1.8.3.1 From a38b8b875e40d0d8551752af7aa2567d2891384a Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 8 Aug 2016 11:34:52 -0700 Subject: [PATCH 93/96] Ticket #2428 - part2 handle NullPointerException --- .../src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java index caf2cf1..0073bd2 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java 
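Review bot: `rewrite_setup_py` in the VersionInfo hunk rewrites setup.py in place and silently does nothing when no line starts with `VERSION =`, so a later edit to that line would leave the sdist at `VERSION = None` with no error; tracking whether a line was replaced and raising, e.g. `if not replaced: raise ValueError('VERSION line not found in ' + __file__)`, surfaces that. The write is also non-atomic because `open(__file__, 'w')` truncates before writing, so a failure mid-write leaves a broken setup.py; writing a sibling temporary file and renaming it over the original avoids that. The pre-existing `version_re`/`release_re` patterns are non-raw strings containing `\s` and `\d`; `r'^Version:\s*(\d+\.\d+\.\d+)'` avoids the invalid-escape warning on newer interpreters.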
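Review bot: In the classifiers hunk the two string literals are joined with `+` inside the list; adjacent literals concatenate at compile time, so `'License :: OSI Approved :: GNU Lesser General Public License ' 'v3 or later (LGPLv3+)',` is the idiomatic form and drops the runtime concatenation.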
@@ -423,8 +423,8 @@ public class ProfileReviewServlet extends ProfileServlet { try { defValue = def.getValue(defName, locale, req); - } catch (EPropertyException ee) { - CMS.debug("ProfileReviewServlet: " + ee.toString()); + } catch (Exception exp) { + CMS.debug("ProfileReviewServlet: " + exp.toString()); } defset.set(ARG_DEF_ID, defName); -- 1.8.3.1 From a808013629d4b4de886ec1563daebf6ea5138f0c Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 8 Aug 2016 19:19:16 +0200 Subject: [PATCH 94/96] Improved SystemConfigService.configure() error message. The pkispawn has been modified to improve the way it displays the error message returned by SystemConfigService.configure(). If the method throws a PKIException, the response is returned as a JSON message, so pkispawn will parse it and display the actual error message. For other exceptions pkispawn will display the entire HTML message returned by Tomcat. https://fedorahosted.org/pki/ticket/2399 --- .../python/pki/server/deployment/pkihelper.py | 23 +--------------------- base/server/sbin/pkispawn | 20 +++++++++++++++++-- 2 files changed, 19 insertions(+), 24 deletions(-) diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 8a1dbdd..b6eacf1 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py 
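Review bot: Widening the handler to `catch (Exception exp)` hides which part of `def.getValue(defName, locale, req)` produced the NullPointerException the commit title refers to, and `exp.toString()` records no stack trace, so the root cause stays invisible in the debug log. If the intent is to tolerate a null profile default, `catch (EPropertyException | NullPointerException exp)` (Java 7+) or a null check on the inputs before the call keeps other RuntimeExceptions visible, and logging the stack trace alongside the message would record where it came from. The enclosing method starts and ends outside the hunk.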
@@ -3959,28 +3959,7 @@ class ConfigClient: admin_cert = response['adminCert']['cert'] self.process_admin_cert(admin_cert) - except Exception as e: - config.pki_log.error( - log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e), - extra=config.PKI_INDENTATION_LEVEL_2) - - if hasattr(e, 'response'): - text = e.response.text # pylint: disable=E1101 - try: - root = ET.fromstring(text) - except ET.ParseError as pe: - config.pki_log.error( - "ParseError: %s: %s " % (pe, text), - extra=config.PKI_INDENTATION_LEVEL_2) - raise - - if root.tag == 'PKIException': - message = root.findall('.//Message')[0].text - if message is not None: - config.pki_log.error( - log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + - message, - extra=config.PKI_INDENTATION_LEVEL_2) + except: raise diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index 13139fa..c87c49a 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -527,8 +527,24 @@ def main(argv): scriptlet.spawn(deployer) - # pylint: disable=W0703 - except Exception as e: + except requests.HTTPError as e: + r = e.response + print() + + print('Installation failed:') + if r.headers['content-type'] == 'application/json': + data = r.json() + print('%s: %s' % (data['ClassName'], data['Message'])) + else: + print(r.text) + + print() + print('Please check the %s logs in %s.' % + (config.pki_subsystem, deployer.mdict['pki_subsystem_log_path'])) + + sys.exit(1) + + except Exception as e: # pylint: disable=broad-except log_error_details() print() print("Installation failed: %s" % e) -- 1.8.3.1
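Review bot: The replacement `except: raise` in the ConfigClient hunk is a bare except that only re-raises, so the try/except contributes nothing and the bare form also intercepts KeyboardInterrupt and SystemExit; drop the `try:` and dedent its body, or if a log entry is still wanted here use `except Exception: config.pki_log.exception(log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION); raise`. The removed code was the only place that wrote the server-side PKIException message to the pki log; the new pkispawn handler prints it to stdout, so it appears the message is no longer recorded in the log file. The enclosing method starts and ends outside the hunk.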
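Review bot: `r.headers['content-type'] == 'application/json'` in the pkispawn hunk is an exact match, so a response such as `application/json; charset=utf-8` falls through to `print(r.text)`, and a response without a Content-Type header raises KeyError inside the except clause and masks the original HTTPError; `r.headers.get('content-type', '').startswith('application/json')` handles both. `data['ClassName']` and `data['Message']` likewise raise KeyError on a JSON body without those keys, so `data.get(...)` with a fallback to `r.text` is safer. This branch does not call `log_error_details()` as the generic handler below does, so HTTP failures are printed but apparently not logged, and `requests` must be imported in pkispawn for the except clause to resolve (the import block is outside the hunk).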